[strongSwan] strongSwan 5.0.0 on OpenWrt: duplicate IKE SA and failed MOBIKE

Mirko Parthey mirko.parthey at informatik.tu-chemnitz.de
Wed Oct 3 01:04:20 CEST 2012


Hello all,

I tried to use strongSwan 5.0.0 between an OpenWrt and a Debian gateway:
* Debian: wheezy/sid
  Linux daniel 3.2.0-3-amd64 #1 SMP Mon Jul 23 02:45:17 UTC 2012 x86_64 GNU/Linux
* OpenWrt: Attitude Adjustment (12.09-beta), bcm47xx
  Linux james 3.3.8 #3 Mon Sep 3 16:16:20 UTC 2012 mips GNU/Linux

When the PPP link on OpenWrt was shut down and brought up again with a
new IP address, I noticed the following issues:

* Charon on OpenWrt was unable to perform the MOBIKE address update;
  eventually the IKE SA was destroyed and reestablished.

* Both peers initiated an IKE SA and CHILD SAs based on these.
  Why wasn't one of them deleted as a duplicate?
  This issue showed up in about 50% of my experiments.

Since the same setup was working fine between two Debian gateways,
I suspect OpenWrt or my configuration of it might be a part of the problem.

I would appreciate any help finding the cause.

Thanks,
Mirko
-------------- next part --------------
root@james:/tmp# ipsec start
root@james:/tmp# killall -HUP pppd
root@james:/tmp# ipsec statusall >> statusall
root@james:/tmp# ipsec statusall >> statusall
root@james:/tmp# ipsec statusall >> statusall

------------------------------------------------------------------------

root@daniel:/tmp# ipsec start
root@daniel:/tmp# ipsec statusall >> statusall
root@daniel:/tmp# ipsec statusall >> statusall
root@daniel:/tmp# ipsec statusall >> statusall

------------------------------------------------------------------------
root@james:~# ip monitor addr
Deleted 21: if21    inet 89.246.221.197 peer 62.214.64.210/32 scope global pppoe-wan
[...]
22: if22    inet 89.246.210.233 peer 62.214.64.210/32 scope global pppoe-wan

------------------------------------------------------------------------

root@james:~# tcpdump -i pppoe-wan -n udp port 500 or 4500
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pppoe-wan, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
22:10:44.858618 IP 31.18.87.101.500 > 89.246.210.233.500: isakmp: parent_sa ikev2_init[I]
22:10:46.285666 IP 89.246.210.233.500 > 31.18.87.101.500: isakmp: parent_sa ikev2_init[I]
22:10:46.354246 IP 31.18.87.101.500 > 89.246.210.233.500: isakmp: parent_sa ikev2_init[R]
22:10:48.859944 IP 31.18.87.101.500 > 89.246.210.233.500: isakmp: parent_sa ikev2_init[I]
22:10:50.260335 IP 89.246.210.233.500 > 31.18.87.101.500: isakmp: parent_sa ikev2_init[R]
22:10:50.313288 IP 31.18.87.101.4500 > 89.246.210.233.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
22:10:50.661718 IP 89.246.210.233.4500 > 31.18.87.101.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
22:10:51.009554 IP 31.18.87.101.4500 > 89.246.210.233.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[R]
22:10:51.246922 IP 89.246.210.233.4500 > 31.18.87.101.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[R]
^C
9 packets captured
9 packets received by filter
0 packets dropped by kernel
------------------------------------------------------------------------
-------------- next part --------------
Status of IKE charon daemon (strongSwan 5.0.0, Linux 3.3.8, mips):
  uptime: 3 minutes, since Oct 02 22:03:06 2012
  malloc: sbrk 135168, mmap 0, used 106208, free 28960
  worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 7
  loaded plugins: charon aes sha1 random nonce x509 pubkey pkcs1 pem gcrypt gmp xcbc hmac kernel-netlink socket-default stroke updown
Listening IP addresses:
  172.16.16.250
  89.246.210.233
Connections:
      daniel:  %any...%daniel.dyndns.org  IKEv1/2, dpddelay=30s
      daniel:   local:  [james.dyndns.org] uses public key authentication
      daniel:    cert:  "C=DE, CN=james"
      daniel:   remote: [C=DE, CN=daniel.dyndns.org] uses public key authentication
      daniel:    cert:  "C=DE, CN=daniel.dyndns.org"
      daniel:   child:  172.16.16.0/24 === 192.168.2.0/24 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
      daniel[2]: ESTABLISHED 3 minutes ago, 89.246.221.197[james.dyndns.org]...31.18.87.101[C=DE, CN=daniel.dyndns.org]
      daniel[2]: IKEv2 SPIs: 659745c7cfb41501_i 7392ca9871227e21_r*, public key reauthentication in 2 hours
      daniel[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
      daniel[2]: Tasks queued: IKE_MOBIKE 
      daniel[2]: Tasks active: IKE_DPD 
      daniel{2}:  INSTALLED, TUNNEL, ESP SPIs: ccc77167_i cdf735e9_o
      daniel{2}:  AES_CBC_128/HMAC_SHA1_96, 339604 bytes_i (114s ago), 36260 bytes_o (115s ago), rekeying in 40 minutes
      daniel{2}:   172.16.16.0/24 === 192.168.2.0/24 

------------------------------------------------------------------------------------------------------------------------------------------------------

Status of IKE charon daemon (strongSwan 5.0.0, Linux 3.3.8, mips):
  uptime: 5 minutes, since Oct 02 22:03:05 2012
  malloc: sbrk 135168, mmap 0, used 98168, free 37000
  worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 6
  loaded plugins: charon aes sha1 random nonce x509 pubkey pkcs1 pem gcrypt gmp xcbc hmac kernel-netlink socket-default stroke updown
Listening IP addresses:
  172.16.16.250
  89.246.210.233
Connections:
      daniel:  %any...%daniel.dyndns.org  IKEv1/2, dpddelay=30s
      daniel:   local:  [james.dyndns.org] uses public key authentication
      daniel:    cert:  "C=DE, CN=james"
      daniel:   remote: [C=DE, CN=daniel.dyndns.org] uses public key authentication
      daniel:    cert:  "C=DE, CN=daniel.dyndns.org"
      daniel:   child:  172.16.16.0/24 === 192.168.2.0/24 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
      daniel[3]: CONNECTING, 89.246.221.197[%any]...31.18.87.101[%any]
      daniel[3]: IKEv2 SPIs: a624cd4c766d6d24_i* 0000000000000000_r
      daniel[3]: Tasks active: IKE_VENDOR IKE_INIT IKE_NATD IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE 

------------------------------------------------------------------------------------------------------------------------------------------------------

Status of IKE charon daemon (strongSwan 5.0.0, Linux 3.3.8, mips):
  uptime: 8 minutes, since Oct 02 22:03:05 2012
  malloc: sbrk 143360, mmap 0, used 118856, free 24504
  worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 12
  loaded plugins: charon aes sha1 random nonce x509 pubkey pkcs1 pem gcrypt gmp xcbc hmac kernel-netlink socket-default stroke updown
Listening IP addresses:
  172.16.16.250
  89.246.210.233
Connections:
      daniel:  %any...%daniel.dyndns.org  IKEv1/2, dpddelay=30s
      daniel:   local:  [james.dyndns.org] uses public key authentication
      daniel:    cert:  "C=DE, CN=james"
      daniel:   remote: [C=DE, CN=daniel.dyndns.org] uses public key authentication
      daniel:    cert:  "C=DE, CN=daniel.dyndns.org"
      daniel:   child:  172.16.16.0/24 === 192.168.2.0/24 TUNNEL, dpdaction=restart
Security Associations (2 up, 0 connecting):
      daniel[4]: ESTABLISHED 37 seconds ago, 89.246.210.233[james.dyndns.org]...31.18.87.101[C=DE, CN=daniel.dyndns.org]
      daniel[4]: IKEv2 SPIs: bae31fa7f9faebe9_i 398f00e2dafe114c_r*, public key reauthentication in 2 hours
      daniel[4]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
      daniel{4}:  INSTALLED, TUNNEL, ESP SPIs: c20b0973_i cb39e522_o
      daniel{4}:  AES_CBC_128/HMAC_SHA1_96, 95172 bytes_i (0s ago), 13636 bytes_o (0s ago), rekeying in 41 minutes
      daniel{4}:   172.16.16.0/24 === 192.168.2.0/24 
      daniel[3]: ESTABLISHED 37 seconds ago, 89.246.210.233[james.dyndns.org]...31.18.87.101[C=DE, CN=daniel.dyndns.org]
      daniel[3]: IKEv2 SPIs: a624cd4c766d6d24_i* 83b216b0e29421cd_r, public key reauthentication in 2 hours
      daniel[3]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
      daniel{3}:  INSTALLED, TUNNEL, ESP SPIs: c5dcc107_i c25d54e9_o
      daniel{3}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 41 minutes
      daniel{3}:   172.16.16.0/24 === 192.168.2.0/24 

------------------------------------------------------------------------------------------------------------------------------------------------------

