[strongSwan] strongSwan 5.0.0 on OpenWrt: duplicate IKE SA and failed MOBIKE
Mirko Parthey
mirko.parthey at informatik.tu-chemnitz.de
Wed Oct 3 01:04:20 CEST 2012
Hello all,

I tried to use strongSwan 5.0.0 between an OpenWrt and a Debian gateway:

* Debian: wheezy/sid
  Linux daniel 3.2.0-3-amd64 #1 SMP Mon Jul 23 02:45:17 UTC 2012 x86_64 GNU/Linux
* OpenWrt: Attitude Adjustment (12.09-beta), bcm47xx
  Linux james 3.3.8 #3 Mon Sep 3 16:16:20 UTC 2012 mips GNU/Linux

When the PPP link on OpenWrt was shut down and brought up again with a
new IP address, I noticed the following issues:

* Charon on OpenWrt was unable to perform the MOBIKE address update;
  eventually the IKE SA was destroyed and reestablished.
* Both peers initiated an IKE SA and CHILD SAs based on these.
  Why wasn't one of them deleted as a duplicate?
  This issue showed up in about 50% of my experiments.

Since the same setup was working fine between two Debian gateways,
I suspect OpenWrt or my configuration of it might be a part of the problem.
I would appreciate any help finding the cause.

Thanks,
Mirko
-------------- next part --------------
root@james:/tmp# ipsec start
root@james:/tmp# killall -HUP pppd
root@james:/tmp# ipsec statusall >> statusall
root@james:/tmp# ipsec statusall >> statusall
root@james:/tmp# ipsec statusall >> statusall
------------------------------------------------------------------------
root@daniel:/tmp# ipsec start
root@daniel:/tmp# ipsec statusall >> statusall
root@daniel:/tmp# ipsec statusall >> statusall
root@daniel:/tmp# ipsec statusall >> statusall
------------------------------------------------------------------------
root@james:~# ip monitor addr
Deleted 21: if21 inet 89.246.221.197 peer 62.214.64.210/32 scope global pppoe-wan
[...]
22: if22 inet 89.246.210.233 peer 62.214.64.210/32 scope global pppoe-wan
------------------------------------------------------------------------
root@james:~# tcpdump -i pppoe-wan -n udp port 500 or 4500
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pppoe-wan, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
22:10:44.858618 IP 31.18.87.101.500 > 89.246.210.233.500: isakmp: parent_sa ikev2_init[I]
22:10:46.285666 IP 89.246.210.233.500 > 31.18.87.101.500: isakmp: parent_sa ikev2_init[I]
22:10:46.354246 IP 31.18.87.101.500 > 89.246.210.233.500: isakmp: parent_sa ikev2_init[R]
22:10:48.859944 IP 31.18.87.101.500 > 89.246.210.233.500: isakmp: parent_sa ikev2_init[I]
22:10:50.260335 IP 89.246.210.233.500 > 31.18.87.101.500: isakmp: parent_sa ikev2_init[R]
22:10:50.313288 IP 31.18.87.101.4500 > 89.246.210.233.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
22:10:50.661718 IP 89.246.210.233.4500 > 31.18.87.101.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
22:10:51.009554 IP 31.18.87.101.4500 > 89.246.210.233.4500: NONESP-encap: isakmp: child_sa ikev2_auth[R]
22:10:51.246922 IP 89.246.210.233.4500 > 31.18.87.101.4500: NONESP-encap: isakmp: child_sa ikev2_auth[R]
^C
9 packets captured
9 packets received by filter
0 packets dropped by kernel
------------------------------------------------------------------------
-------------- next part --------------
Status of IKE charon daemon (strongSwan 5.0.0, Linux 3.3.8, mips):
uptime: 3 minutes, since Oct 02 22:03:06 2012
malloc: sbrk 135168, mmap 0, used 106208, free 28960
worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 7
loaded plugins: charon aes sha1 random nonce x509 pubkey pkcs1 pem gcrypt gmp xcbc hmac kernel-netlink socket-default stroke updown
Listening IP addresses:
172.16.16.250
89.246.210.233
Connections:
daniel: %any...%daniel.dyndns.org IKEv1/2, dpddelay=30s
daniel: local: [james.dyndns.org] uses public key authentication
daniel: cert: "C=DE, CN=james"
daniel: remote: [C=DE, CN=daniel.dyndns.org] uses public key authentication
daniel: cert: "C=DE, CN=daniel.dyndns.org"
daniel: child: 172.16.16.0/24 === 192.168.2.0/24 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
daniel[2]: ESTABLISHED 3 minutes ago, 89.246.221.197[james.dyndns.org]...31.18.87.101[C=DE, CN=daniel.dyndns.org]
daniel[2]: IKEv2 SPIs: 659745c7cfb41501_i 7392ca9871227e21_r*, public key reauthentication in 2 hours
daniel[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
daniel[2]: Tasks queued: IKE_MOBIKE
daniel[2]: Tasks active: IKE_DPD
daniel{2}: INSTALLED, TUNNEL, ESP SPIs: ccc77167_i cdf735e9_o
daniel{2}: AES_CBC_128/HMAC_SHA1_96, 339604 bytes_i (114s ago), 36260 bytes_o (115s ago), rekeying in 40 minutes
daniel{2}: 172.16.16.0/24 === 192.168.2.0/24
------------------------------------------------------------------------------------------------------------------------------------------------------
Status of IKE charon daemon (strongSwan 5.0.0, Linux 3.3.8, mips):
uptime: 5 minutes, since Oct 02 22:03:05 2012
malloc: sbrk 135168, mmap 0, used 98168, free 37000
worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 6
loaded plugins: charon aes sha1 random nonce x509 pubkey pkcs1 pem gcrypt gmp xcbc hmac kernel-netlink socket-default stroke updown
Listening IP addresses:
172.16.16.250
89.246.210.233
Connections:
daniel: %any...%daniel.dyndns.org IKEv1/2, dpddelay=30s
daniel: local: [james.dyndns.org] uses public key authentication
daniel: cert: "C=DE, CN=james"
daniel: remote: [C=DE, CN=daniel.dyndns.org] uses public key authentication
daniel: cert: "C=DE, CN=daniel.dyndns.org"
daniel: child: 172.16.16.0/24 === 192.168.2.0/24 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
daniel[3]: CONNECTING, 89.246.221.197[%any]...31.18.87.101[%any]
daniel[3]: IKEv2 SPIs: a624cd4c766d6d24_i* 0000000000000000_r
daniel[3]: Tasks active: IKE_VENDOR IKE_INIT IKE_NATD IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE
------------------------------------------------------------------------------------------------------------------------------------------------------
Status of IKE charon daemon (strongSwan 5.0.0, Linux 3.3.8, mips):
uptime: 8 minutes, since Oct 02 22:03:05 2012
malloc: sbrk 143360, mmap 0, used 118856, free 24504
worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 12
loaded plugins: charon aes sha1 random nonce x509 pubkey pkcs1 pem gcrypt gmp xcbc hmac kernel-netlink socket-default stroke updown
Listening IP addresses:
172.16.16.250
89.246.210.233
Connections:
daniel: %any...%daniel.dyndns.org IKEv1/2, dpddelay=30s
daniel: local: [james.dyndns.org] uses public key authentication
daniel: cert: "C=DE, CN=james"
daniel: remote: [C=DE, CN=daniel.dyndns.org] uses public key authentication
daniel: cert: "C=DE, CN=daniel.dyndns.org"
daniel: child: 172.16.16.0/24 === 192.168.2.0/24 TUNNEL, dpdaction=restart
Security Associations (2 up, 0 connecting):
daniel[4]: ESTABLISHED 37 seconds ago, 89.246.210.233[james.dyndns.org]...31.18.87.101[C=DE, CN=daniel.dyndns.org]
daniel[4]: IKEv2 SPIs: bae31fa7f9faebe9_i 398f00e2dafe114c_r*, public key reauthentication in 2 hours
daniel[4]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
daniel{4}: INSTALLED, TUNNEL, ESP SPIs: c20b0973_i cb39e522_o
daniel{4}: AES_CBC_128/HMAC_SHA1_96, 95172 bytes_i (0s ago), 13636 bytes_o (0s ago), rekeying in 41 minutes
daniel{4}: 172.16.16.0/24 === 192.168.2.0/24
daniel[3]: ESTABLISHED 37 seconds ago, 89.246.210.233[james.dyndns.org]...31.18.87.101[C=DE, CN=daniel.dyndns.org]
daniel[3]: IKEv2 SPIs: a624cd4c766d6d24_i* 83b216b0e29421cd_r, public key reauthentication in 2 hours
daniel[3]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
daniel{3}: INSTALLED, TUNNEL, ESP SPIs: c5dcc107_i c25d54e9_o
daniel{3}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 41 minutes
daniel{3}: 172.16.16.0/24 === 192.168.2.0/24
------------------------------------------------------------------------------------------------------------------------------------------------------
-------------- next part --------------
Oct 2 22:03:05 00[DMN] Starting IKE charon daemon (strongSwan 5.0.0, Linux 3.3.8, mips)
Oct 2 22:03:05 00[LIB] plugin 'test-vectors' failed to load: File not found
Oct 2 22:03:05 00[LIB] plugin 'curl' failed to load: File not found
Oct 2 22:03:05 00[LIB] plugin 'ldap' failed to load: File not found
Oct 2 22:03:05 00[LIB] plugin 'mysql' failed to load: File not found
Oct 2 22:03:05 00[LIB] plugin 'sqlite' failed to load: File not found
Oct 2 22:03:05 00[LIB] plugin 'pkcs11' failed to load: File not found
Oct 2 22:03:05 00[LIB] plugin 'des' failed to load: File not found
Oct 2 22:03:05 00[LIB] plugin 'blowfish' failed to load: File not found
Oct 2 22:03:05 00[LIB] plugin 'sha2' failed to load: File not found
Oct 2 22:03:05 00[LIB] plugin 'md4' failed to load: File not found
Oct 2 22:03:05 00[LIB] plugin 'md5' failed to load: File not found
Oct 2 22:03:05 00[LIB] plugin 'revocation' failed to load: File not found
Oct 2 22:03:05 00[LIB] plugin 'constraints' failed to load: File not found
Oct 2 22:03:05 00[LIB] plugin 'pkcs8' failed to load: File not found
Oct 2 22:03:05 00[LIB] plugin 'pgp' failed to load: File not found
Oct 2 22:03:05 00[LIB] plugin 'dnskey' failed to load: File not found
Oct 2 22:03:05 00[LIB] plugin 'openssl' failed to load: File not found
Oct 2 22:03:05 00[LIB] plugin 'af-alg' failed to load: File not found
Oct 2 22:03:05 00[LIB] plugin 'fips-prf' failed to load: File not found
Oct 2 22:03:05 00[LIB] plugin 'agent' failed to load: File not found
Oct 2 22:03:05 00[LIB] plugin 'cmac' failed to load: File not found
Oct 2 22:03:05 00[LIB] plugin 'ctr' failed to load: File not found
Oct 2 22:03:05 00[LIB] plugin 'ccm' failed to load: File not found
Oct 2 22:03:05 00[LIB] plugin 'gcm' failed to load: File not found
Oct 2 22:03:05 00[LIB] plugin 'attr' failed to load: File not found
Oct 2 22:03:05 00[LIB] plugin 'attr-sql' failed to load: File not found
Oct 2 22:03:05 00[LIB] plugin 'load-tester' failed to load: File not found
Oct 2 22:03:05 00[LIB] plugin 'kernel-pfkey' failed to load: File not found
Oct 2 22:03:05 00[LIB] plugin 'kernel-klips' failed to load: File not found
Oct 2 22:03:05 00[KNL] listening on interfaces:
Oct 2 22:03:05 00[KNL] eth0
Oct 2 22:03:05 00[KNL] eth1
Oct 2 22:03:05 00[KNL] fe80::224:8cff:fe54:eeca
Oct 2 22:03:05 00[KNL] ifb0
Oct 2 22:03:05 00[KNL] fe80::38a7:ceff:feb8:f4d6
Oct 2 22:03:05 00[KNL] br-lan
Oct 2 22:03:05 00[KNL] 172.16.16.250
Oct 2 22:03:05 00[KNL] fe80::224:8cff:fe54:eeca
Oct 2 22:03:05 00[KNL] wlan0
Oct 2 22:03:05 00[KNL] pppoe-wan
Oct 2 22:03:05 00[KNL] 89.246.221.197
Oct 2 22:03:05 00[LIB] plugin 'resolve' failed to load: File not found
Oct 2 22:03:05 00[LIB] plugin 'socket-raw' failed to load: File not found
Oct 2 22:03:05 00[LIB] plugin 'socket-dynamic' failed to load: File not found
Oct 2 22:03:05 00[LIB] plugin 'farp' failed to load: File not found
Oct 2 22:03:05 00[LIB] plugin 'smp' failed to load: File not found
Oct 2 22:03:05 00[LIB] plugin 'sql' failed to load: File not found
Oct 2 22:03:05 00[LIB] plugin 'eap-identity' failed to load: File not found
Oct 2 22:03:05 00[LIB] plugin 'eap-md5' failed to load: File not found
Oct 2 22:03:05 00[LIB] plugin 'eap-mschapv2' failed to load: File not found
Oct 2 22:03:05 00[LIB] plugin 'xauth-generic' failed to load: File not found
Oct 2 22:03:05 00[LIB] plugin 'xauth-eap' failed to load: File not found
Oct 2 22:03:05 00[LIB] plugin 'dhcp' failed to load: File not found
Oct 2 22:03:05 00[LIB] plugin 'ha' failed to load: File not found
Oct 2 22:03:05 00[LIB] plugin 'whitelist' failed to load: File not found
Oct 2 22:03:05 00[LIB] plugin 'led' failed to load: File not found
Oct 2 22:03:05 00[LIB] plugin 'duplicheck' failed to load: File not found
Oct 2 22:03:05 00[LIB] plugin 'coupling' failed to load: File not found
Oct 2 22:03:05 00[LIB] plugin 'uci' failed to load: File not found
Oct 2 22:03:05 00[LIB] plugin 'addrblock' failed to load: File not found
Oct 2 22:03:05 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Oct 2 22:03:05 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Oct 2 22:03:05 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Oct 2 22:03:05 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Oct 2 22:03:05 00[CFG] loading crls from '/etc/ipsec.d/crls'
Oct 2 22:03:05 00[CFG] loading secrets from '/etc/ipsec.secrets'
Oct 2 22:03:05 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/jamesKey.pem'
Oct 2 22:03:05 00[DMN] loaded plugins: charon aes sha1 random nonce x509 pubkey pkcs1 pem gcrypt gmp xcbc hmac kernel-netlink socket-default stroke updown
Oct 2 22:03:05 00[JOB] spawning 16 worker threads
Oct 2 22:03:05 02[CFG] received stroke: add connection 'daniel'
Oct 2 22:03:06 02[CFG] left nor right host is our side, assuming left=local
Oct 2 22:03:06 02[CFG] loaded certificate "C=DE, CN=james" from 'jamesCert.pem'
Oct 2 22:03:06 02[CFG] loaded certificate "C=DE, CN=daniel.dyndns.org" from 'danielCert.pem'
Oct 2 22:03:06 02[CFG] id 'daniel.dyndns.org' not confirmed by certificate, defaulting to 'C=DE, CN=daniel.dyndns.org'
Oct 2 22:03:06 02[CFG] added configuration 'daniel'
Oct 2 22:03:06 10[CFG] received stroke: initiate 'daniel'
Oct 2 22:03:06 10[IKE] queueing IKE_VENDOR task
Oct 2 22:03:06 10[IKE] queueing IKE_INIT task
Oct 2 22:03:06 10[IKE] queueing IKE_NATD task
Oct 2 22:03:06 10[IKE] queueing IKE_CERT_PRE task
Oct 2 22:03:06 10[IKE] queueing IKE_AUTH task
Oct 2 22:03:06 10[IKE] queueing IKE_CERT_POST task
Oct 2 22:03:06 10[IKE] queueing IKE_CONFIG task
Oct 2 22:03:06 10[IKE] queueing IKE_AUTH_LIFETIME task
Oct 2 22:03:06 10[IKE] queueing IKE_MOBIKE task
Oct 2 22:03:06 10[IKE] queueing CHILD_CREATE task
Oct 2 22:03:06 10[IKE] activating new tasks
Oct 2 22:03:06 10[IKE] activating IKE_VENDOR task
Oct 2 22:03:06 10[IKE] activating IKE_INIT task
Oct 2 22:03:06 10[IKE] activating IKE_NATD task
Oct 2 22:03:06 10[IKE] activating IKE_CERT_PRE task
Oct 2 22:03:06 10[IKE] activating IKE_AUTH task
Oct 2 22:03:06 10[IKE] activating IKE_CERT_POST task
Oct 2 22:03:06 10[IKE] activating IKE_CONFIG task
Oct 2 22:03:06 10[IKE] activating CHILD_CREATE task
Oct 2 22:03:06 10[IKE] activating IKE_AUTH_LIFETIME task
Oct 2 22:03:06 10[IKE] activating IKE_MOBIKE task
Oct 2 22:03:06 10[IKE] initiating IKE_SA daniel[1] to 31.18.87.101
Oct 2 22:03:06 10[IKE] IKE_SA daniel[1] state change: CREATED => CONNECTING
Oct 2 22:03:07 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct 2 22:03:07 10[NET] sending packet: from 89.246.221.197[500] to 31.18.87.101[500]
Oct 2 22:03:07 12[NET] received packet: from 31.18.87.101[500] to 89.246.221.197[500]
Oct 2 22:03:07 12[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Oct 2 22:03:09 12[IKE] received cert request for "C=DE, CN=daniel.dyndns.org"
Oct 2 22:03:09 12[IKE] reinitiating already active tasks
Oct 2 22:03:09 12[IKE] IKE_CERT_PRE task
Oct 2 22:03:09 12[IKE] IKE_AUTH task
Oct 2 22:03:09 12[IKE] sending cert request for "C=DE, CN=daniel.dyndns.org"
Oct 2 22:03:10 12[IKE] authentication of 'james.dyndns.org' (myself) with RSA signature successful
Oct 2 22:03:10 12[IKE] establishing CHILD_SA daniel
Oct 2 22:03:10 12[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Oct 2 22:03:10 12[NET] sending packet: from 89.246.221.197[4500] to 31.18.87.101[4500]
Oct 2 22:03:10 14[NET] received packet: from 31.18.87.101[4500] to 89.246.221.197[4500]
Oct 2 22:03:10 14[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Oct 2 22:03:10 14[CFG] using trusted certificate "C=DE, CN=daniel.dyndns.org"
Oct 2 22:03:10 14[IKE] authentication of 'C=DE, CN=daniel.dyndns.org' with RSA signature successful
Oct 2 22:03:10 14[IKE] IKE_SA daniel[1] established between 89.246.221.197[james.dyndns.org]...31.18.87.101[C=DE, CN=daniel.dyndns.org]
Oct 2 22:03:10 14[IKE] IKE_SA daniel[1] state change: CONNECTING => ESTABLISHED
Oct 2 22:03:10 14[IKE] scheduling reauthentication in 10164s
Oct 2 22:03:10 14[IKE] maximum IKE_SA lifetime 10704s
Oct 2 22:03:10 14[IKE] delaying task initiation, IKE_AUTH exchange in progress
Oct 2 22:03:10 14[IKE] CHILD_SA daniel{1} established with SPIs cc9bf8e0_i ce306dd9_o and TS 172.16.16.0/24 === 192.168.2.0/24
Oct 2 22:03:10 14[IKE] received AUTH_LIFETIME of 10028s, scheduling reauthentication in 9488s
Oct 2 22:03:10 14[IKE] peer supports MOBIKE
Oct 2 22:03:10 14[IKE] got additional MOBIKE peer address: 192.168.2.3
Oct 2 22:03:10 14[IKE] activating new tasks
Oct 2 22:03:10 14[IKE] nothing to initiate
Oct 2 22:03:12 16[NET] received packet: from 31.18.87.101[500] to 89.246.221.197[500]
Oct 2 22:03:12 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct 2 22:03:12 16[IKE] 31.18.87.101 is initiating an IKE_SA
Oct 2 22:03:12 16[IKE] IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
Oct 2 22:03:15 16[IKE] sending cert request for "C=DE, CN=daniel.dyndns.org"
Oct 2 22:03:15 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Oct 2 22:03:15 16[NET] sending packet: from 89.246.221.197[500] to 31.18.87.101[500]
Oct 2 22:03:15 13[NET] received packet: from 31.18.87.101[4500] to 89.246.221.197[4500]
Oct 2 22:03:15 13[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Oct 2 22:03:15 13[IKE] received cert request for "C=DE, CN=daniel.dyndns.org"
Oct 2 22:03:15 13[CFG] looking for peer configs matching 89.246.221.197[james.dyndns.org]...31.18.87.101[C=DE, CN=daniel.dyndns.org]
Oct 2 22:03:15 13[CFG] selected peer config 'daniel'
Oct 2 22:03:15 13[CFG] using trusted certificate "C=DE, CN=daniel.dyndns.org"
Oct 2 22:03:15 13[IKE] authentication of 'C=DE, CN=daniel.dyndns.org' with RSA signature successful
Oct 2 22:03:15 13[IKE] peer supports MOBIKE
Oct 2 22:03:15 13[IKE] got additional MOBIKE peer address: 192.168.2.3
Oct 2 22:03:16 13[IKE] authentication of 'james.dyndns.org' (myself) with RSA signature successful
Oct 2 22:03:16 13[IKE] deleting duplicate IKE_SA for peer 'C=DE, CN=daniel.dyndns.org' due to uniqueness policy
Oct 2 22:03:16 13[IKE] queueing IKE_DELETE task
Oct 2 22:03:16 13[IKE] activating new tasks
Oct 2 22:03:16 13[IKE] activating IKE_DELETE task
Oct 2 22:03:16 13[IKE] deleting IKE_SA daniel[1] between 89.246.221.197[james.dyndns.org]...31.18.87.101[C=DE, CN=daniel.dyndns.org]
Oct 2 22:03:16 13[IKE] IKE_SA daniel[1] state change: ESTABLISHED => DELETING
Oct 2 22:03:16 13[IKE] sending DELETE for IKE_SA daniel[1]
Oct 2 22:03:16 13[ENC] generating INFORMATIONAL request 2 [ D ]
Oct 2 22:03:16 13[NET] sending packet: from 89.246.221.197[4500] to 31.18.87.101[4500]
Oct 2 22:03:16 13[IKE] IKE_SA daniel[2] established between 89.246.221.197[james.dyndns.org]...31.18.87.101[C=DE, CN=daniel.dyndns.org]
Oct 2 22:03:16 13[IKE] IKE_SA daniel[2] state change: CONNECTING => ESTABLISHED
Oct 2 22:03:16 13[IKE] scheduling reauthentication in 9946s
Oct 2 22:03:16 13[IKE] maximum IKE_SA lifetime 10486s
Oct 2 22:03:16 13[IKE] activating new tasks
Oct 2 22:03:16 13[IKE] nothing to initiate
Oct 2 22:03:16 13[IKE] CHILD_SA daniel{2} established with SPIs ccc77167_i cdf735e9_o and TS 172.16.16.0/24 === 192.168.2.0/24
Oct 2 22:03:16 13[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Oct 2 22:03:16 13[NET] sending packet: from 89.246.221.197[4500] to 31.18.87.101[4500]
Oct 2 22:03:16 12[NET] received packet: from 31.18.87.101[4500] to 89.246.221.197[4500]
Oct 2 22:03:16 12[ENC] parsed INFORMATIONAL response 2 [ ]
Oct 2 22:03:16 12[IKE] IKE_SA deleted
Oct 2 22:03:16 12[IKE] IKE_SA daniel[1] state change: DELETING => DESTROYING
Oct 2 22:03:45 02[IKE] activating new tasks
Oct 2 22:03:45 02[IKE] nothing to initiate
Oct 2 22:04:15 16[IKE] activating new tasks
Oct 2 22:04:15 16[IKE] nothing to initiate
Oct 2 22:04:44 07[KNL] interface pppoe-wan deactivated
Oct 2 22:04:44 13[IKE] old path is not available anymore, try to find another
Oct 2 22:04:44 13[IKE] looking for a route to 31.18.87.101 ...
Oct 2 22:04:44 07[KNL] 89.246.221.197 disappeared from pppoe-wan
Oct 2 22:04:44 13[IKE] looking for a route to 192.168.2.3 ...
Oct 2 22:04:44 13[IKE] no route found to reach 31.18.87.101, MOBIKE update deferred
Oct 2 22:04:44 07[KNL] interface pppoe-wan deleted
Oct 2 22:04:45 09[IKE] old path is not available anymore, try to find another
Oct 2 22:04:45 09[IKE] looking for a route to 31.18.87.101 ...
Oct 2 22:04:45 09[IKE] looking for a route to 192.168.2.3 ...
Oct 2 22:04:45 09[IKE] no route found to reach 31.18.87.101, MOBIKE update deferred
Oct 2 22:04:45 14[IKE] activating new tasks
Oct 2 22:04:45 14[IKE] nothing to initiate
Oct 2 22:04:45 07[KNL] interface eth1 deactivated
Oct 2 22:04:45 07[KNL] fe80::224:8cff:fe54:eeca disappeared from eth1
Oct 2 22:04:45 11[IKE] old path is not available anymore, try to find another
Oct 2 22:04:45 11[IKE] looking for a route to 31.18.87.101 ...
Oct 2 22:04:45 11[IKE] looking for a route to 192.168.2.3 ...
Oct 2 22:04:45 11[IKE] no route found to reach 31.18.87.101, MOBIKE update deferred
Oct 2 22:05:14 02[IKE] sending DPD request
Oct 2 22:05:14 02[IKE] queueing IKE_DPD task
Oct 2 22:05:14 02[IKE] activating new tasks
Oct 2 22:05:14 02[IKE] activating IKE_DPD task
Oct 2 22:05:14 02[ENC] generating INFORMATIONAL request 0 [ ]
Oct 2 22:05:14 02[NET] sending packet: from 89.246.221.197[4500] to 31.18.87.101[4500]
Oct 2 22:05:14 05[NET] error writing to socket: Invalid argument
Oct 2 22:05:18 16[IKE] retransmit 1 of request with message ID 0
Oct 2 22:05:18 16[NET] sending packet: from 89.246.221.197[4500] to 31.18.87.101[4500]
Oct 2 22:05:18 05[NET] error writing to socket: Invalid argument
Oct 2 22:05:25 12[IKE] retransmit 2 of request with message ID 0
Oct 2 22:05:25 12[NET] sending packet: from 89.246.221.197[4500] to 31.18.87.101[4500]
Oct 2 22:05:25 05[NET] error writing to socket: Invalid argument
Oct 2 22:05:30 07[KNL] interface eth1 activated
Oct 2 22:05:30 13[IKE] old path is not available anymore, try to find another
Oct 2 22:05:30 13[IKE] looking for a route to 31.18.87.101 ...
Oct 2 22:05:30 13[IKE] looking for a route to 192.168.2.3 ...
Oct 2 22:05:30 13[IKE] no route found to reach 31.18.87.101, MOBIKE update deferred
Oct 2 22:05:31 07[KNL] 89.246.210.233 appeared on pppoe-wan
Oct 2 22:05:31 07[KNL] 89.246.210.233 disappeared from pppoe-wan
Oct 2 22:05:31 07[KNL] 89.246.210.233 appeared on pppoe-wan
Oct 2 22:05:31 07[KNL] interface pppoe-wan activated
Oct 2 22:05:31 07[KNL] fe80::224:8cff:fe54:eeca appeared on eth1
Oct 2 22:05:31 10[IKE] old path is not available anymore, try to find another
Oct 2 22:05:31 10[IKE] looking for a route to 31.18.87.101 ...
Oct 2 22:05:31 10[IKE] looking for a route to 192.168.2.3 ...
Oct 2 22:05:31 10[IKE] no route found to reach 31.18.87.101, MOBIKE update deferred
Oct 2 22:05:31 02[IKE] old path is not available anymore, try to find another
Oct 2 22:05:31 02[IKE] looking for a route to 31.18.87.101 ...
Oct 2 22:05:31 02[IKE] sending address list update using MOBIKE, implicitly requesting an address change
Oct 2 22:05:31 02[IKE] queueing IKE_MOBIKE task
Oct 2 22:05:31 02[IKE] delaying task initiation, INFORMATIONAL exchange in progress
Oct 2 22:05:38 12[IKE] retransmit 3 of request with message ID 0
Oct 2 22:05:38 12[NET] sending packet: from 89.246.221.197[4500] to 31.18.87.101[4500]
Oct 2 22:05:38 05[NET] error writing to socket: Invalid argument
Oct 2 22:05:44 15[IKE] delaying task initiation, INFORMATIONAL exchange in progress
Oct 2 22:06:02 09[IKE] retransmit 4 of request with message ID 0
Oct 2 22:06:02 09[NET] sending packet: from 89.246.221.197[4500] to 31.18.87.101[4500]
Oct 2 22:06:02 05[NET] error writing to socket: Invalid argument
Oct 2 22:06:14 13[IKE] delaying task initiation, INFORMATIONAL exchange in progress
Oct 2 22:06:44 02[IKE] retransmit 5 of request with message ID 0
Oct 2 22:06:44 02[NET] sending packet: from 89.246.221.197[4500] to 31.18.87.101[4500]
Oct 2 22:06:44 05[NET] error writing to socket: Invalid argument
Oct 2 22:06:44 12[IKE] delaying task initiation, INFORMATIONAL exchange in progress
Oct 2 22:07:14 15[IKE] delaying task initiation, INFORMATIONAL exchange in progress
Oct 2 22:07:44 09[IKE] delaying task initiation, INFORMATIONAL exchange in progress
Oct 2 22:07:59 13[IKE] giving up after 5 retransmits
Oct 2 22:07:59 13[IKE] restarting CHILD_SA daniel
Oct 2 22:07:59 13[IKE] queueing IKE_VENDOR task
Oct 2 22:07:59 13[IKE] queueing IKE_INIT task
Oct 2 22:07:59 13[IKE] queueing IKE_NATD task
Oct 2 22:07:59 13[IKE] queueing IKE_CERT_PRE task
Oct 2 22:07:59 13[IKE] queueing IKE_AUTH task
Oct 2 22:07:59 13[IKE] queueing IKE_CERT_POST task
Oct 2 22:07:59 13[IKE] queueing IKE_CONFIG task
Oct 2 22:07:59 13[IKE] queueing IKE_AUTH_LIFETIME task
Oct 2 22:07:59 13[IKE] queueing IKE_MOBIKE task
Oct 2 22:07:59 13[IKE] queueing CHILD_CREATE task
Oct 2 22:07:59 13[IKE] activating new tasks
Oct 2 22:07:59 13[IKE] activating IKE_VENDOR task
Oct 2 22:07:59 13[IKE] activating IKE_INIT task
Oct 2 22:07:59 13[IKE] activating IKE_NATD task
Oct 2 22:07:59 13[IKE] activating IKE_CERT_PRE task
Oct 2 22:07:59 13[IKE] activating IKE_AUTH task
Oct 2 22:07:59 13[IKE] activating IKE_CERT_POST task
Oct 2 22:07:59 13[IKE] activating IKE_CONFIG task
Oct 2 22:07:59 13[IKE] activating CHILD_CREATE task
Oct 2 22:07:59 13[IKE] activating IKE_AUTH_LIFETIME task
Oct 2 22:07:59 13[IKE] activating IKE_MOBIKE task
Oct 2 22:07:59 13[IKE] initiating IKE_SA daniel[3] to 31.18.87.101
Oct 2 22:07:59 13[IKE] IKE_SA daniel[3] state change: CREATED => CONNECTING
Oct 2 22:08:01 13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct 2 22:08:01 13[NET] sending packet: from 89.246.221.197[4500] to 31.18.87.101[4500]
Oct 2 22:08:01 05[NET] error writing to socket: Invalid argument
Oct 2 22:08:01 13[IKE] IKE_SA daniel[2] state change: ESTABLISHED => DESTROYING
Oct 2 22:08:05 11[IKE] retransmit 1 of request with message ID 0
Oct 2 22:08:05 11[NET] sending packet: from 89.246.221.197[4500] to 31.18.87.101[4500]
Oct 2 22:08:05 05[NET] error writing to socket: Invalid argument
Oct 2 22:08:12 14[IKE] retransmit 2 of request with message ID 0
Oct 2 22:08:12 14[NET] sending packet: from 89.246.221.197[4500] to 31.18.87.101[4500]
Oct 2 22:08:12 05[NET] error writing to socket: Invalid argument
Oct 2 22:08:25 10[IKE] retransmit 3 of request with message ID 0
Oct 2 22:08:25 10[NET] sending packet: from 89.246.221.197[4500] to 31.18.87.101[4500]
Oct 2 22:08:25 05[NET] error writing to socket: Invalid argument
Oct 2 22:08:48 02[IKE] retransmit 4 of request with message ID 0
Oct 2 22:08:48 02[NET] sending packet: from 89.246.221.197[4500] to 31.18.87.101[4500]
Oct 2 22:08:48 05[NET] error writing to socket: Invalid argument
Oct 2 22:09:30 09[IKE] retransmit 5 of request with message ID 0
Oct 2 22:09:30 09[NET] sending packet: from 89.246.221.197[4500] to 31.18.87.101[4500]
Oct 2 22:09:30 05[NET] error writing to socket: Invalid argument
Oct 2 22:10:44 14[NET] received packet: from 31.18.87.101[500] to 89.246.210.233[500]
Oct 2 22:10:44 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct 2 22:10:45 14[IKE] 31.18.87.101 is initiating an IKE_SA
Oct 2 22:10:45 14[IKE] IKE_SA (unnamed)[4] state change: CREATED => CONNECTING
Oct 2 22:10:46 16[IKE] giving up after 5 retransmits
Oct 2 22:10:46 16[IKE] peer not responding, trying again (2/0)
Oct 2 22:10:46 16[IKE] IKE_SA daniel[3] state change: CONNECTING => CREATED
Oct 2 22:10:46 16[IKE] activating new tasks
Oct 2 22:10:46 16[IKE] activating IKE_VENDOR task
Oct 2 22:10:46 16[IKE] activating IKE_INIT task
Oct 2 22:10:46 16[IKE] activating IKE_NATD task
Oct 2 22:10:46 16[IKE] activating IKE_CERT_PRE task
Oct 2 22:10:46 16[IKE] activating IKE_AUTH task
Oct 2 22:10:46 16[IKE] activating IKE_CERT_POST task
Oct 2 22:10:46 16[IKE] activating IKE_CONFIG task
Oct 2 22:10:46 16[IKE] activating CHILD_CREATE task
Oct 2 22:10:46 16[IKE] activating IKE_AUTH_LIFETIME task
Oct 2 22:10:46 16[IKE] activating IKE_MOBIKE task
Oct 2 22:10:46 16[IKE] initiating IKE_SA daniel[3] to 31.18.87.101
Oct 2 22:10:46 16[IKE] IKE_SA daniel[3] state change: CREATED => CONNECTING
Oct 2 22:10:46 16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct 2 22:10:46 16[NET] sending packet: from 89.246.210.233[500] to 31.18.87.101[500]
Oct 2 22:10:46 10[NET] received packet: from 31.18.87.101[500] to 89.246.210.233[500]
Oct 2 22:10:46 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Oct 2 22:10:48 02[MGR] ignoring request with ID 0, already processing
Oct 2 22:10:49 10[IKE] received cert request for "C=DE, CN=daniel.dyndns.org"
Oct 2 22:10:49 10[IKE] reinitiating already active tasks
Oct 2 22:10:49 10[IKE] IKE_CERT_PRE task
Oct 2 22:10:49 10[IKE] IKE_AUTH task
Oct 2 22:10:49 10[IKE] sending cert request for "C=DE, CN=daniel.dyndns.org"
Oct 2 22:10:50 14[IKE] sending cert request for "C=DE, CN=daniel.dyndns.org"
Oct 2 22:10:50 14[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Oct 2 22:10:50 14[NET] sending packet: from 89.246.210.233[500] to 31.18.87.101[500]
Oct 2 22:10:50 12[NET] received packet: from 31.18.87.101[4500] to 89.246.210.233[4500]
Oct 2 22:10:50 12[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Oct 2 22:10:50 12[IKE] received cert request for "C=DE, CN=daniel.dyndns.org"
Oct 2 22:10:50 12[CFG] looking for peer configs matching 89.246.210.233[james.dyndns.org]...31.18.87.101[C=DE, CN=daniel.dyndns.org]
Oct 2 22:10:50 12[CFG] selected peer config 'daniel'
Oct 2 22:10:50 12[CFG] using trusted certificate "C=DE, CN=daniel.dyndns.org"
Oct 2 22:10:50 10[IKE] authentication of 'james.dyndns.org' (myself) with RSA signature successful
Oct 2 22:10:50 10[IKE] establishing CHILD_SA daniel
Oct 2 22:10:50 12[IKE] authentication of 'C=DE, CN=daniel.dyndns.org' with RSA signature successful
Oct 2 22:10:50 12[IKE] peer supports MOBIKE
Oct 2 22:10:50 12[IKE] got additional MOBIKE peer address: 192.168.2.3
Oct 2 22:10:50 10[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Oct 2 22:10:50 10[NET] sending packet: from 89.246.210.233[4500] to 31.18.87.101[4500]
Oct 2 22:10:51 09[NET] received packet: from 31.18.87.101[4500] to 89.246.210.233[4500]
Oct 2 22:10:51 09[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Oct 2 22:10:51 09[CFG] using trusted certificate "C=DE, CN=daniel.dyndns.org"
Oct 2 22:10:51 12[IKE] authentication of 'james.dyndns.org' (myself) with RSA signature successful
Oct 2 22:10:51 12[IKE] IKE_SA daniel[4] established between 89.246.210.233[james.dyndns.org]...31.18.87.101[C=DE, CN=daniel.dyndns.org]
Oct 2 22:10:51 09[IKE] authentication of 'C=DE, CN=daniel.dyndns.org' with RSA signature successful
Oct 2 22:10:51 09[IKE] IKE_SA daniel[3] established between 89.246.210.233[james.dyndns.org]...31.18.87.101[C=DE, CN=daniel.dyndns.org]
Oct 2 22:10:51 12[IKE] IKE_SA daniel[4] state change: CONNECTING => ESTABLISHED
Oct 2 22:10:51 12[IKE] scheduling reauthentication in 10086s
Oct 2 22:10:51 09[IKE] IKE_SA daniel[3] state change: CONNECTING => ESTABLISHED
Oct 2 22:10:51 12[IKE] maximum IKE_SA lifetime 10626s
Oct 2 22:10:51 12[IKE] activating new tasks
Oct 2 22:10:51 12[IKE] nothing to initiate
Oct 2 22:10:51 09[IKE] scheduling reauthentication in 9948s
Oct 2 22:10:51 09[IKE] maximum IKE_SA lifetime 10488s
Oct 2 22:10:51 09[IKE] delaying task initiation, IKE_AUTH exchange in progress
Oct 2 22:10:51 09[IKE] CHILD_SA daniel{3} established with SPIs c5dcc107_i c25d54e9_o and TS 172.16.16.0/24 === 192.168.2.0/24
Oct 2 22:10:51 12[IKE] CHILD_SA daniel{4} established with SPIs c20b0973_i cb39e522_o and TS 172.16.16.0/24 === 192.168.2.0/24
Oct 2 22:10:51 12[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Oct 2 22:10:51 12[NET] sending packet: from 89.246.210.233[4500] to 31.18.87.101[4500]
Oct 2 22:10:51 09[IKE] received AUTH_LIFETIME of 10163s, scheduling reauthentication in 9623s
Oct 2 22:10:51 09[IKE] peer supports MOBIKE
Oct 2 22:10:51 09[IKE] got additional MOBIKE peer address: 192.168.2.3
Oct 2 22:10:51 09[IKE] activating new tasks
Oct 2 22:10:51 09[IKE] nothing to initiate
Oct 2 22:11:20 16[IKE] activating new tasks
Oct 2 22:11:20 16[IKE] nothing to initiate
Oct 2 22:11:20 02[NET] received packet: from 31.18.87.101[4500] to 89.246.210.233[4500]
Oct 2 22:11:20 02[ENC] parsed INFORMATIONAL request 0 [ ]
Oct 2 22:11:20 02[ENC] generating INFORMATIONAL response 0 [ ]
Oct 2 22:11:20 02[NET] sending packet: from 89.246.210.233[4500] to 31.18.87.101[4500]
Oct 2 22:11:21 14[IKE] activating new tasks
Oct 2 22:11:21 14[IKE] nothing to initiate
Oct 2 22:11:50 11[IKE] activating new tasks
Oct 2 22:11:50 11[IKE] nothing to initiate
Oct 2 22:11:51 13[IKE] sending DPD request
Oct 2 22:11:51 13[IKE] queueing IKE_DPD task
Oct 2 22:11:51 13[IKE] activating new tasks
Oct 2 22:11:51 13[IKE] activating IKE_DPD task
Oct 2 22:11:51 13[ENC] generating INFORMATIONAL request 2 [ ]
Oct 2 22:11:51 13[NET] sending packet: from 89.246.210.233[4500] to 31.18.87.101[4500]
Oct 2 22:11:51 16[NET] received packet: from 31.18.87.101[4500] to 89.246.210.233[4500]
Oct 2 22:11:51 16[ENC] parsed INFORMATIONAL response 2 [ ]
Oct 2 22:11:51 16[IKE] activating new tasks
Oct 2 22:11:51 16[IKE] nothing to initiate
-------------- next part --------------
# ipsec.conf - strongSwan IPsec configuration file

config setup
    #charondebug="ike 2"

conn %default
    keyingtries=%forever

conn daniel
    leftcert=jamesCert.pem
    leftsendcert=never
    leftid=@james.dyndns.org
    leftsubnet=172.16.16.0/24
    lefthostaccess=yes
    right=%daniel.dyndns.org
    rightcert=danielCert.pem
    rightsubnet=192.168.2.0/24
    dpdaction=restart
    auto=start
-------------- next part --------------
# strongswan.conf - strongSwan configuration file

charon {
    # number of worker threads in charon
    threads = 16

    # retry DNS lookups every N seconds (0 means off)
    retry_initiate_interval = 30

    # send strongswan vendor ID?
    # send_vendor_id = yes

    plugins {
        sql {
            # loglevel to log into sql database
            loglevel = -1

            # URI to the database
            # database = sqlite:///path/to/file.db
            # database = mysql://user:password@localhost/database
        }
    }

    # ...

    syslog {
        daemon {
            default = 0
        }
        auth {
            default = 0
        }
    }

    filelog {
        /tmp/charon.log {
            # add a timestamp prefix
            time_format = %b %e %T
            # loggers to files also accept the append option to open files in
            # append mode at startup (default is yes)
            append = yes
            # the default loglevel for all daemon subsystems (defaults to 1).
            default = 1
            ike=2
            # flush each line to disk
            flush_line = yes
        }
    }
}

pluto {
}

libstrongswan {
    # set to no, the DH exponent size is optimized
    # dh_exponent_ansi_x9_42 = no
}
-------------- next part --------------
Status of IKE charon daemon (strongSwan 5.0.0, Linux 3.2.0-3-amd64, x86_64):
uptime: 3 minutes, since Oct 02 22:03:01 2012
malloc: sbrk 1581056, mmap 0, used 1449136, free 131920
worker threads: 4 of 16 idle, 11/1/0/0 working, job queue: 0/0/0/0, scheduled: 7
loaded plugins: charon test-vectors curl soup ldap mysql sqlite pkcs11 aes des blowfish sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default socket-raw socket-dynamic farp stroke smp updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap tnc-ifmap tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist led radattr addrblock
Listening IP addresses:
31.18.87.101
192.168.2.3
Connections:
james: %any...%james.dyndns.org IKEv1/2, dpddelay=30s
james: local: [C=DE, CN=daniel.dyndns.org] uses public key authentication
james: cert: "C=DE, CN=daniel.dyndns.org"
james: remote: [james.dyndns.org] uses public key authentication
james: cert: "C=DE, CN=james"
james: child: 192.168.2.0/24 === 172.16.16.0/24 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
james[1]: ESTABLISHED 3 minutes ago, 31.18.87.101[C=DE, CN=daniel.dyndns.org]...89.246.221.197[james.dyndns.org]
james[1]: IKEv2 SPIs: 659745c7cfb41501_i* 7392ca9871227e21_r, public key reauthentication in 2 hours
james[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
james[1]: Tasks active: IKE_DPD
james{2}: INSTALLED, TUNNEL, ESP SPIs: cdf735e9_i ccc77167_o
james{2}: AES_CBC_128/HMAC_SHA1_96, 36092 bytes_i (128s ago), 339604 bytes_o (129s ago), rekeying in 44 minutes
james{2}: 192.168.2.0/24 === 172.16.16.0/24
------------------------------------------------------------------------------------------------------------------------------------------------------
Status of IKE charon daemon (strongSwan 5.0.0, Linux 3.2.0-3-amd64, x86_64):
uptime: 5 minutes, since Oct 02 22:03:01 2012
malloc: sbrk 1581056, mmap 0, used 1410720, free 170336
worker threads: 4 of 16 idle, 11/1/0/0 working, job queue: 0/0/0/0, scheduled: 6
loaded plugins: charon test-vectors curl soup ldap mysql sqlite pkcs11 aes des blowfish sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default socket-raw socket-dynamic farp stroke smp updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap tnc-ifmap tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist led radattr addrblock
Listening IP addresses:
31.18.87.101
192.168.2.3
Connections:
james: %any...%james.dyndns.org IKEv1/2, dpddelay=30s
james: local: [C=DE, CN=daniel.dyndns.org] uses public key authentication
james: cert: "C=DE, CN=daniel.dyndns.org"
james: remote: [james.dyndns.org] uses public key authentication
james: cert: "C=DE, CN=james"
james: child: 192.168.2.0/24 === 172.16.16.0/24 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
james[3]: CONNECTING, 31.18.87.101[%any]...89.246.221.197[%any]
james[3]: IKEv2 SPIs: bae31fa7f9faebe9_i* 0000000000000000_r
james[3]: Tasks active: IKE_VENDOR IKE_INIT IKE_NATD IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE
------------------------------------------------------------------------------------------------------------------------------------------------------
Status of IKE charon daemon (strongSwan 5.0.0, Linux 3.2.0-3-amd64, x86_64):
uptime: 8 minutes, since Oct 02 22:03:01 2012
malloc: sbrk 1581056, mmap 0, used 1506992, free 74064
worker threads: 4 of 16 idle, 11/1/0/0 working, job queue: 0/0/0/0, scheduled: 13
loaded plugins: charon test-vectors curl soup ldap mysql sqlite pkcs11 aes des blowfish sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default socket-raw socket-dynamic farp stroke smp updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap tnc-ifmap tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist led radattr addrblock
Listening IP addresses:
31.18.87.101
192.168.2.3
Connections:
james: %any...%james.dyndns.org IKEv1/2, dpddelay=30s
james: local: [C=DE, CN=daniel.dyndns.org] uses public key authentication
james: cert: "C=DE, CN=daniel.dyndns.org"
james: remote: [james.dyndns.org] uses public key authentication
james: cert: "C=DE, CN=james"
james: child: 192.168.2.0/24 === 172.16.16.0/24 TUNNEL, dpdaction=restart
Security Associations (2 up, 0 connecting):
james[4]: ESTABLISHED 31 seconds ago, 31.18.87.101[C=DE, CN=daniel.dyndns.org]...89.246.210.233[james.dyndns.org]
james[4]: IKEv2 SPIs: a624cd4c766d6d24_i 83b216b0e29421cd_r*, public key reauthentication in 2 hours
james[4]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
james{4}: INSTALLED, TUNNEL, ESP SPIs: c25d54e9_i c5dcc107_o
james{4}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 42 minutes
james{4}: 192.168.2.0/24 === 172.16.16.0/24
james[3]: ESTABLISHED 30 seconds ago, 31.18.87.101[C=DE, CN=daniel.dyndns.org]...89.246.210.233[james.dyndns.org]
james[3]: IKEv2 SPIs: bae31fa7f9faebe9_i* 398f00e2dafe114c_r, public key reauthentication in 2 hours
james[3]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
james{3}: INSTALLED, TUNNEL, ESP SPIs: cb39e522_i c20b0973_o
james{3}: AES_CBC_128/HMAC_SHA1_96, 11868 bytes_i (0s ago), 81032 bytes_o (0s ago), rekeying in 42 minutes
james{3}: 192.168.2.0/24 === 172.16.16.0/24
------------------------------------------------------------------------------------------------------------------------------------------------------
-------------- next part --------------
Oct 2 22:03:01 daniel charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.0.0, Linux 3.2.0-3-amd64, x86_64)
Oct 2 22:03:01 daniel charon: 00[CFG] attr-sql plugin: database URI not set
Oct 2 22:03:01 daniel charon: 00[LIB] plugin 'attr-sql': failed to load - attr_sql_plugin_create returned NULL
Oct 2 22:03:01 daniel charon: 00[CFG] disabling load-tester plugin, not configured
Oct 2 22:03:01 daniel charon: 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
Oct 2 22:03:01 daniel charon: 00[KNL] listening on interfaces:
Oct 2 22:03:01 daniel charon: 00[KNL] eth0
Oct 2 22:03:01 daniel charon: 00[KNL] 31.18.87.101
Oct 2 22:03:01 daniel charon: 00[KNL] fe80::92fb:a6ff:fe8a:8ca6
Oct 2 22:03:01 daniel charon: 00[KNL] dummy0
Oct 2 22:03:01 daniel charon: 00[KNL] 192.168.2.3
Oct 2 22:03:01 daniel charon: 00[KNL] fe80::6c81:aaff:fe9b:6121
Oct 2 22:03:01 daniel charon: 00[CFG] sql plugin: database URI not set
Oct 2 22:03:01 daniel charon: 00[LIB] plugin 'sql': failed to load - sql_plugin_create returned NULL
Oct 2 22:03:01 daniel charon: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
Oct 2 22:03:01 daniel charon: 00[CFG] eap-simaka-sql database URI missing
Oct 2 22:03:01 daniel charon: 00[CFG] loaded 0 RADIUS server configurations
Oct 2 22:03:01 daniel charon: 00[TNC] MAP server certificate not defined
Oct 2 22:03:01 daniel charon: 00[CFG] missing PDP server name, PDP disabled
Oct 2 22:03:01 daniel charon: 00[CFG] mediation database URI not defined, skipped
Oct 2 22:03:01 daniel charon: 00[LIB] plugin 'medsrv': failed to load - medsrv_plugin_create returned NULL
Oct 2 22:03:01 daniel charon: 00[CFG] mediation client database URI not defined, skipped
Oct 2 22:03:01 daniel charon: 00[LIB] plugin 'medcli': failed to load - medcli_plugin_create returned NULL
Oct 2 22:03:01 daniel charon: 00[CFG] HA config misses local/remote address
Oct 2 22:03:01 daniel charon: 00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
Oct 2 22:03:01 daniel charon: 00[CFG] coupling file path unspecified
Oct 2 22:03:01 daniel charon: 00[LIB] plugin 'coupling': failed to load - coupling_plugin_create returned NULL
Oct 2 22:03:01 daniel charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Oct 2 22:03:01 daniel charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Oct 2 22:03:01 daniel charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Oct 2 22:03:01 daniel charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Oct 2 22:03:01 daniel charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Oct 2 22:03:01 daniel charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Oct 2 22:03:01 daniel charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/danielKey.pem'
Oct 2 22:03:01 daniel charon: 00[TNC] loading IMCs from '/etc/tnc_config'
Oct 2 22:03:01 daniel charon: 00[TNC] opening configuration file '/etc/tnc_config' failed: No such file or directory
Oct 2 22:03:01 daniel charon: 00[TNC] TNC recommendation policy is 'default'
Oct 2 22:03:01 daniel charon: 00[TNC] loading IMVs from '/etc/tnc_config'
Oct 2 22:03:01 daniel charon: 00[TNC] opening configuration file '/etc/tnc_config' failed: No such file or directory
Oct 2 22:03:01 daniel charon: 00[DMN] loaded plugins: charon test-vectors curl soup ldap mysql sqlite pkcs11 aes des blowfish sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default socket-raw socket-dynamic farp stroke smp updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap tnc-ifmap tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist led radattr addrblock
Oct 2 22:03:01 daniel charon: 00[JOB] spawning 16 worker threads
Oct 2 22:03:01 daniel charon: 05[CFG] received stroke: add connection 'james'
Oct 2 22:03:01 daniel charon: 05[CFG] left nor right host is our side, assuming left=local
Oct 2 22:03:01 daniel charon: 05[CFG] loaded certificate "C=DE, CN=daniel.dyndns.org" from 'danielCert.pem'
Oct 2 22:03:01 daniel charon: 05[CFG] id '%any' not confirmed by certificate, defaulting to 'C=DE, CN=daniel.dyndns.org'
Oct 2 22:03:01 daniel charon: 05[CFG] loaded certificate "C=DE, CN=james" from 'jamesCert.pem'
Oct 2 22:03:01 daniel charon: 05[CFG] added configuration 'james'
Oct 2 22:03:01 daniel charon: 05[CFG] received stroke: initiate 'james'
Oct 2 22:03:01 daniel charon: 05[IKE] queueing IKE_VENDOR task
Oct 2 22:03:01 daniel charon: 05[IKE] queueing IKE_INIT task
Oct 2 22:03:01 daniel charon: 05[IKE] queueing IKE_NATD task
Oct 2 22:03:01 daniel charon: 05[IKE] queueing IKE_CERT_PRE task
Oct 2 22:03:01 daniel charon: 05[IKE] queueing IKE_AUTH task
Oct 2 22:03:01 daniel charon: 05[IKE] queueing IKE_CERT_POST task
Oct 2 22:03:01 daniel charon: 05[IKE] queueing IKE_CONFIG task
Oct 2 22:03:01 daniel charon: 05[IKE] queueing IKE_AUTH_LIFETIME task
Oct 2 22:03:01 daniel charon: 05[IKE] queueing IKE_MOBIKE task
Oct 2 22:03:01 daniel charon: 05[IKE] queueing IKE_ME task
Oct 2 22:03:01 daniel charon: 05[IKE] queueing CHILD_CREATE task
Oct 2 22:03:01 daniel charon: 05[IKE] activating new tasks
Oct 2 22:03:01 daniel charon: 05[IKE] activating IKE_VENDOR task
Oct 2 22:03:01 daniel charon: 05[IKE] activating IKE_INIT task
Oct 2 22:03:01 daniel charon: 05[IKE] activating IKE_NATD task
Oct 2 22:03:01 daniel charon: 05[IKE] activating IKE_CERT_PRE task
Oct 2 22:03:01 daniel charon: 05[IKE] activating IKE_ME task
Oct 2 22:03:01 daniel charon: 05[IKE] activating IKE_AUTH task
Oct 2 22:03:01 daniel charon: 05[IKE] activating IKE_CERT_POST task
Oct 2 22:03:01 daniel charon: 05[IKE] activating IKE_CONFIG task
Oct 2 22:03:01 daniel charon: 05[IKE] activating CHILD_CREATE task
Oct 2 22:03:01 daniel charon: 05[IKE] activating IKE_AUTH_LIFETIME task
Oct 2 22:03:01 daniel charon: 05[IKE] activating IKE_MOBIKE task
Oct 2 22:03:01 daniel charon: 05[IKE] initiating IKE_SA james[1] to 89.246.221.197
Oct 2 22:03:01 daniel charon: 05[IKE] initiating IKE_SA james[1] to 89.246.221.197
Oct 2 22:03:01 daniel charon: 05[IKE] IKE_SA james[1] state change: CREATED => CONNECTING
Oct 2 22:03:01 daniel charon: 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct 2 22:03:01 daniel charon: 05[NET] sending packet: from 31.18.87.101[500] to 89.246.221.197[500]
Oct 2 22:03:05 daniel charon: 01[IKE] retransmit 1 of request with message ID 0
Oct 2 22:03:05 daniel charon: 01[NET] sending packet: from 31.18.87.101[500] to 89.246.221.197[500]
Oct 2 22:03:07 daniel charon: 04[NET] received packet: from 89.246.221.197[500] to 31.18.87.101[500]
Oct 2 22:03:07 daniel charon: 04[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct 2 22:03:07 daniel charon: 04[IKE] 89.246.221.197 is initiating an IKE_SA
Oct 2 22:03:07 daniel charon: 04[IKE] 89.246.221.197 is initiating an IKE_SA
Oct 2 22:03:07 daniel charon: 04[IKE] IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
Oct 2 22:03:07 daniel charon: 04[IKE] sending cert request for "C=DE, CN=daniel.dyndns.org"
Oct 2 22:03:07 daniel charon: 04[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Oct 2 22:03:07 daniel charon: 04[NET] sending packet: from 31.18.87.101[500] to 89.246.221.197[500]
Oct 2 22:03:10 daniel charon: 03[NET] received packet: from 89.246.221.197[4500] to 31.18.87.101[4500]
Oct 2 22:03:10 daniel charon: 03[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Oct 2 22:03:10 daniel charon: 03[IKE] received cert request for "C=DE, CN=daniel.dyndns.org"
Oct 2 22:03:10 daniel charon: 03[CFG] looking for peer configs matching 31.18.87.101[C=DE, CN=daniel.dyndns.org]...89.246.221.197[james.dyndns.org]
Oct 2 22:03:10 daniel charon: 03[CFG] selected peer config 'james'
Oct 2 22:03:10 daniel charon: 03[CFG] using trusted certificate "C=DE, CN=james"
Oct 2 22:03:10 daniel charon: 03[IKE] authentication of 'james.dyndns.org' with RSA signature successful
Oct 2 22:03:10 daniel charon: 03[IKE] peer supports MOBIKE
Oct 2 22:03:10 daniel charon: 03[IKE] got additional MOBIKE peer address: 172.16.16.250
Oct 2 22:03:10 daniel charon: 03[IKE] authentication of 'C=DE, CN=daniel.dyndns.org' (myself) with RSA signature successful
Oct 2 22:03:10 daniel charon: 03[IKE] IKE_SA james[2] established between 31.18.87.101[C=DE, CN=daniel.dyndns.org]...89.246.221.197[james.dyndns.org]
Oct 2 22:03:10 daniel charon: 03[IKE] IKE_SA james[2] established between 31.18.87.101[C=DE, CN=daniel.dyndns.org]...89.246.221.197[james.dyndns.org]
Oct 2 22:03:10 daniel charon: 03[IKE] IKE_SA james[2] state change: CONNECTING => ESTABLISHED
Oct 2 22:03:10 daniel charon: 03[IKE] scheduling reauthentication in 10028s
Oct 2 22:03:10 daniel charon: 03[IKE] maximum IKE_SA lifetime 10568s
Oct 2 22:03:10 daniel charon: 03[IKE] activating new tasks
Oct 2 22:03:10 daniel charon: 03[IKE] nothing to initiate
Oct 2 22:03:10 daniel charon: 03[IKE] CHILD_SA james{1} established with SPIs ce306dd9_i cc9bf8e0_o and TS 192.168.2.0/24 === 172.16.16.0/24
Oct 2 22:03:10 daniel charon: 03[IKE] CHILD_SA james{1} established with SPIs ce306dd9_i cc9bf8e0_o and TS 192.168.2.0/24 === 172.16.16.0/24
Oct 2 22:03:10 daniel charon: 03[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Oct 2 22:03:10 daniel charon: 03[NET] sending packet: from 31.18.87.101[4500] to 89.246.221.197[4500]
Oct 2 22:03:12 daniel charon: 02[IKE] retransmit 2 of request with message ID 0
Oct 2 22:03:12 daniel charon: 02[NET] sending packet: from 31.18.87.101[500] to 89.246.221.197[500]
Oct 2 22:03:15 daniel charon: 05[NET] received packet: from 89.246.221.197[500] to 31.18.87.101[500]
Oct 2 22:03:15 daniel charon: 05[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Oct 2 22:03:15 daniel charon: 05[IKE] received cert request for "C=DE, CN=daniel.dyndns.org"
Oct 2 22:03:15 daniel charon: 05[IKE] reinitiating already active tasks
Oct 2 22:03:15 daniel charon: 05[IKE] IKE_CERT_PRE task
Oct 2 22:03:15 daniel charon: 05[IKE] IKE_AUTH task
Oct 2 22:03:15 daniel charon: 05[IKE] sending cert request for "C=DE, CN=daniel.dyndns.org"
Oct 2 22:03:15 daniel charon: 05[IKE] authentication of 'C=DE, CN=daniel.dyndns.org' (myself) with RSA signature successful
Oct 2 22:03:15 daniel charon: 05[IKE] establishing CHILD_SA james
Oct 2 22:03:15 daniel charon: 05[IKE] establishing CHILD_SA james
Oct 2 22:03:15 daniel charon: 05[ENC] generating IKE_AUTH request 1 [ IDi CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Oct 2 22:03:15 daniel charon: 05[NET] sending packet: from 31.18.87.101[4500] to 89.246.221.197[4500]
Oct 2 22:03:16 daniel charon: 01[NET] received packet: from 89.246.221.197[4500] to 31.18.87.101[4500]
Oct 2 22:03:16 daniel charon: 01[ENC] parsed INFORMATIONAL request 2 [ D ]
Oct 2 22:03:16 daniel charon: 01[IKE] received DELETE for IKE_SA james[2]
Oct 2 22:03:16 daniel charon: 01[IKE] deleting IKE_SA james[2] between 31.18.87.101[C=DE, CN=daniel.dyndns.org]...89.246.221.197[james.dyndns.org]
Oct 2 22:03:16 daniel charon: 01[IKE] deleting IKE_SA james[2] between 31.18.87.101[C=DE, CN=daniel.dyndns.org]...89.246.221.197[james.dyndns.org]
Oct 2 22:03:16 daniel charon: 01[IKE] IKE_SA james[2] state change: ESTABLISHED => DELETING
Oct 2 22:03:16 daniel charon: 01[IKE] IKE_SA deleted
Oct 2 22:03:16 daniel charon: 01[IKE] IKE_SA deleted
Oct 2 22:03:16 daniel charon: 01[ENC] generating INFORMATIONAL response 2 [ ]
Oct 2 22:03:16 daniel charon: 01[NET] sending packet: from 31.18.87.101[4500] to 89.246.221.197[4500]
Oct 2 22:03:16 daniel charon: 01[IKE] IKE_SA james[2] state change: DELETING => DESTROYING
Oct 2 22:03:16 daniel charon: 04[NET] received packet: from 89.246.221.197[4500] to 31.18.87.101[4500]
Oct 2 22:03:16 daniel charon: 04[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Oct 2 22:03:16 daniel charon: 04[CFG] using trusted certificate "C=DE, CN=james"
Oct 2 22:03:16 daniel charon: 04[IKE] authentication of 'james.dyndns.org' with RSA signature successful
Oct 2 22:03:16 daniel charon: 04[IKE] IKE_SA james[1] established between 31.18.87.101[C=DE, CN=daniel.dyndns.org]...89.246.221.197[james.dyndns.org]
Oct 2 22:03:16 daniel charon: 04[IKE] IKE_SA james[1] established between 31.18.87.101[C=DE, CN=daniel.dyndns.org]...89.246.221.197[james.dyndns.org]
Oct 2 22:03:16 daniel charon: 04[IKE] IKE_SA james[1] state change: CONNECTING => ESTABLISHED
Oct 2 22:03:16 daniel charon: 04[IKE] scheduling reauthentication in 9722s
Oct 2 22:03:16 daniel charon: 04[IKE] maximum IKE_SA lifetime 10262s
Oct 2 22:03:16 daniel charon: 04[IKE] delaying task initiation, IKE_AUTH exchange in progress
Oct 2 22:03:16 daniel charon: 04[IKE] CHILD_SA james{2} established with SPIs cdf735e9_i ccc77167_o and TS 192.168.2.0/24 === 172.16.16.0/24
Oct 2 22:03:16 daniel charon: 04[IKE] CHILD_SA james{2} established with SPIs cdf735e9_i ccc77167_o and TS 192.168.2.0/24 === 172.16.16.0/24
Oct 2 22:03:16 daniel charon: 04[IKE] received AUTH_LIFETIME of 9946s, scheduling reauthentication in 9406s
Oct 2 22:03:16 daniel charon: 04[IKE] peer supports MOBIKE
Oct 2 22:03:16 daniel charon: 04[IKE] got additional MOBIKE peer address: 172.16.16.250
Oct 2 22:03:16 daniel charon: 04[IKE] activating new tasks
Oct 2 22:03:16 daniel charon: 04[IKE] nothing to initiate
Oct 2 22:03:46 daniel charon: 04[IKE] activating new tasks
Oct 2 22:03:46 daniel charon: 04[IKE] nothing to initiate
Oct 2 22:04:15 daniel charon: 03[IKE] activating new tasks
Oct 2 22:04:15 daniel charon: 03[IKE] nothing to initiate
Oct 2 22:04:45 daniel charon: 01[IKE] activating new tasks
Oct 2 22:04:45 daniel charon: 01[IKE] nothing to initiate
Oct 2 22:05:14 daniel charon: 04[IKE] sending DPD request
Oct 2 22:05:14 daniel charon: 04[IKE] queueing IKE_DPD task
Oct 2 22:05:14 daniel charon: 04[IKE] activating new tasks
Oct 2 22:05:14 daniel charon: 04[IKE] activating IKE_DPD task
Oct 2 22:05:14 daniel charon: 04[ENC] generating INFORMATIONAL request 2 [ ]
Oct 2 22:05:14 daniel charon: 04[NET] sending packet: from 31.18.87.101[4500] to 89.246.221.197[4500]
Oct 2 22:05:18 daniel charon: 03[IKE] retransmit 1 of request with message ID 2
Oct 2 22:05:18 daniel charon: 03[NET] sending packet: from 31.18.87.101[4500] to 89.246.221.197[4500]
Oct 2 22:05:25 daniel charon: 05[IKE] retransmit 2 of request with message ID 2
Oct 2 22:05:25 daniel charon: 05[NET] sending packet: from 31.18.87.101[4500] to 89.246.221.197[4500]
Oct 2 22:05:38 daniel charon: 02[IKE] retransmit 3 of request with message ID 2
Oct 2 22:05:38 daniel charon: 02[NET] sending packet: from 31.18.87.101[4500] to 89.246.221.197[4500]
Oct 2 22:05:44 daniel charon: 01[IKE] delaying task initiation, INFORMATIONAL exchange in progress
Oct 2 22:06:02 daniel charon: 04[IKE] retransmit 4 of request with message ID 2
Oct 2 22:06:02 daniel charon: 04[NET] sending packet: from 31.18.87.101[4500] to 89.246.221.197[4500]
Oct 2 22:06:14 daniel charon: 03[IKE] delaying task initiation, INFORMATIONAL exchange in progress
Oct 2 22:06:44 daniel charon: 05[IKE] retransmit 5 of request with message ID 2
Oct 2 22:06:44 daniel charon: 05[NET] sending packet: from 31.18.87.101[4500] to 89.246.221.197[4500]
Oct 2 22:06:44 daniel charon: 02[IKE] delaying task initiation, INFORMATIONAL exchange in progress
Oct 2 22:07:14 daniel charon: 02[IKE] delaying task initiation, INFORMATIONAL exchange in progress
Oct 2 22:07:44 daniel charon: 04[IKE] delaying task initiation, INFORMATIONAL exchange in progress
Oct 2 22:07:59 daniel charon: 01[IKE] giving up after 5 retransmits
Oct 2 22:07:59 daniel charon: 01[IKE] restarting CHILD_SA james
Oct 2 22:07:59 daniel charon: 01[IKE] queueing IKE_VENDOR task
Oct 2 22:07:59 daniel charon: 01[IKE] queueing IKE_INIT task
Oct 2 22:07:59 daniel charon: 01[IKE] queueing IKE_NATD task
Oct 2 22:07:59 daniel charon: 01[IKE] queueing IKE_CERT_PRE task
Oct 2 22:07:59 daniel charon: 01[IKE] queueing IKE_AUTH task
Oct 2 22:07:59 daniel charon: 01[IKE] queueing IKE_CERT_POST task
Oct 2 22:07:59 daniel charon: 01[IKE] queueing IKE_CONFIG task
Oct 2 22:07:59 daniel charon: 01[IKE] queueing IKE_AUTH_LIFETIME task
Oct 2 22:07:59 daniel charon: 01[IKE] queueing IKE_MOBIKE task
Oct 2 22:07:59 daniel charon: 01[IKE] queueing IKE_ME task
Oct 2 22:07:59 daniel charon: 01[IKE] queueing CHILD_CREATE task
Oct 2 22:07:59 daniel charon: 01[IKE] activating new tasks
Oct 2 22:07:59 daniel charon: 01[IKE] activating IKE_VENDOR task
Oct 2 22:07:59 daniel charon: 01[IKE] activating IKE_INIT task
Oct 2 22:07:59 daniel charon: 01[IKE] activating IKE_NATD task
Oct 2 22:07:59 daniel charon: 01[IKE] activating IKE_CERT_PRE task
Oct 2 22:07:59 daniel charon: 01[IKE] activating IKE_ME task
Oct 2 22:07:59 daniel charon: 01[IKE] activating IKE_AUTH task
Oct 2 22:07:59 daniel charon: 01[IKE] activating IKE_CERT_POST task
Oct 2 22:07:59 daniel charon: 01[IKE] activating IKE_CONFIG task
Oct 2 22:07:59 daniel charon: 01[IKE] activating CHILD_CREATE task
Oct 2 22:07:59 daniel charon: 01[IKE] activating IKE_AUTH_LIFETIME task
Oct 2 22:07:59 daniel charon: 01[IKE] activating IKE_MOBIKE task
Oct 2 22:07:59 daniel charon: 01[IKE] initiating IKE_SA james[3] to 89.246.221.197
Oct 2 22:07:59 daniel charon: 01[IKE] initiating IKE_SA james[3] to 89.246.221.197
Oct 2 22:07:59 daniel charon: 01[IKE] IKE_SA james[3] state change: CREATED => CONNECTING
Oct 2 22:07:59 daniel charon: 01[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct 2 22:07:59 daniel charon: 01[NET] sending packet: from 31.18.87.101[4500] to 89.246.221.197[4500]
Oct 2 22:07:59 daniel charon: 01[IKE] IKE_SA james[1] state change: ESTABLISHED => DESTROYING
Oct 2 22:08:03 daniel charon: 05[IKE] retransmit 1 of request with message ID 0
Oct 2 22:08:03 daniel charon: 05[NET] sending packet: from 31.18.87.101[4500] to 89.246.221.197[4500]
Oct 2 22:08:10 daniel charon: 03[IKE] retransmit 2 of request with message ID 0
Oct 2 22:08:10 daniel charon: 03[NET] sending packet: from 31.18.87.101[4500] to 89.246.221.197[4500]
Oct 2 22:08:23 daniel charon: 04[IKE] retransmit 3 of request with message ID 0
Oct 2 22:08:23 daniel charon: 04[NET] sending packet: from 31.18.87.101[4500] to 89.246.221.197[4500]
Oct 2 22:08:47 daniel charon: 04[IKE] retransmit 4 of request with message ID 0
Oct 2 22:08:47 daniel charon: 04[NET] sending packet: from 31.18.87.101[4500] to 89.246.221.197[4500]
Oct 2 22:09:29 daniel charon: 05[IKE] retransmit 5 of request with message ID 0
Oct 2 22:09:29 daniel charon: 05[NET] sending packet: from 31.18.87.101[4500] to 89.246.221.197[4500]
Oct 2 22:10:44 daniel charon: 03[IKE] giving up after 5 retransmits
Oct 2 22:10:44 daniel charon: 03[IKE] peer not responding, trying again (2/0)
Oct 2 22:10:44 daniel charon: 03[IKE] IKE_SA james[3] state change: CONNECTING => CREATED
Oct 2 22:10:44 daniel charon: 03[IKE] queueing IKE_ME task
Oct 2 22:10:44 daniel charon: 03[IKE] activating new tasks
Oct 2 22:10:44 daniel charon: 03[IKE] activating IKE_VENDOR task
Oct 2 22:10:44 daniel charon: 03[IKE] activating IKE_INIT task
Oct 2 22:10:44 daniel charon: 03[IKE] activating IKE_NATD task
Oct 2 22:10:44 daniel charon: 03[IKE] activating IKE_CERT_PRE task
Oct 2 22:10:44 daniel charon: 03[IKE] activating IKE_ME task
Oct 2 22:10:44 daniel charon: 03[IKE] activating IKE_AUTH task
Oct 2 22:10:44 daniel charon: 03[IKE] activating IKE_CERT_POST task
Oct 2 22:10:44 daniel charon: 03[IKE] activating IKE_CONFIG task
Oct 2 22:10:44 daniel charon: 03[IKE] activating CHILD_CREATE task
Oct 2 22:10:44 daniel charon: 03[IKE] activating IKE_AUTH_LIFETIME task
Oct 2 22:10:44 daniel charon: 03[IKE] activating IKE_MOBIKE task
Oct 2 22:10:44 daniel charon: 03[IKE] initiating IKE_SA james[3] to 89.246.210.233
Oct 2 22:10:44 daniel charon: 03[IKE] initiating IKE_SA james[3] to 89.246.210.233
Oct 2 22:10:44 daniel charon: 03[IKE] IKE_SA james[3] state change: CREATED => CONNECTING
Oct 2 22:10:44 daniel charon: 03[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct 2 22:10:44 daniel charon: 03[NET] sending packet: from 31.18.87.101[500] to 89.246.210.233[500]
Oct 2 22:10:46 daniel charon: 04[NET] received packet: from 89.246.210.233[500] to 31.18.87.101[500]
Oct 2 22:10:46 daniel charon: 04[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct 2 22:10:46 daniel charon: 04[IKE] 89.246.210.233 is initiating an IKE_SA
Oct 2 22:10:46 daniel charon: 04[IKE] 89.246.210.233 is initiating an IKE_SA
Oct 2 22:10:46 daniel charon: 04[IKE] IKE_SA (unnamed)[4] state change: CREATED => CONNECTING
Oct 2 22:10:46 daniel charon: 04[IKE] sending cert request for "C=DE, CN=daniel.dyndns.org"
Oct 2 22:10:46 daniel charon: 04[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Oct 2 22:10:46 daniel charon: 04[NET] sending packet: from 31.18.87.101[500] to 89.246.210.233[500]
Oct 2 22:10:48 daniel charon: 05[IKE] retransmit 1 of request with message ID 0
Oct 2 22:10:48 daniel charon: 05[NET] sending packet: from 31.18.87.101[500] to 89.246.210.233[500]
Oct 2 22:10:50 daniel charon: 02[NET] received packet: from 89.246.210.233[500] to 31.18.87.101[500]
Oct 2 22:10:50 daniel charon: 02[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Oct 2 22:10:50 daniel charon: 02[IKE] received cert request for "C=DE, CN=daniel.dyndns.org"
Oct 2 22:10:50 daniel charon: 02[IKE] reinitiating already active tasks
Oct 2 22:10:50 daniel charon: 02[IKE] IKE_CERT_PRE task
Oct 2 22:10:50 daniel charon: 02[IKE] IKE_AUTH task
Oct 2 22:10:50 daniel charon: 02[IKE] sending cert request for "C=DE, CN=daniel.dyndns.org"
Oct 2 22:10:50 daniel charon: 02[IKE] authentication of 'C=DE, CN=daniel.dyndns.org' (myself) with RSA signature successful
Oct 2 22:10:50 daniel charon: 02[IKE] establishing CHILD_SA james
Oct 2 22:10:50 daniel charon: 02[IKE] establishing CHILD_SA james
Oct 2 22:10:50 daniel charon: 02[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Oct 2 22:10:50 daniel charon: 02[NET] sending packet: from 31.18.87.101[4500] to 89.246.210.233[4500]
Oct 2 22:10:50 daniel charon: 01[NET] received packet: from 89.246.210.233[4500] to 31.18.87.101[4500]
Oct 2 22:10:50 daniel charon: 01[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Oct 2 22:10:50 daniel charon: 01[IKE] received cert request for "C=DE, CN=daniel.dyndns.org"
Oct 2 22:10:50 daniel charon: 01[CFG] looking for peer configs matching 31.18.87.101[C=DE, CN=daniel.dyndns.org]...89.246.210.233[james.dyndns.org]
Oct 2 22:10:50 daniel charon: 01[CFG] selected peer config 'james'
Oct 2 22:10:50 daniel charon: 01[CFG] using trusted certificate "C=DE, CN=james"
Oct 2 22:10:50 daniel charon: 01[IKE] authentication of 'james.dyndns.org' with RSA signature successful
Oct 2 22:10:50 daniel charon: 01[IKE] peer supports MOBIKE
Oct 2 22:10:50 daniel charon: 01[IKE] got additional MOBIKE peer address: 172.16.16.250
Oct 2 22:10:50 daniel charon: 01[IKE] authentication of 'C=DE, CN=daniel.dyndns.org' (myself) with RSA signature successful
Oct 2 22:10:50 daniel charon: 01[IKE] IKE_SA james[4] established between 31.18.87.101[C=DE, CN=daniel.dyndns.org]...89.246.210.233[james.dyndns.org]
Oct 2 22:10:50 daniel charon: 01[IKE] IKE_SA james[4] established between 31.18.87.101[C=DE, CN=daniel.dyndns.org]...89.246.210.233[james.dyndns.org]
Oct 2 22:10:50 daniel charon: 01[IKE] IKE_SA james[4] state change: CONNECTING => ESTABLISHED
Oct 2 22:10:50 daniel charon: 01[IKE] scheduling reauthentication in 10164s
Oct 2 22:10:50 daniel charon: 01[IKE] maximum IKE_SA lifetime 10704s
Oct 2 22:10:50 daniel charon: 01[IKE] activating new tasks
Oct 2 22:10:50 daniel charon: 01[IKE] nothing to initiate
Oct 2 22:10:50 daniel charon: 01[IKE] CHILD_SA james{4} established with SPIs c25d54e9_i c5dcc107_o and TS 192.168.2.0/24 === 172.16.16.0/24
Oct 2 22:10:50 daniel charon: 01[IKE] CHILD_SA james{4} established with SPIs c25d54e9_i c5dcc107_o and TS 192.168.2.0/24 === 172.16.16.0/24
Oct 2 22:10:50 daniel charon: 01[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Oct 2 22:10:50 daniel charon: 01[NET] sending packet: from 31.18.87.101[4500] to 89.246.210.233[4500]
Oct 2 22:10:51 daniel charon: 03[NET] received packet: from 89.246.210.233[4500] to 31.18.87.101[4500]
Oct 2 22:10:51 daniel charon: 03[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Oct 2 22:10:51 daniel charon: 03[CFG] using trusted certificate "C=DE, CN=james"
Oct 2 22:10:51 daniel charon: 03[IKE] authentication of 'james.dyndns.org' with RSA signature successful
Oct 2 22:10:51 daniel charon: 03[IKE] IKE_SA james[3] established between 31.18.87.101[C=DE, CN=daniel.dyndns.org]...89.246.210.233[james.dyndns.org]
Oct 2 22:10:51 daniel charon: 03[IKE] IKE_SA james[3] established between 31.18.87.101[C=DE, CN=daniel.dyndns.org]...89.246.210.233[james.dyndns.org]
Oct 2 22:10:51 daniel charon: 03[IKE] IKE_SA james[3] state change: CONNECTING => ESTABLISHED
Oct 2 22:10:51 daniel charon: 03[IKE] scheduling reauthentication in 9742s
Oct 2 22:10:51 daniel charon: 03[IKE] maximum IKE_SA lifetime 10282s
Oct 2 22:10:51 daniel charon: 03[IKE] delaying task initiation, IKE_AUTH exchange in progress
Oct 2 22:10:51 daniel charon: 03[IKE] CHILD_SA james{3} established with SPIs cb39e522_i c20b0973_o and TS 192.168.2.0/24 === 172.16.16.0/24
Oct 2 22:10:51 daniel charon: 03[IKE] CHILD_SA james{3} established with SPIs cb39e522_i c20b0973_o and TS 192.168.2.0/24 === 172.16.16.0/24
Oct 2 22:10:51 daniel charon: 03[IKE] received AUTH_LIFETIME of 10086s, scheduling reauthentication in 9546s
Oct 2 22:10:51 daniel charon: 03[IKE] peer supports MOBIKE
Oct 2 22:10:51 daniel charon: 03[IKE] got additional MOBIKE peer address: 172.16.16.250
Oct 2 22:10:51 daniel charon: 03[IKE] activating new tasks
Oct 2 22:10:51 daniel charon: 03[IKE] nothing to initiate
Oct 2 22:11:20 daniel charon: 04[IKE] sending DPD request
Oct 2 22:11:20 daniel charon: 04[IKE] queueing IKE_DPD task
Oct 2 22:11:20 daniel charon: 04[IKE] activating new tasks
Oct 2 22:11:20 daniel charon: 04[IKE] activating IKE_DPD task
Oct 2 22:11:20 daniel charon: 04[ENC] generating INFORMATIONAL request 0 [ ]
Oct 2 22:11:20 daniel charon: 04[NET] sending packet: from 31.18.87.101[4500] to 89.246.210.233[4500]
Oct 2 22:11:21 daniel charon: 05[NET] received packet: from 89.246.210.233[4500] to 31.18.87.101[4500]
Oct 2 22:11:21 daniel charon: 05[ENC] parsed INFORMATIONAL response 0 [ ]
Oct 2 22:11:21 daniel charon: 05[IKE] activating new tasks
Oct 2 22:11:21 daniel charon: 05[IKE] nothing to initiate
Oct 2 22:11:21 daniel charon: 01[IKE] activating new tasks
Oct 2 22:11:21 daniel charon: 01[IKE] nothing to initiate
Oct 2 22:11:50 daniel charon: 05[IKE] activating new tasks
Oct 2 22:11:50 daniel charon: 05[IKE] nothing to initiate
Oct 2 22:11:51 daniel charon: 01[NET] received packet: from 89.246.210.233[4500] to 31.18.87.101[4500]
Oct 2 22:11:51 daniel charon: 01[ENC] parsed INFORMATIONAL request 2 [ ]
Oct 2 22:11:51 daniel charon: 01[ENC] generating INFORMATIONAL response 2 [ ]
Oct 2 22:11:51 daniel charon: 01[NET] sending packet: from 31.18.87.101[4500] to 89.246.210.233[4500]
Oct 2 22:11:51 daniel charon: 03[IKE] activating new tasks
Oct 2 22:11:51 daniel charon: 03[IKE] nothing to initiate
Oct 2 22:11:51 daniel charon: 02[IKE] activating new tasks
Oct 2 22:11:51 daniel charon: 02[IKE] nothing to initiate
-------------- next part --------------
# ipsec.conf - strongSwan IPsec configuration file

config setup
    charondebug="ike 2"

conn %default
    keyingtries=%forever

conn james
    leftcert=danielCert.pem
    leftsendcert=never
    leftsubnet=192.168.2.0/24
    leftfirewall=yes
    lefthostaccess=yes
    right=%james.dyndns.org
    rightcert=jamesCert.pem
    rightid=@james.dyndns.org
    rightsubnet=172.16.16.0/24
    auto=start
    dpdaction=restart
-------------- next part --------------
# strongswan.conf - strongSwan configuration file

charon {
    # number of worker threads in charon
    threads = 16

    # retry DNS lookups every N seconds (0 means off)
    retry_initiate_interval = 30

    # send strongswan vendor ID?
    # send_vendor_id = yes

    plugins {
        sql {
            # loglevel to log into sql database
            loglevel = -1

            # URI to the database
            # database = sqlite:///path/to/file.db
            # database = mysql://user:password@localhost/database
        }
    }

    # ...
}

pluto {
}

libstrongswan {
    # set to no, the DH exponent size is optimized
    # dh_exponent_ansi_x9_42 = no
}
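
Added example, not part of the original post and not strongSwan code: a small Python check that reads charon log lines in the format shown above and reports identity pairs that hold more than one IKE_SA in the ESTABLISHED state, as james[3] and james[4] do in this log. The james[2] lines in the sample are constructed to show a deleted SA being ignored; all function and variable names are hypothetical.

```python
import re
from collections import defaultdict

# "IKE_SA <conn>[<n>] established between <host>[<id>]...<host>[<id>]"
ESTABLISHED = re.compile(
    r"IKE_SA (?P<conn>\S+)\[(?P<id>\d+)\] established between "
    r"[^\[]+\[(?P<lid>.+?)\]\.\.\.[^\[]+\[(?P<rid>.+?)\]$")
# "IKE_SA <conn>[<n>] state change: OLD => NEW"
STATE = re.compile(
    r"IKE_SA (?P<conn>\S+)\[(?P<id>\d+)\] state change: \w+ => (?P<new>\w+)")

# james[3] and james[4] lines are taken from the log above; james[2] lines are constructed.
SAMPLE_LOG = """\
Oct 2 22:05:00 daniel charon: 02[IKE] IKE_SA james[2] established between 31.18.87.101[C=DE, CN=daniel.dyndns.org]...89.246.221.197[james.dyndns.org]
Oct 2 22:05:00 daniel charon: 02[IKE] IKE_SA james[2] state change: CONNECTING => ESTABLISHED
Oct 2 22:10:40 daniel charon: 02[IKE] IKE_SA james[2] state change: ESTABLISHED => DELETING
Oct 2 22:10:50 daniel charon: 01[IKE] IKE_SA james[4] established between 31.18.87.101[C=DE, CN=daniel.dyndns.org]...89.246.210.233[james.dyndns.org]
Oct 2 22:10:50 daniel charon: 01[IKE] IKE_SA james[4] established between 31.18.87.101[C=DE, CN=daniel.dyndns.org]...89.246.210.233[james.dyndns.org]
Oct 2 22:10:50 daniel charon: 01[IKE] IKE_SA james[4] state change: CONNECTING => ESTABLISHED
Oct 2 22:10:51 daniel charon: 03[IKE] IKE_SA james[3] established between 31.18.87.101[C=DE, CN=daniel.dyndns.org]...89.246.210.233[james.dyndns.org]
Oct 2 22:10:51 daniel charon: 03[IKE] IKE_SA james[3] state change: CONNECTING => ESTABLISHED
"""

def find_duplicate_ike_sas(log_text):
    """Return {(local_id, remote_id): [sa numbers]} for identity pairs
    that have more than one IKE_SA currently in state ESTABLISHED."""
    peers = {}    # (conn, n) -> (local identity, remote identity)
    live = set()  # (conn, n) of SAs whose last logged state is ESTABLISHED
    for line in log_text.splitlines():
        m = ESTABLISHED.search(line.strip())
        if m:
            # Key on identities, not addresses: the peer address changes on reconnect.
            peers[(m["conn"], int(m["id"]))] = (m["lid"], m["rid"])
            continue
        m = STATE.search(line)
        if m:
            key = (m["conn"], int(m["id"]))
            if m["new"] == "ESTABLISHED":
                live.add(key)
            else:
                live.discard(key)  # DELETING, REKEYING, ... no longer counted
    by_pair = defaultdict(list)
    for key in sorted(live):
        if key in peers:
            by_pair[peers[key]].append(key[1])
    return {pair: ids for pair, ids in by_pair.items() if len(ids) > 1}

if __name__ == "__main__":
    for (local_id, remote_id), ids in find_duplicate_ike_sas(SAMPLE_LOG).items():
        print(f"{local_id} <-> {remote_id}: concurrent IKE_SAs {ids}")
```

The check needs at least the "ike 2" log level used in this post, since the state-change lines do not appear at the default level.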