-------------- next part --------------
Oct  2 22:03:05 00[DMN] Starting IKE charon daemon (strongSwan 5.0.0, Linux 3.3.8, mips)
Oct  2 22:03:05 00[LIB] plugin 'test-vectors' failed to load: File not found
Oct  2 22:03:05 00[LIB] plugin 'curl' failed to load: File not found
Oct  2 22:03:05 00[LIB] plugin 'ldap' failed to load: File not found
Oct  2 22:03:05 00[LIB] plugin 'mysql' failed to load: File not found
Oct  2 22:03:05 00[LIB] plugin 'sqlite' failed to load: File not found
Oct  2 22:03:05 00[LIB] plugin 'pkcs11' failed to load: File not found
Oct  2 22:03:05 00[LIB] plugin 'des' failed to load: File not found
Oct  2 22:03:05 00[LIB] plugin 'blowfish' failed to load: File not found
Oct  2 22:03:05 00[LIB] plugin 'sha2' failed to load: File not found
Oct  2 22:03:05 00[LIB] plugin 'md4' failed to load: File not found
Oct  2 22:03:05 00[LIB] plugin 'md5' failed to load: File not found
Oct  2 22:03:05 00[LIB] plugin 'revocation' failed to load: File not found
Oct  2 22:03:05 00[LIB] plugin 'constraints' failed to load: File not found
Oct  2 22:03:05 00[LIB] plugin 'pkcs8' failed to load: File not found
Oct  2 22:03:05 00[LIB] plugin 'pgp' failed to load: File not found
Oct  2 22:03:05 00[LIB] plugin 'dnskey' failed to load: File not found
Oct  2 22:03:05 00[LIB] plugin 'openssl' failed to load: File not found
Oct  2 22:03:05 00[LIB] plugin 'af-alg' failed to load: File not found
Oct  2 22:03:05 00[LIB] plugin 'fips-prf' failed to load: File not found
Oct  2 22:03:05 00[LIB] plugin 'agent' failed to load: File not found
Oct  2 22:03:05 00[LIB] plugin 'cmac' failed to load: File not found
Oct  2 22:03:05 00[LIB] plugin 'ctr' failed to load: File not found
Oct  2 22:03:05 00[LIB] plugin 'ccm' failed to load: File not found
Oct  2 22:03:05 00[LIB] plugin 'gcm' failed to load: File not found
Oct  2 22:03:05 00[LIB] plugin 'attr' failed to load: File not found
Oct  2 22:03:05 00[LIB] plugin 'attr-sql' failed to load: File not found
Oct  2 22:03:05 00[LIB] plugin 'load-tester' failed to load: File not found
Oct  2 22:03:05 00[LIB] plugin 'kernel-pfkey' failed to load: File not found
Oct  2 22:03:05 00[LIB] plugin 'kernel-klips' failed to load: File not found
Oct  2 22:03:05 00[KNL] listening on interfaces:
Oct  2 22:03:05 00[KNL]   eth0
Oct  2 22:03:05 00[KNL]   eth1
Oct  2 22:03:05 00[KNL]     fe80::224:8cff:fe54:eeca
Oct  2 22:03:05 00[KNL]   ifb0
Oct  2 22:03:05 00[KNL]     fe80::38a7:ceff:feb8:f4d6
Oct  2 22:03:05 00[KNL]   br-lan
Oct  2 22:03:05 00[KNL]     172.16.16.250
Oct  2 22:03:05 00[KNL]     fe80::224:8cff:fe54:eeca
Oct  2 22:03:05 00[KNL]   wlan0
Oct  2 22:03:05 00[KNL]   pppoe-wan
Oct  2 22:03:05 00[KNL]     89.246.221.197
Oct  2 22:03:05 00[LIB] plugin 'resolve' failed to load: File not found
Oct  2 22:03:05 00[LIB] plugin 'socket-raw' failed to load: File not found
Oct  2 22:03:05 00[LIB] plugin 'socket-dynamic' failed to load: File not found
Oct  2 22:03:05 00[LIB] plugin 'farp' failed to load: File not found
Oct  2 22:03:05 00[LIB] plugin 'smp' failed to load: File not found
Oct  2 22:03:05 00[LIB] plugin 'sql' failed to load: File not found
Oct  2 22:03:05 00[LIB] plugin 'eap-identity' failed to load: File not found
Oct  2 22:03:05 00[LIB] plugin 'eap-md5' failed to load: File not found
Oct  2 22:03:05 00[LIB] plugin 'eap-mschapv2' failed to load: File not found
Oct  2 22:03:05 00[LIB] plugin 'xauth-generic' failed to load: File not found
Oct  2 22:03:05 00[LIB] plugin 'xauth-eap' failed to load: File not found
Oct  2 22:03:05 00[LIB] plugin 'dhcp' failed to load: File not found
Oct  2 22:03:05 00[LIB] plugin 'ha' failed to load: File not found
Oct  2 22:03:05 00[LIB] plugin 'whitelist' failed to load: File not found
Oct  2 22:03:05 00[LIB] plugin 'led' failed to load: File not found
Oct  2 22:03:05 00[LIB] plugin 'duplicheck' failed to load: File not found
Oct  2 22:03:05 00[LIB] plugin 'coupling' failed to load: File not found
Oct  2 22:03:05 00[LIB] plugin 'uci' failed to load: File not found
Oct  2 22:03:05 00[LIB] plugin 'addrblock' failed to load: File not found
Oct  2 22:03:05 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Oct  2 22:03:05 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Oct  2 22:03:05 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Oct  2 22:03:05 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Oct  2 22:03:05 00[CFG] loading crls from '/etc/ipsec.d/crls'
Oct  2 22:03:05 00[CFG] loading secrets from '/etc/ipsec.secrets'
Oct  2 22:03:05 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/jamesKey.pem'
Oct  2 22:03:05 00[DMN] loaded plugins: charon aes sha1 random nonce x509 pubkey pkcs1 pem gcrypt gmp xcbc hmac kernel-netlink socket-default stroke updown
Oct  2 22:03:05 00[JOB] spawning 16 worker threads
Oct  2 22:03:05 02[CFG] received stroke: add connection 'daniel'
Oct  2 22:03:06 02[CFG] left nor right host is our side, assuming left=local
Oct  2 22:03:06 02[CFG]   loaded certificate "C=DE, CN=james" from 'jamesCert.pem'
Oct  2 22:03:06 02[CFG]   loaded certificate "C=DE, CN=daniel.dyndns.org" from 'danielCert.pem'
Oct  2 22:03:06 02[CFG]   id 'daniel.dyndns.org' not confirmed by certificate, defaulting to 'C=DE, CN=daniel.dyndns.org'
Oct  2 22:03:06 02[CFG] added configuration 'daniel'
Oct  2 22:03:06 10[CFG] received stroke: initiate 'daniel'
Oct  2 22:03:06 10[IKE] queueing IKE_VENDOR task
Oct  2 22:03:06 10[IKE] queueing IKE_INIT task
Oct  2 22:03:06 10[IKE] queueing IKE_NATD task
Oct  2 22:03:06 10[IKE] queueing IKE_CERT_PRE task
Oct  2 22:03:06 10[IKE] queueing IKE_AUTH task
Oct  2 22:03:06 10[IKE] queueing IKE_CERT_POST task
Oct  2 22:03:06 10[IKE] queueing IKE_CONFIG task
Oct  2 22:03:06 10[IKE] queueing IKE_AUTH_LIFETIME task
Oct  2 22:03:06 10[IKE] queueing IKE_MOBIKE task
Oct  2 22:03:06 10[IKE] queueing CHILD_CREATE task
Oct  2 22:03:06 10[IKE] activating new tasks
Oct  2 22:03:06 10[IKE]   activating IKE_VENDOR task
Oct  2 22:03:06 10[IKE]   activating IKE_INIT task
Oct  2 22:03:06 10[IKE]   activating IKE_NATD task
Oct  2 22:03:06 10[IKE]   activating IKE_CERT_PRE task
Oct  2 22:03:06 10[IKE]   activating IKE_AUTH task
Oct  2 22:03:06 10[IKE]   activating IKE_CERT_POST task
Oct  2 22:03:06 10[IKE]   activating IKE_CONFIG task
Oct  2 22:03:06 10[IKE]   activating CHILD_CREATE task
Oct  2 22:03:06 10[IKE]   activating IKE_AUTH_LIFETIME task
Oct  2 22:03:06 10[IKE]   activating IKE_MOBIKE task
Oct  2 22:03:06 10[IKE] initiating IKE_SA daniel[1] to 31.18.87.101
Oct  2 22:03:06 10[IKE] IKE_SA daniel[1] state change: CREATED => CONNECTING
Oct  2 22:03:07 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct  2 22:03:07 10[NET] sending packet: from 89.246.221.197[500] to 31.18.87.101[500]
Oct  2 22:03:07 12[NET] received packet: from 31.18.87.101[500] to 89.246.221.197[500]
Oct  2 22:03:07 12[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Oct  2 22:03:09 12[IKE] received cert request for "C=DE, CN=daniel.dyndns.org"
Oct  2 22:03:09 12[IKE] reinitiating already active tasks
Oct  2 22:03:09 12[IKE]   IKE_CERT_PRE task
Oct  2 22:03:09 12[IKE]   IKE_AUTH task
Oct  2 22:03:09 12[IKE] sending cert request for "C=DE, CN=daniel.dyndns.org"
Oct  2 22:03:10 12[IKE] authentication of 'james.dyndns.org' (myself) with RSA signature successful
Oct  2 22:03:10 12[IKE] establishing CHILD_SA daniel
Oct  2 22:03:10 12[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Oct  2 22:03:10 12[NET] sending packet: from 89.246.221.197[4500] to 31.18.87.101[4500]
Oct  2 22:03:10 14[NET] received packet: from 31.18.87.101[4500] to 89.246.221.197[4500]
Oct  2 22:03:10 14[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Oct  2 22:03:10 14[CFG]   using trusted certificate "C=DE, CN=daniel.dyndns.org"
Oct  2 22:03:10 14[IKE] authentication of 'C=DE, CN=daniel.dyndns.org' with RSA signature successful
Oct  2 22:03:10 14[IKE] IKE_SA daniel[1] established between 89.246.221.197[james.dyndns.org]...31.18.87.101[C=DE, CN=daniel.dyndns.org]
Oct  2 22:03:10 14[IKE] IKE_SA daniel[1] state change: CONNECTING => ESTABLISHED
Oct  2 22:03:10 14[IKE] scheduling reauthentication in 10164s
Oct  2 22:03:10 14[IKE] maximum IKE_SA lifetime 10704s
Oct  2 22:03:10 14[IKE] delaying task initiation, IKE_AUTH exchange in progress
Oct  2 22:03:10 14[IKE] CHILD_SA daniel{1} established with SPIs cc9bf8e0_i ce306dd9_o and TS 172.16.16.0/24 === 192.168.2.0/24 
Oct  2 22:03:10 14[IKE] received AUTH_LIFETIME of 10028s, scheduling reauthentication in 9488s
Oct  2 22:03:10 14[IKE] peer supports MOBIKE
Oct  2 22:03:10 14[IKE] got additional MOBIKE peer address: 192.168.2.3
Oct  2 22:03:10 14[IKE] activating new tasks
Oct  2 22:03:10 14[IKE] nothing to initiate
Oct  2 22:03:12 16[NET] received packet: from 31.18.87.101[500] to 89.246.221.197[500]
Oct  2 22:03:12 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct  2 22:03:12 16[IKE] 31.18.87.101 is initiating an IKE_SA
Oct  2 22:03:12 16[IKE] IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
Oct  2 22:03:15 16[IKE] sending cert request for "C=DE, CN=daniel.dyndns.org"
Oct  2 22:03:15 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Oct  2 22:03:15 16[NET] sending packet: from 89.246.221.197[500] to 31.18.87.101[500]
Oct  2 22:03:15 13[NET] received packet: from 31.18.87.101[4500] to 89.246.221.197[4500]
Oct  2 22:03:15 13[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Oct  2 22:03:15 13[IKE] received cert request for "C=DE, CN=daniel.dyndns.org"
Oct  2 22:03:15 13[CFG] looking for peer configs matching 89.246.221.197[james.dyndns.org]...31.18.87.101[C=DE, CN=daniel.dyndns.org]
Oct  2 22:03:15 13[CFG] selected peer config 'daniel'
Oct  2 22:03:15 13[CFG]   using trusted certificate "C=DE, CN=daniel.dyndns.org"
Oct  2 22:03:15 13[IKE] authentication of 'C=DE, CN=daniel.dyndns.org' with RSA signature successful
Oct  2 22:03:15 13[IKE] peer supports MOBIKE
Oct  2 22:03:15 13[IKE] got additional MOBIKE peer address: 192.168.2.3
Oct  2 22:03:16 13[IKE] authentication of 'james.dyndns.org' (myself) with RSA signature successful
Oct  2 22:03:16 13[IKE] deleting duplicate IKE_SA for peer 'C=DE, CN=daniel.dyndns.org' due to uniqueness policy
Oct  2 22:03:16 13[IKE] queueing IKE_DELETE task
Oct  2 22:03:16 13[IKE] activating new tasks
Oct  2 22:03:16 13[IKE]   activating IKE_DELETE task
Oct  2 22:03:16 13[IKE] deleting IKE_SA daniel[1] between 89.246.221.197[james.dyndns.org]...31.18.87.101[C=DE, CN=daniel.dyndns.org]
Oct  2 22:03:16 13[IKE] IKE_SA daniel[1] state change: ESTABLISHED => DELETING
Oct  2 22:03:16 13[IKE] sending DELETE for IKE_SA daniel[1]
Oct  2 22:03:16 13[ENC] generating INFORMATIONAL request 2 [ D ]
Oct  2 22:03:16 13[NET] sending packet: from 89.246.221.197[4500] to 31.18.87.101[4500]
Oct  2 22:03:16 13[IKE] IKE_SA daniel[2] established between 89.246.221.197[james.dyndns.org]...31.18.87.101[C=DE, CN=daniel.dyndns.org]
Oct  2 22:03:16 13[IKE] IKE_SA daniel[2] state change: CONNECTING => ESTABLISHED
Oct  2 22:03:16 13[IKE] scheduling reauthentication in 9946s
Oct  2 22:03:16 13[IKE] maximum IKE_SA lifetime 10486s
Oct  2 22:03:16 13[IKE] activating new tasks
Oct  2 22:03:16 13[IKE] nothing to initiate
Oct  2 22:03:16 13[IKE] CHILD_SA daniel{2} established with SPIs ccc77167_i cdf735e9_o and TS 172.16.16.0/24 === 192.168.2.0/24 
Oct  2 22:03:16 13[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Oct  2 22:03:16 13[NET] sending packet: from 89.246.221.197[4500] to 31.18.87.101[4500]
Oct  2 22:03:16 12[NET] received packet: from 31.18.87.101[4500] to 89.246.221.197[4500]
Oct  2 22:03:16 12[ENC] parsed INFORMATIONAL response 2 [ ]
Oct  2 22:03:16 12[IKE] IKE_SA deleted
Oct  2 22:03:16 12[IKE] IKE_SA daniel[1] state change: DELETING => DESTROYING
Oct  2 22:03:45 02[IKE] activating new tasks
Oct  2 22:03:45 02[IKE] nothing to initiate
Oct  2 22:04:15 16[IKE] activating new tasks
Oct  2 22:04:15 16[IKE] nothing to initiate
Oct  2 22:04:44 07[KNL] interface pppoe-wan deactivated
Oct  2 22:04:44 13[IKE] old path is not available anymore, try to find another
Oct  2 22:04:44 13[IKE] looking for a route to 31.18.87.101 ...
Oct  2 22:04:44 07[KNL] 89.246.221.197 disappeared from pppoe-wan
Oct  2 22:04:44 13[IKE] looking for a route to 192.168.2.3 ...
Oct  2 22:04:44 13[IKE] no route found to reach 31.18.87.101, MOBIKE update deferred
Oct  2 22:04:44 07[KNL] interface pppoe-wan deleted
Oct  2 22:04:45 09[IKE] old path is not available anymore, try to find another
Oct  2 22:04:45 09[IKE] looking for a route to 31.18.87.101 ...
Oct  2 22:04:45 09[IKE] looking for a route to 192.168.2.3 ...
Oct  2 22:04:45 09[IKE] no route found to reach 31.18.87.101, MOBIKE update deferred
Oct  2 22:04:45 14[IKE] activating new tasks
Oct  2 22:04:45 14[IKE] nothing to initiate
Oct  2 22:04:45 07[KNL] interface eth1 deactivated
Oct  2 22:04:45 07[KNL] fe80::224:8cff:fe54:eeca disappeared from eth1
Oct  2 22:04:45 11[IKE] old path is not available anymore, try to find another
Oct  2 22:04:45 11[IKE] looking for a route to 31.18.87.101 ...
Oct  2 22:04:45 11[IKE] looking for a route to 192.168.2.3 ...
Oct  2 22:04:45 11[IKE] no route found to reach 31.18.87.101, MOBIKE update deferred
Oct  2 22:05:14 02[IKE] sending DPD request
Oct  2 22:05:14 02[IKE] queueing IKE_DPD task
Oct  2 22:05:14 02[IKE] activating new tasks
Oct  2 22:05:14 02[IKE]   activating IKE_DPD task
Oct  2 22:05:14 02[ENC] generating INFORMATIONAL request 0 [ ]
Oct  2 22:05:14 02[NET] sending packet: from 89.246.221.197[4500] to 31.18.87.101[4500]
Oct  2 22:05:14 05[NET] error writing to socket: Invalid argument
Oct  2 22:05:18 16[IKE] retransmit 1 of request with message ID 0
Oct  2 22:05:18 16[NET] sending packet: from 89.246.221.197[4500] to 31.18.87.101[4500]
Oct  2 22:05:18 05[NET] error writing to socket: Invalid argument
Oct  2 22:05:25 12[IKE] retransmit 2 of request with message ID 0
Oct  2 22:05:25 12[NET] sending packet: from 89.246.221.197[4500] to 31.18.87.101[4500]
Oct  2 22:05:25 05[NET] error writing to socket: Invalid argument
Oct  2 22:05:30 07[KNL] interface eth1 activated
Oct  2 22:05:30 13[IKE] old path is not available anymore, try to find another
Oct  2 22:05:30 13[IKE] looking for a route to 31.18.87.101 ...
Oct  2 22:05:30 13[IKE] looking for a route to 192.168.2.3 ...
Oct  2 22:05:30 13[IKE] no route found to reach 31.18.87.101, MOBIKE update deferred
Oct  2 22:05:31 07[KNL] 89.246.210.233 appeared on pppoe-wan
Oct  2 22:05:31 07[KNL] 89.246.210.233 disappeared from pppoe-wan
Oct  2 22:05:31 07[KNL] 89.246.210.233 appeared on pppoe-wan
Oct  2 22:05:31 07[KNL] interface pppoe-wan activated
Oct  2 22:05:31 07[KNL] fe80::224:8cff:fe54:eeca appeared on eth1
Oct  2 22:05:31 10[IKE] old path is not available anymore, try to find another
Oct  2 22:05:31 10[IKE] looking for a route to 31.18.87.101 ...
Oct  2 22:05:31 10[IKE] looking for a route to 192.168.2.3 ...
Oct  2 22:05:31 10[IKE] no route found to reach 31.18.87.101, MOBIKE update deferred
Oct  2 22:05:31 02[IKE] old path is not available anymore, try to find another
Oct  2 22:05:31 02[IKE] looking for a route to 31.18.87.101 ...
Oct  2 22:05:31 02[IKE] sending address list update using MOBIKE, implicitly requesting an address change
Oct  2 22:05:31 02[IKE] queueing IKE_MOBIKE task
Oct  2 22:05:31 02[IKE] delaying task initiation, INFORMATIONAL exchange in progress
Oct  2 22:05:38 12[IKE] retransmit 3 of request with message ID 0
Oct  2 22:05:38 12[NET] sending packet: from 89.246.221.197[4500] to 31.18.87.101[4500]
Oct  2 22:05:38 05[NET] error writing to socket: Invalid argument
Oct  2 22:05:44 15[IKE] delaying task initiation, INFORMATIONAL exchange in progress
Oct  2 22:06:02 09[IKE] retransmit 4 of request with message ID 0
Oct  2 22:06:02 09[NET] sending packet: from 89.246.221.197[4500] to 31.18.87.101[4500]
Oct  2 22:06:02 05[NET] error writing to socket: Invalid argument
Oct  2 22:06:14 13[IKE] delaying task initiation, INFORMATIONAL exchange in progress
Oct  2 22:06:44 02[IKE] retransmit 5 of request with message ID 0
Oct  2 22:06:44 02[NET] sending packet: from 89.246.221.197[4500] to 31.18.87.101[4500]
Oct  2 22:06:44 05[NET] error writing to socket: Invalid argument
Oct  2 22:06:44 12[IKE] delaying task initiation, INFORMATIONAL exchange in progress
Oct  2 22:07:14 15[IKE] delaying task initiation, INFORMATIONAL exchange in progress
Oct  2 22:07:44 09[IKE] delaying task initiation, INFORMATIONAL exchange in progress
Oct  2 22:07:59 13[IKE] giving up after 5 retransmits
Oct  2 22:07:59 13[IKE] restarting CHILD_SA daniel
Oct  2 22:07:59 13[IKE] queueing IKE_VENDOR task
Oct  2 22:07:59 13[IKE] queueing IKE_INIT task
Oct  2 22:07:59 13[IKE] queueing IKE_NATD task
Oct  2 22:07:59 13[IKE] queueing IKE_CERT_PRE task
Oct  2 22:07:59 13[IKE] queueing IKE_AUTH task
Oct  2 22:07:59 13[IKE] queueing IKE_CERT_POST task
Oct  2 22:07:59 13[IKE] queueing IKE_CONFIG task
Oct  2 22:07:59 13[IKE] queueing IKE_AUTH_LIFETIME task
Oct  2 22:07:59 13[IKE] queueing IKE_MOBIKE task
Oct  2 22:07:59 13[IKE] queueing CHILD_CREATE task
Oct  2 22:07:59 13[IKE] activating new tasks
Oct  2 22:07:59 13[IKE]   activating IKE_VENDOR task
Oct  2 22:07:59 13[IKE]   activating IKE_INIT task
Oct  2 22:07:59 13[IKE]   activating IKE_NATD task
Oct  2 22:07:59 13[IKE]   activating IKE_CERT_PRE task
Oct  2 22:07:59 13[IKE]   activating IKE_AUTH task
Oct  2 22:07:59 13[IKE]   activating IKE_CERT_POST task
Oct  2 22:07:59 13[IKE]   activating IKE_CONFIG task
Oct  2 22:07:59 13[IKE]   activating CHILD_CREATE task
Oct  2 22:07:59 13[IKE]   activating IKE_AUTH_LIFETIME task
Oct  2 22:07:59 13[IKE]   activating IKE_MOBIKE task
Oct  2 22:07:59 13[IKE] initiating IKE_SA daniel[3] to 31.18.87.101
Oct  2 22:07:59 13[IKE] IKE_SA daniel[3] state change: CREATED => CONNECTING
Oct  2 22:08:01 13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct  2 22:08:01 13[NET] sending packet: from 89.246.221.197[4500] to 31.18.87.101[4500]
Oct  2 22:08:01 05[NET] error writing to socket: Invalid argument
Oct  2 22:08:01 13[IKE] IKE_SA daniel[2] state change: ESTABLISHED => DESTROYING
Oct  2 22:08:05 11[IKE] retransmit 1 of request with message ID 0
Oct  2 22:08:05 11[NET] sending packet: from 89.246.221.197[4500] to 31.18.87.101[4500]
Oct  2 22:08:05 05[NET] error writing to socket: Invalid argument
Oct  2 22:08:12 14[IKE] retransmit 2 of request with message ID 0
Oct  2 22:08:12 14[NET] sending packet: from 89.246.221.197[4500] to 31.18.87.101[4500]
Oct  2 22:08:12 05[NET] error writing to socket: Invalid argument
Oct  2 22:08:25 10[IKE] retransmit 3 of request with message ID 0
Oct  2 22:08:25 10[NET] sending packet: from 89.246.221.197[4500] to 31.18.87.101[4500]
Oct  2 22:08:25 05[NET] error writing to socket: Invalid argument
Oct  2 22:08:48 02[IKE] retransmit 4 of request with message ID 0
Oct  2 22:08:48 02[NET] sending packet: from 89.246.221.197[4500] to 31.18.87.101[4500]
Oct  2 22:08:48 05[NET] error writing to socket: Invalid argument
Oct  2 22:09:30 09[IKE] retransmit 5 of request with message ID 0
Oct  2 22:09:30 09[NET] sending packet: from 89.246.221.197[4500] to 31.18.87.101[4500]
Oct  2 22:09:30 05[NET] error writing to socket: Invalid argument
Oct  2 22:10:44 14[NET] received packet: from 31.18.87.101[500] to 89.246.210.233[500]
Oct  2 22:10:44 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct  2 22:10:45 14[IKE] 31.18.87.101 is initiating an IKE_SA
Oct  2 22:10:45 14[IKE] IKE_SA (unnamed)[4] state change: CREATED => CONNECTING
Oct  2 22:10:46 16[IKE] giving up after 5 retransmits
Oct  2 22:10:46 16[IKE] peer not responding, trying again (2/0)
Oct  2 22:10:46 16[IKE] IKE_SA daniel[3] state change: CONNECTING => CREATED
Oct  2 22:10:46 16[IKE] activating new tasks
Oct  2 22:10:46 16[IKE]   activating IKE_VENDOR task
Oct  2 22:10:46 16[IKE]   activating IKE_INIT task
Oct  2 22:10:46 16[IKE]   activating IKE_NATD task
Oct  2 22:10:46 16[IKE]   activating IKE_CERT_PRE task
Oct  2 22:10:46 16[IKE]   activating IKE_AUTH task
Oct  2 22:10:46 16[IKE]   activating IKE_CERT_POST task
Oct  2 22:10:46 16[IKE]   activating IKE_CONFIG task
Oct  2 22:10:46 16[IKE]   activating CHILD_CREATE task
Oct  2 22:10:46 16[IKE]   activating IKE_AUTH_LIFETIME task
Oct  2 22:10:46 16[IKE]   activating IKE_MOBIKE task
Oct  2 22:10:46 16[IKE] initiating IKE_SA daniel[3] to 31.18.87.101
Oct  2 22:10:46 16[IKE] IKE_SA daniel[3] state change: CREATED => CONNECTING
Oct  2 22:10:46 16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct  2 22:10:46 16[NET] sending packet: from 89.246.210.233[500] to 31.18.87.101[500]
Oct  2 22:10:46 10[NET] received packet: from 31.18.87.101[500] to 89.246.210.233[500]
Oct  2 22:10:46 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Oct  2 22:10:48 02[MGR] ignoring request with ID 0, already processing
Oct  2 22:10:49 10[IKE] received cert request for "C=DE, CN=daniel.dyndns.org"
Oct  2 22:10:49 10[IKE] reinitiating already active tasks
Oct  2 22:10:49 10[IKE]   IKE_CERT_PRE task
Oct  2 22:10:49 10[IKE]   IKE_AUTH task
Oct  2 22:10:49 10[IKE] sending cert request for "C=DE, CN=daniel.dyndns.org"
Oct  2 22:10:50 14[IKE] sending cert request for "C=DE, CN=daniel.dyndns.org"
Oct  2 22:10:50 14[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Oct  2 22:10:50 14[NET] sending packet: from 89.246.210.233[500] to 31.18.87.101[500]
Oct  2 22:10:50 12[NET] received packet: from 31.18.87.101[4500] to 89.246.210.233[4500]
Oct  2 22:10:50 12[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Oct  2 22:10:50 12[IKE] received cert request for "C=DE, CN=daniel.dyndns.org"
Oct  2 22:10:50 12[CFG] looking for peer configs matching 89.246.210.233[james.dyndns.org]...31.18.87.101[C=DE, CN=daniel.dyndns.org]
Oct  2 22:10:50 12[CFG] selected peer config 'daniel'
Oct  2 22:10:50 12[CFG]   using trusted certificate "C=DE, CN=daniel.dyndns.org"
Oct  2 22:10:50 10[IKE] authentication of 'james.dyndns.org' (myself) with RSA signature successful
Oct  2 22:10:50 10[IKE] establishing CHILD_SA daniel
Oct  2 22:10:50 12[IKE] authentication of 'C=DE, CN=daniel.dyndns.org' with RSA signature successful
Oct  2 22:10:50 12[IKE] peer supports MOBIKE
Oct  2 22:10:50 12[IKE] got additional MOBIKE peer address: 192.168.2.3
Oct  2 22:10:50 10[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Oct  2 22:10:50 10[NET] sending packet: from 89.246.210.233[4500] to 31.18.87.101[4500]
Oct  2 22:10:51 09[NET] received packet: from 31.18.87.101[4500] to 89.246.210.233[4500]
Oct  2 22:10:51 09[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Oct  2 22:10:51 09[CFG]   using trusted certificate "C=DE, CN=daniel.dyndns.org"
Oct  2 22:10:51 12[IKE] authentication of 'james.dyndns.org' (myself) with RSA signature successful
Oct  2 22:10:51 12[IKE] IKE_SA daniel[4] established between 89.246.210.233[james.dyndns.org]...31.18.87.101[C=DE, CN=daniel.dyndns.org]
Oct  2 22:10:51 09[IKE] authentication of 'C=DE, CN=daniel.dyndns.org' with RSA signature successful
Oct  2 22:10:51 09[IKE] IKE_SA daniel[3] established between 89.246.210.233[james.dyndns.org]...31.18.87.101[C=DE, CN=daniel.dyndns.org]
Oct  2 22:10:51 12[IKE] IKE_SA daniel[4] state change: CONNECTING => ESTABLISHED
Oct  2 22:10:51 12[IKE] scheduling reauthentication in 10086s
Oct  2 22:10:51 09[IKE] IKE_SA daniel[3] state change: CONNECTING => ESTABLISHED
Oct  2 22:10:51 12[IKE] maximum IKE_SA lifetime 10626s
Oct  2 22:10:51 12[IKE] activating new tasks
Oct  2 22:10:51 12[IKE] nothing to initiate
Oct  2 22:10:51 09[IKE] scheduling reauthentication in 9948s
Oct  2 22:10:51 09[IKE] maximum IKE_SA lifetime 10488s
Oct  2 22:10:51 09[IKE] delaying task initiation, IKE_AUTH exchange in progress
Oct  2 22:10:51 09[IKE] CHILD_SA daniel{3} established with SPIs c5dcc107_i c25d54e9_o and TS 172.16.16.0/24 === 192.168.2.0/24 
Oct  2 22:10:51 12[IKE] CHILD_SA daniel{4} established with SPIs c20b0973_i cb39e522_o and TS 172.16.16.0/24 === 192.168.2.0/24 
Oct  2 22:10:51 12[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Oct  2 22:10:51 12[NET] sending packet: from 89.246.210.233[4500] to 31.18.87.101[4500]
Oct  2 22:10:51 09[IKE] received AUTH_LIFETIME of 10163s, scheduling reauthentication in 9623s
Oct  2 22:10:51 09[IKE] peer supports MOBIKE
Oct  2 22:10:51 09[IKE] got additional MOBIKE peer address: 192.168.2.3
Oct  2 22:10:51 09[IKE] activating new tasks
Oct  2 22:10:51 09[IKE] nothing to initiate
Oct  2 22:11:20 16[IKE] activating new tasks
Oct  2 22:11:20 16[IKE] nothing to initiate
Oct  2 22:11:20 02[NET] received packet: from 31.18.87.101[4500] to 89.246.210.233[4500]
Oct  2 22:11:20 02[ENC] parsed INFORMATIONAL request 0 [ ]
Oct  2 22:11:20 02[ENC] generating INFORMATIONAL response 0 [ ]
Oct  2 22:11:20 02[NET] sending packet: from 89.246.210.233[4500] to 31.18.87.101[4500]
Oct  2 22:11:21 14[IKE] activating new tasks
Oct  2 22:11:21 14[IKE] nothing to initiate
Oct  2 22:11:50 11[IKE] activating new tasks
Oct  2 22:11:50 11[IKE] nothing to initiate
Oct  2 22:11:51 13[IKE] sending DPD request
Oct  2 22:11:51 13[IKE] queueing IKE_DPD task
Oct  2 22:11:51 13[IKE] activating new tasks
Oct  2 22:11:51 13[IKE]   activating IKE_DPD task
Oct  2 22:11:51 13[ENC] generating INFORMATIONAL request 2 [ ]
Oct  2 22:11:51 13[NET] sending packet: from 89.246.210.233[4500] to 31.18.87.101[4500]
Oct  2 22:11:51 16[NET] received packet: from 31.18.87.101[4500] to 89.246.210.233[4500]
Oct  2 22:11:51 16[ENC] parsed INFORMATIONAL response 2 [ ]
Oct  2 22:11:51 16[IKE] activating new tasks
Oct  2 22:11:51 16[IKE] nothing to initiate
-------------- next part --------------
# ipsec.conf - strongSwan IPsec configuration file

config setup
	#charondebug="ike 2"

conn %default
	keyingtries=%forever
	
conn daniel
	leftcert=jamesCert.pem
	leftsendcert=never
	leftid=@james.dyndns.org
	leftsubnet=172.16.16.0/24
	lefthostaccess=yes
	right=%daniel.dyndns.org
	rightcert=danielCert.pem
	rightsubnet=192.168.2.0/24
	dpdaction=restart
	auto=start
-------------- next part --------------
# strongswan.conf - strongSwan configuration file

charon {

	# number of worker threads in charon
	threads = 16

	# retry DNS lookups every N seconds (0 means off)
	retry_initiate_interval = 30

	# send strongswan vendor ID?
	# send_vendor_id = yes

	plugins {

		sql {
			# loglevel to log into sql database
			loglevel = -1

			# URI to the database
			# database = sqlite:///path/to/file.db
			# database = mysql://user:password@localhost/database
		}
	}

	# ...
	syslog {
		daemon {
			default = 0
		}
		auth {
			default = 0
		}
	}
	filelog {
		/tmp/charon.log {
			# add a timestamp prefix
			time_format = %b %e %T
			# loggers to files also accept the append option to open files in
			# append mode at startup (default is yes)
			append = yes
			# the default loglevel for all daemon subsystems (defaults to 1).
			default = 1
			# raise the IKE subsystem to loglevel 2
			ike = 2
			# flush each line to disk
			flush_line = yes
		}
	}
}

pluto {

}

libstrongswan {

	#  set to no, the DH exponent size is optimized
	#  dh_exponent_ansi_x9_42 = no
}
-------------- next part --------------
Status of IKE charon daemon (strongSwan 5.0.0, Linux 3.2.0-3-amd64, x86_64):
  uptime: 3 minutes, since Oct 02 22:03:01 2012
  malloc: sbrk 1581056, mmap 0, used 1449136, free 131920
  worker threads: 4 of 16 idle, 11/1/0/0 working, job queue: 0/0/0/0, scheduled: 7
  loaded plugins: charon test-vectors curl soup ldap mysql sqlite pkcs11 aes des blowfish sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default socket-raw socket-dynamic farp stroke smp updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap tnc-ifmap tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist led radattr addrblock
Listening IP addresses:
  31.18.87.101
  192.168.2.3
Connections:
       james:  %any...%james.dyndns.org  IKEv1/2, dpddelay=30s
       james:   local:  [C=DE, CN=daniel.dyndns.org] uses public key authentication
       james:    cert:  "C=DE, CN=daniel.dyndns.org"
       james:   remote: [james.dyndns.org] uses public key authentication
       james:    cert:  "C=DE, CN=james"
       james:   child:  192.168.2.0/24 === 172.16.16.0/24 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
       james[1]: ESTABLISHED 3 minutes ago, 31.18.87.101[C=DE, CN=daniel.dyndns.org]...89.246.221.197[james.dyndns.org]
       james[1]: IKEv2 SPIs: 659745c7cfb41501_i* 7392ca9871227e21_r, public key reauthentication in 2 hours
       james[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
       james[1]: Tasks active: IKE_DPD 
       james{2}:  INSTALLED, TUNNEL, ESP SPIs: cdf735e9_i ccc77167_o
       james{2}:  AES_CBC_128/HMAC_SHA1_96, 36092 bytes_i (128s ago), 339604 bytes_o (129s ago), rekeying in 44 minutes
       james{2}:   192.168.2.0/24 === 172.16.16.0/24 

------------------------------------------------------------------------------------------------------------------------------------------------------

Status of IKE charon daemon (strongSwan 5.0.0, Linux 3.2.0-3-amd64, x86_64):
  uptime: 5 minutes, since Oct 02 22:03:01 2012
  malloc: sbrk 1581056, mmap 0, used 1410720, free 170336
  worker threads: 4 of 16 idle, 11/1/0/0 working, job queue: 0/0/0/0, scheduled: 6
  loaded plugins: charon test-vectors curl soup ldap mysql sqlite pkcs11 aes des blowfish sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default socket-raw socket-dynamic farp stroke smp updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap tnc-ifmap tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist led radattr addrblock
Listening IP addresses:
  31.18.87.101
  192.168.2.3
Connections:
       james:  %any...%james.dyndns.org  IKEv1/2, dpddelay=30s
       james:   local:  [C=DE, CN=daniel.dyndns.org] uses public key authentication
       james:    cert:  "C=DE, CN=daniel.dyndns.org"
       james:   remote: [james.dyndns.org] uses public key authentication
       james:    cert:  "C=DE, CN=james"
       james:   child:  192.168.2.0/24 === 172.16.16.0/24 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
       james[3]: CONNECTING, 31.18.87.101[%any]...89.246.221.197[%any]
       james[3]: IKEv2 SPIs: bae31fa7f9faebe9_i* 0000000000000000_r
       james[3]: Tasks active: IKE_VENDOR IKE_INIT IKE_NATD IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE 

------------------------------------------------------------------------------------------------------------------------------------------------------

Status of IKE charon daemon (strongSwan 5.0.0, Linux 3.2.0-3-amd64, x86_64):
  uptime: 8 minutes, since Oct 02 22:03:01 2012
  malloc: sbrk 1581056, mmap 0, used 1506992, free 74064
  worker threads: 4 of 16 idle, 11/1/0/0 working, job queue: 0/0/0/0, scheduled: 13
  loaded plugins: charon test-vectors curl soup ldap mysql sqlite pkcs11 aes des blowfish sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default socket-raw socket-dynamic farp stroke smp updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap tnc-ifmap tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist led radattr addrblock
Listening IP addresses:
  31.18.87.101
  192.168.2.3
Connections:
       james:  %any...%james.dyndns.org  IKEv1/2, dpddelay=30s
       james:   local:  [C=DE, CN=daniel.dyndns.org] uses public key authentication
       james:    cert:  "C=DE, CN=daniel.dyndns.org"
       james:   remote: [james.dyndns.org] uses public key authentication
       james:    cert:  "C=DE, CN=james"
       james:   child:  192.168.2.0/24 === 172.16.16.0/24 TUNNEL, dpdaction=restart
Security Associations (2 up, 0 connecting):
       james[4]: ESTABLISHED 31 seconds ago, 31.18.87.101[C=DE, CN=daniel.dyndns.org]...89.246.210.233[james.dyndns.org]
       james[4]: IKEv2 SPIs: a624cd4c766d6d24_i 83b216b0e29421cd_r*, public key reauthentication in 2 hours
       james[4]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
       james{4}:  INSTALLED, TUNNEL, ESP SPIs: c25d54e9_i c5dcc107_o
       james{4}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 42 minutes
       james{4}:   192.168.2.0/24 === 172.16.16.0/24 
       james[3]: ESTABLISHED 30 seconds ago, 31.18.87.101[C=DE, CN=daniel.dyndns.org]...89.246.210.233[james.dyndns.org]
       james[3]: IKEv2 SPIs: bae31fa7f9faebe9_i* 398f00e2dafe114c_r, public key reauthentication in 2 hours
       james[3]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
       james{3}:  INSTALLED, TUNNEL, ESP SPIs: cb39e522_i c20b0973_o
       james{3}:  AES_CBC_128/HMAC_SHA1_96, 11868 bytes_i (0s ago), 81032 bytes_o (0s ago), rekeying in 42 minutes
       james{3}:   192.168.2.0/24 === 172.16.16.0/24 

------------------------------------------------------------------------------------------------------------------------------------------------------
-------------- next part --------------
Oct  2 22:03:01 daniel charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.0.0, Linux 3.2.0-3-amd64, x86_64)
Oct  2 22:03:01 daniel charon: 00[CFG] attr-sql plugin: database URI not set
Oct  2 22:03:01 daniel charon: 00[LIB] plugin 'attr-sql': failed to load - attr_sql_plugin_create returned NULL
Oct  2 22:03:01 daniel charon: 00[CFG] disabling load-tester plugin, not configured
Oct  2 22:03:01 daniel charon: 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
Oct  2 22:03:01 daniel charon: 00[KNL] listening on interfaces:
Oct  2 22:03:01 daniel charon: 00[KNL]   eth0
Oct  2 22:03:01 daniel charon: 00[KNL]     31.18.87.101
Oct  2 22:03:01 daniel charon: 00[KNL]     fe80::92fb:a6ff:fe8a:8ca6
Oct  2 22:03:01 daniel charon: 00[KNL]   dummy0
Oct  2 22:03:01 daniel charon: 00[KNL]     192.168.2.3
Oct  2 22:03:01 daniel charon: 00[KNL]     fe80::6c81:aaff:fe9b:6121
Oct  2 22:03:01 daniel charon: 00[CFG] sql plugin: database URI not set
Oct  2 22:03:01 daniel charon: 00[LIB] plugin 'sql': failed to load - sql_plugin_create returned NULL
Oct  2 22:03:01 daniel charon: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
Oct  2 22:03:01 daniel charon: 00[CFG] eap-simaka-sql database URI missing
Oct  2 22:03:01 daniel charon: 00[CFG] loaded 0 RADIUS server configurations
Oct  2 22:03:01 daniel charon: 00[TNC] MAP server certificate not defined
Oct  2 22:03:01 daniel charon: 00[CFG] missing PDP server name, PDP disabled
Oct  2 22:03:01 daniel charon: 00[CFG] mediation database URI not defined, skipped
Oct  2 22:03:01 daniel charon: 00[LIB] plugin 'medsrv': failed to load - medsrv_plugin_create returned NULL
Oct  2 22:03:01 daniel charon: 00[CFG] mediation client database URI not defined, skipped
Oct  2 22:03:01 daniel charon: 00[LIB] plugin 'medcli': failed to load - medcli_plugin_create returned NULL
Oct  2 22:03:01 daniel charon: 00[CFG] HA config misses local/remote address
Oct  2 22:03:01 daniel charon: 00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
Oct  2 22:03:01 daniel charon: 00[CFG] coupling file path unspecified
Oct  2 22:03:01 daniel charon: 00[LIB] plugin 'coupling': failed to load - coupling_plugin_create returned NULL
Oct  2 22:03:01 daniel charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Oct  2 22:03:01 daniel charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Oct  2 22:03:01 daniel charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Oct  2 22:03:01 daniel charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Oct  2 22:03:01 daniel charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Oct  2 22:03:01 daniel charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Oct  2 22:03:01 daniel charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/danielKey.pem'
Oct  2 22:03:01 daniel charon: 00[TNC] loading IMCs from '/etc/tnc_config'
Oct  2 22:03:01 daniel charon: 00[TNC] opening configuration file '/etc/tnc_config' failed: No such file or directory
Oct  2 22:03:01 daniel charon: 00[TNC] TNC recommendation policy is 'default'
Oct  2 22:03:01 daniel charon: 00[TNC] loading IMVs from '/etc/tnc_config'
Oct  2 22:03:01 daniel charon: 00[TNC] opening configuration file '/etc/tnc_config' failed: No such file or directory
Oct  2 22:03:01 daniel charon: 00[DMN] loaded plugins: charon test-vectors curl soup ldap mysql sqlite pkcs11 aes des blowfish sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default socket-raw socket-dynamic farp stroke smp updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap tnc-ifmap tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist led radattr addrblock
Oct  2 22:03:01 daniel charon: 00[JOB] spawning 16 worker threads
Oct  2 22:03:01 daniel charon: 05[CFG] received stroke: add connection 'james'
Oct  2 22:03:01 daniel charon: 05[CFG] left nor right host is our side, assuming left=local
Oct  2 22:03:01 daniel charon: 05[CFG]   loaded certificate "C=DE, CN=daniel.dyndns.org" from 'danielCert.pem'
Oct  2 22:03:01 daniel charon: 05[CFG]   id '%any' not confirmed by certificate, defaulting to 'C=DE, CN=daniel.dyndns.org'
Oct  2 22:03:01 daniel charon: 05[CFG]   loaded certificate "C=DE, CN=james" from 'jamesCert.pem'
Oct  2 22:03:01 daniel charon: 05[CFG] added configuration 'james'
Oct  2 22:03:01 daniel charon: 05[CFG] received stroke: initiate 'james'
Oct  2 22:03:01 daniel charon: 05[IKE] queueing IKE_VENDOR task
Oct  2 22:03:01 daniel charon: 05[IKE] queueing IKE_INIT task
Oct  2 22:03:01 daniel charon: 05[IKE] queueing IKE_NATD task
Oct  2 22:03:01 daniel charon: 05[IKE] queueing IKE_CERT_PRE task
Oct  2 22:03:01 daniel charon: 05[IKE] queueing IKE_AUTH task
Oct  2 22:03:01 daniel charon: 05[IKE] queueing IKE_CERT_POST task
Oct  2 22:03:01 daniel charon: 05[IKE] queueing IKE_CONFIG task
Oct  2 22:03:01 daniel charon: 05[IKE] queueing IKE_AUTH_LIFETIME task
Oct  2 22:03:01 daniel charon: 05[IKE] queueing IKE_MOBIKE task
Oct  2 22:03:01 daniel charon: 05[IKE] queueing IKE_ME task
Oct  2 22:03:01 daniel charon: 05[IKE] queueing CHILD_CREATE task
Oct  2 22:03:01 daniel charon: 05[IKE] activating new tasks
Oct  2 22:03:01 daniel charon: 05[IKE]   activating IKE_VENDOR task
Oct  2 22:03:01 daniel charon: 05[IKE]   activating IKE_INIT task
Oct  2 22:03:01 daniel charon: 05[IKE]   activating IKE_NATD task
Oct  2 22:03:01 daniel charon: 05[IKE]   activating IKE_CERT_PRE task
Oct  2 22:03:01 daniel charon: 05[IKE]   activating IKE_ME task
Oct  2 22:03:01 daniel charon: 05[IKE]   activating IKE_AUTH task
Oct  2 22:03:01 daniel charon: 05[IKE]   activating IKE_CERT_POST task
Oct  2 22:03:01 daniel charon: 05[IKE]   activating IKE_CONFIG task
Oct  2 22:03:01 daniel charon: 05[IKE]   activating CHILD_CREATE task
Oct  2 22:03:01 daniel charon: 05[IKE]   activating IKE_AUTH_LIFETIME task
Oct  2 22:03:01 daniel charon: 05[IKE]   activating IKE_MOBIKE task
Oct  2 22:03:01 daniel charon: 05[IKE] initiating IKE_SA james[1] to 89.246.221.197
Oct  2 22:03:01 daniel charon: 05[IKE] initiating IKE_SA james[1] to 89.246.221.197
Oct  2 22:03:01 daniel charon: 05[IKE] IKE_SA james[1] state change: CREATED => CONNECTING
Oct  2 22:03:01 daniel charon: 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct  2 22:03:01 daniel charon: 05[NET] sending packet: from 31.18.87.101[500] to 89.246.221.197[500]
Oct  2 22:03:05 daniel charon: 01[IKE] retransmit 1 of request with message ID 0
Oct  2 22:03:05 daniel charon: 01[NET] sending packet: from 31.18.87.101[500] to 89.246.221.197[500]
Oct  2 22:03:07 daniel charon: 04[NET] received packet: from 89.246.221.197[500] to 31.18.87.101[500]
Oct  2 22:03:07 daniel charon: 04[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct  2 22:03:07 daniel charon: 04[IKE] 89.246.221.197 is initiating an IKE_SA
Oct  2 22:03:07 daniel charon: 04[IKE] 89.246.221.197 is initiating an IKE_SA
Oct  2 22:03:07 daniel charon: 04[IKE] IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
Oct  2 22:03:07 daniel charon: 04[IKE] sending cert request for "C=DE, CN=daniel.dyndns.org"
Oct  2 22:03:07 daniel charon: 04[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Oct  2 22:03:07 daniel charon: 04[NET] sending packet: from 31.18.87.101[500] to 89.246.221.197[500]
Oct  2 22:03:10 daniel charon: 03[NET] received packet: from 89.246.221.197[4500] to 31.18.87.101[4500]
Oct  2 22:03:10 daniel charon: 03[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Oct  2 22:03:10 daniel charon: 03[IKE] received cert request for "C=DE, CN=daniel.dyndns.org"
Oct  2 22:03:10 daniel charon: 03[CFG] looking for peer configs matching 31.18.87.101[C=DE, CN=daniel.dyndns.org]...89.246.221.197[james.dyndns.org]
Oct  2 22:03:10 daniel charon: 03[CFG] selected peer config 'james'
Oct  2 22:03:10 daniel charon: 03[CFG]   using trusted certificate "C=DE, CN=james"
Oct  2 22:03:10 daniel charon: 03[IKE] authentication of 'james.dyndns.org' with RSA signature successful
Oct  2 22:03:10 daniel charon: 03[IKE] peer supports MOBIKE
Oct  2 22:03:10 daniel charon: 03[IKE] got additional MOBIKE peer address: 172.16.16.250
Oct  2 22:03:10 daniel charon: 03[IKE] authentication of 'C=DE, CN=daniel.dyndns.org' (myself) with RSA signature successful
Oct  2 22:03:10 daniel charon: 03[IKE] IKE_SA james[2] established between 31.18.87.101[C=DE, CN=daniel.dyndns.org]...89.246.221.197[james.dyndns.org]
Oct  2 22:03:10 daniel charon: 03[IKE] IKE_SA james[2] established between 31.18.87.101[C=DE, CN=daniel.dyndns.org]...89.246.221.197[james.dyndns.org]
Oct  2 22:03:10 daniel charon: 03[IKE] IKE_SA james[2] state change: CONNECTING => ESTABLISHED
Oct  2 22:03:10 daniel charon: 03[IKE] scheduling reauthentication in 10028s
Oct  2 22:03:10 daniel charon: 03[IKE] maximum IKE_SA lifetime 10568s
Oct  2 22:03:10 daniel charon: 03[IKE] activating new tasks
Oct  2 22:03:10 daniel charon: 03[IKE] nothing to initiate
Oct  2 22:03:10 daniel charon: 03[IKE] CHILD_SA james{1} established with SPIs ce306dd9_i cc9bf8e0_o and TS 192.168.2.0/24 === 172.16.16.0/24 
Oct  2 22:03:10 daniel charon: 03[IKE] CHILD_SA james{1} established with SPIs ce306dd9_i cc9bf8e0_o and TS 192.168.2.0/24 === 172.16.16.0/24 
Oct  2 22:03:10 daniel charon: 03[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Oct  2 22:03:10 daniel charon: 03[NET] sending packet: from 31.18.87.101[4500] to 89.246.221.197[4500]
Oct  2 22:03:12 daniel charon: 02[IKE] retransmit 2 of request with message ID 0
Oct  2 22:03:12 daniel charon: 02[NET] sending packet: from 31.18.87.101[500] to 89.246.221.197[500]
Oct  2 22:03:15 daniel charon: 05[NET] received packet: from 89.246.221.197[500] to 31.18.87.101[500]
Oct  2 22:03:15 daniel charon: 05[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Oct  2 22:03:15 daniel charon: 05[IKE] received cert request for "C=DE, CN=daniel.dyndns.org"
Oct  2 22:03:15 daniel charon: 05[IKE] reinitiating already active tasks
Oct  2 22:03:15 daniel charon: 05[IKE]   IKE_CERT_PRE task
Oct  2 22:03:15 daniel charon: 05[IKE]   IKE_AUTH task
Oct  2 22:03:15 daniel charon: 05[IKE] sending cert request for "C=DE, CN=daniel.dyndns.org"
Oct  2 22:03:15 daniel charon: 05[IKE] authentication of 'C=DE, CN=daniel.dyndns.org' (myself) with RSA signature successful
Oct  2 22:03:15 daniel charon: 05[IKE] establishing CHILD_SA james
Oct  2 22:03:15 daniel charon: 05[IKE] establishing CHILD_SA james
Oct  2 22:03:15 daniel charon: 05[ENC] generating IKE_AUTH request 1 [ IDi CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Oct  2 22:03:15 daniel charon: 05[NET] sending packet: from 31.18.87.101[4500] to 89.246.221.197[4500]
Oct  2 22:03:16 daniel charon: 01[NET] received packet: from 89.246.221.197[4500] to 31.18.87.101[4500]
Oct  2 22:03:16 daniel charon: 01[ENC] parsed INFORMATIONAL request 2 [ D ]
Oct  2 22:03:16 daniel charon: 01[IKE] received DELETE for IKE_SA james[2]
Oct  2 22:03:16 daniel charon: 01[IKE] deleting IKE_SA james[2] between 31.18.87.101[C=DE, CN=daniel.dyndns.org]...89.246.221.197[james.dyndns.org]
Oct  2 22:03:16 daniel charon: 01[IKE] deleting IKE_SA james[2] between 31.18.87.101[C=DE, CN=daniel.dyndns.org]...89.246.221.197[james.dyndns.org]
Oct  2 22:03:16 daniel charon: 01[IKE] IKE_SA james[2] state change: ESTABLISHED => DELETING
Oct  2 22:03:16 daniel charon: 01[IKE] IKE_SA deleted
Oct  2 22:03:16 daniel charon: 01[IKE] IKE_SA deleted
Oct  2 22:03:16 daniel charon: 01[ENC] generating INFORMATIONAL response 2 [ ]
Oct  2 22:03:16 daniel charon: 01[NET] sending packet: from 31.18.87.101[4500] to 89.246.221.197[4500]
Oct  2 22:03:16 daniel charon: 01[IKE] IKE_SA james[2] state change: DELETING => DESTROYING
Oct  2 22:03:16 daniel charon: 04[NET] received packet: from 89.246.221.197[4500] to 31.18.87.101[4500]
Oct  2 22:03:16 daniel charon: 04[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Oct  2 22:03:16 daniel charon: 04[CFG]   using trusted certificate "C=DE, CN=james"
Oct  2 22:03:16 daniel charon: 04[IKE] authentication of 'james.dyndns.org' with RSA signature successful
Oct  2 22:03:16 daniel charon: 04[IKE] IKE_SA james[1] established between 31.18.87.101[C=DE, CN=daniel.dyndns.org]...89.246.221.197[james.dyndns.org]
Oct  2 22:03:16 daniel charon: 04[IKE] IKE_SA james[1] established between 31.18.87.101[C=DE, CN=daniel.dyndns.org]...89.246.221.197[james.dyndns.org]
Oct  2 22:03:16 daniel charon: 04[IKE] IKE_SA james[1] state change: CONNECTING => ESTABLISHED
Oct  2 22:03:16 daniel charon: 04[IKE] scheduling reauthentication in 9722s
Oct  2 22:03:16 daniel charon: 04[IKE] maximum IKE_SA lifetime 10262s
Oct  2 22:03:16 daniel charon: 04[IKE] delaying task initiation, IKE_AUTH exchange in progress
Oct  2 22:03:16 daniel charon: 04[IKE] CHILD_SA james{2} established with SPIs cdf735e9_i ccc77167_o and TS 192.168.2.0/24 === 172.16.16.0/24 
Oct  2 22:03:16 daniel charon: 04[IKE] CHILD_SA james{2} established with SPIs cdf735e9_i ccc77167_o and TS 192.168.2.0/24 === 172.16.16.0/24 
Oct  2 22:03:16 daniel charon: 04[IKE] received AUTH_LIFETIME of 9946s, scheduling reauthentication in 9406s
Oct  2 22:03:16 daniel charon: 04[IKE] peer supports MOBIKE
Oct  2 22:03:16 daniel charon: 04[IKE] got additional MOBIKE peer address: 172.16.16.250
Oct  2 22:03:16 daniel charon: 04[IKE] activating new tasks
Oct  2 22:03:16 daniel charon: 04[IKE] nothing to initiate
Oct  2 22:03:46 daniel charon: 04[IKE] activating new tasks
Oct  2 22:03:46 daniel charon: 04[IKE] nothing to initiate
Oct  2 22:04:15 daniel charon: 03[IKE] activating new tasks
Oct  2 22:04:15 daniel charon: 03[IKE] nothing to initiate
Oct  2 22:04:45 daniel charon: 01[IKE] activating new tasks
Oct  2 22:04:45 daniel charon: 01[IKE] nothing to initiate
Oct  2 22:05:14 daniel charon: 04[IKE] sending DPD request
Oct  2 22:05:14 daniel charon: 04[IKE] queueing IKE_DPD task
Oct  2 22:05:14 daniel charon: 04[IKE] activating new tasks
Oct  2 22:05:14 daniel charon: 04[IKE]   activating IKE_DPD task
Oct  2 22:05:14 daniel charon: 04[ENC] generating INFORMATIONAL request 2 [ ]
Oct  2 22:05:14 daniel charon: 04[NET] sending packet: from 31.18.87.101[4500] to 89.246.221.197[4500]
Oct  2 22:05:18 daniel charon: 03[IKE] retransmit 1 of request with message ID 2
Oct  2 22:05:18 daniel charon: 03[NET] sending packet: from 31.18.87.101[4500] to 89.246.221.197[4500]
Oct  2 22:05:25 daniel charon: 05[IKE] retransmit 2 of request with message ID 2
Oct  2 22:05:25 daniel charon: 05[NET] sending packet: from 31.18.87.101[4500] to 89.246.221.197[4500]
Oct  2 22:05:38 daniel charon: 02[IKE] retransmit 3 of request with message ID 2
Oct  2 22:05:38 daniel charon: 02[NET] sending packet: from 31.18.87.101[4500] to 89.246.221.197[4500]
Oct  2 22:05:44 daniel charon: 01[IKE] delaying task initiation, INFORMATIONAL exchange in progress
Oct  2 22:06:02 daniel charon: 04[IKE] retransmit 4 of request with message ID 2
Oct  2 22:06:02 daniel charon: 04[NET] sending packet: from 31.18.87.101[4500] to 89.246.221.197[4500]
Oct  2 22:06:14 daniel charon: 03[IKE] delaying task initiation, INFORMATIONAL exchange in progress
Oct  2 22:06:44 daniel charon: 05[IKE] retransmit 5 of request with message ID 2
Oct  2 22:06:44 daniel charon: 05[NET] sending packet: from 31.18.87.101[4500] to 89.246.221.197[4500]
Oct  2 22:06:44 daniel charon: 02[IKE] delaying task initiation, INFORMATIONAL exchange in progress
Oct  2 22:07:14 daniel charon: 02[IKE] delaying task initiation, INFORMATIONAL exchange in progress
Oct  2 22:07:44 daniel charon: 04[IKE] delaying task initiation, INFORMATIONAL exchange in progress
Oct  2 22:07:59 daniel charon: 01[IKE] giving up after 5 retransmits
Oct  2 22:07:59 daniel charon: 01[IKE] restarting CHILD_SA james
Oct  2 22:07:59 daniel charon: 01[IKE] queueing IKE_VENDOR task
Oct  2 22:07:59 daniel charon: 01[IKE] queueing IKE_INIT task
Oct  2 22:07:59 daniel charon: 01[IKE] queueing IKE_NATD task
Oct  2 22:07:59 daniel charon: 01[IKE] queueing IKE_CERT_PRE task
Oct  2 22:07:59 daniel charon: 01[IKE] queueing IKE_AUTH task
Oct  2 22:07:59 daniel charon: 01[IKE] queueing IKE_CERT_POST task
Oct  2 22:07:59 daniel charon: 01[IKE] queueing IKE_CONFIG task
Oct  2 22:07:59 daniel charon: 01[IKE] queueing IKE_AUTH_LIFETIME task
Oct  2 22:07:59 daniel charon: 01[IKE] queueing IKE_MOBIKE task
Oct  2 22:07:59 daniel charon: 01[IKE] queueing IKE_ME task
Oct  2 22:07:59 daniel charon: 01[IKE] queueing CHILD_CREATE task
Oct  2 22:07:59 daniel charon: 01[IKE] activating new tasks
Oct  2 22:07:59 daniel charon: 01[IKE]   activating IKE_VENDOR task
Oct  2 22:07:59 daniel charon: 01[IKE]   activating IKE_INIT task
Oct  2 22:07:59 daniel charon: 01[IKE]   activating IKE_NATD task
Oct  2 22:07:59 daniel charon: 01[IKE]   activating IKE_CERT_PRE task
Oct  2 22:07:59 daniel charon: 01[IKE]   activating IKE_ME task
Oct  2 22:07:59 daniel charon: 01[IKE]   activating IKE_AUTH task
Oct  2 22:07:59 daniel charon: 01[IKE]   activating IKE_CERT_POST task
Oct  2 22:07:59 daniel charon: 01[IKE]   activating IKE_CONFIG task
Oct  2 22:07:59 daniel charon: 01[IKE]   activating CHILD_CREATE task
Oct  2 22:07:59 daniel charon: 01[IKE]   activating IKE_AUTH_LIFETIME task
Oct  2 22:07:59 daniel charon: 01[IKE]   activating IKE_MOBIKE task
Oct  2 22:07:59 daniel charon: 01[IKE] initiating IKE_SA james[3] to 89.246.221.197
Oct  2 22:07:59 daniel charon: 01[IKE] initiating IKE_SA james[3] to 89.246.221.197
Oct  2 22:07:59 daniel charon: 01[IKE] IKE_SA james[3] state change: CREATED => CONNECTING
Oct  2 22:07:59 daniel charon: 01[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct  2 22:07:59 daniel charon: 01[NET] sending packet: from 31.18.87.101[4500] to 89.246.221.197[4500]
Oct  2 22:07:59 daniel charon: 01[IKE] IKE_SA james[1] state change: ESTABLISHED => DESTROYING
Oct  2 22:08:03 daniel charon: 05[IKE] retransmit 1 of request with message ID 0
Oct  2 22:08:03 daniel charon: 05[NET] sending packet: from 31.18.87.101[4500] to 89.246.221.197[4500]
Oct  2 22:08:10 daniel charon: 03[IKE] retransmit 2 of request with message ID 0
Oct  2 22:08:10 daniel charon: 03[NET] sending packet: from 31.18.87.101[4500] to 89.246.221.197[4500]
Oct  2 22:08:23 daniel charon: 04[IKE] retransmit 3 of request with message ID 0
Oct  2 22:08:23 daniel charon: 04[NET] sending packet: from 31.18.87.101[4500] to 89.246.221.197[4500]
Oct  2 22:08:47 daniel charon: 04[IKE] retransmit 4 of request with message ID 0
Oct  2 22:08:47 daniel charon: 04[NET] sending packet: from 31.18.87.101[4500] to 89.246.221.197[4500]
Oct  2 22:09:29 daniel charon: 05[IKE] retransmit 5 of request with message ID 0
Oct  2 22:09:29 daniel charon: 05[NET] sending packet: from 31.18.87.101[4500] to 89.246.221.197[4500]
Oct  2 22:10:44 daniel charon: 03[IKE] giving up after 5 retransmits
Oct  2 22:10:44 daniel charon: 03[IKE] peer not responding, trying again (2/0)
Oct  2 22:10:44 daniel charon: 03[IKE] IKE_SA james[3] state change: CONNECTING => CREATED
Oct  2 22:10:44 daniel charon: 03[IKE] queueing IKE_ME task
Oct  2 22:10:44 daniel charon: 03[IKE] activating new tasks
Oct  2 22:10:44 daniel charon: 03[IKE]   activating IKE_VENDOR task
Oct  2 22:10:44 daniel charon: 03[IKE]   activating IKE_INIT task
Oct  2 22:10:44 daniel charon: 03[IKE]   activating IKE_NATD task
Oct  2 22:10:44 daniel charon: 03[IKE]   activating IKE_CERT_PRE task
Oct  2 22:10:44 daniel charon: 03[IKE]   activating IKE_ME task
Oct  2 22:10:44 daniel charon: 03[IKE]   activating IKE_AUTH task
Oct  2 22:10:44 daniel charon: 03[IKE]   activating IKE_CERT_POST task
Oct  2 22:10:44 daniel charon: 03[IKE]   activating IKE_CONFIG task
Oct  2 22:10:44 daniel charon: 03[IKE]   activating CHILD_CREATE task
Oct  2 22:10:44 daniel charon: 03[IKE]   activating IKE_AUTH_LIFETIME task
Oct  2 22:10:44 daniel charon: 03[IKE]   activating IKE_MOBIKE task
Oct  2 22:10:44 daniel charon: 03[IKE] initiating IKE_SA james[3] to 89.246.210.233
Oct  2 22:10:44 daniel charon: 03[IKE] initiating IKE_SA james[3] to 89.246.210.233
Oct  2 22:10:44 daniel charon: 03[IKE] IKE_SA james[3] state change: CREATED => CONNECTING
Oct  2 22:10:44 daniel charon: 03[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct  2 22:10:44 daniel charon: 03[NET] sending packet: from 31.18.87.101[500] to 89.246.210.233[500]
Oct  2 22:10:46 daniel charon: 04[NET] received packet: from 89.246.210.233[500] to 31.18.87.101[500]
Oct  2 22:10:46 daniel charon: 04[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct  2 22:10:46 daniel charon: 04[IKE] 89.246.210.233 is initiating an IKE_SA
Oct  2 22:10:46 daniel charon: 04[IKE] 89.246.210.233 is initiating an IKE_SA
Oct  2 22:10:46 daniel charon: 04[IKE] IKE_SA (unnamed)[4] state change: CREATED => CONNECTING
Oct  2 22:10:46 daniel charon: 04[IKE] sending cert request for "C=DE, CN=daniel.dyndns.org"
Oct  2 22:10:46 daniel charon: 04[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Oct  2 22:10:46 daniel charon: 04[NET] sending packet: from 31.18.87.101[500] to 89.246.210.233[500]
Oct  2 22:10:48 daniel charon: 05[IKE] retransmit 1 of request with message ID 0
Oct  2 22:10:48 daniel charon: 05[NET] sending packet: from 31.18.87.101[500] to 89.246.210.233[500]
Oct  2 22:10:50 daniel charon: 02[NET] received packet: from 89.246.210.233[500] to 31.18.87.101[500]
Oct  2 22:10:50 daniel charon: 02[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Oct  2 22:10:50 daniel charon: 02[IKE] received cert request for "C=DE, CN=daniel.dyndns.org"
Oct  2 22:10:50 daniel charon: 02[IKE] reinitiating already active tasks
Oct  2 22:10:50 daniel charon: 02[IKE]   IKE_CERT_PRE task
Oct  2 22:10:50 daniel charon: 02[IKE]   IKE_AUTH task
Oct  2 22:10:50 daniel charon: 02[IKE] sending cert request for "C=DE, CN=daniel.dyndns.org"
Oct  2 22:10:50 daniel charon: 02[IKE] authentication of 'C=DE, CN=daniel.dyndns.org' (myself) with RSA signature successful
Oct  2 22:10:50 daniel charon: 02[IKE] establishing CHILD_SA james
Oct  2 22:10:50 daniel charon: 02[IKE] establishing CHILD_SA james
Oct  2 22:10:50 daniel charon: 02[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Oct  2 22:10:50 daniel charon: 02[NET] sending packet: from 31.18.87.101[4500] to 89.246.210.233[4500]
Oct  2 22:10:50 daniel charon: 01[NET] received packet: from 89.246.210.233[4500] to 31.18.87.101[4500]
Oct  2 22:10:50 daniel charon: 01[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Oct  2 22:10:50 daniel charon: 01[IKE] received cert request for "C=DE, CN=daniel.dyndns.org"
Oct  2 22:10:50 daniel charon: 01[CFG] looking for peer configs matching 31.18.87.101[C=DE, CN=daniel.dyndns.org]...89.246.210.233[james.dyndns.org]
Oct  2 22:10:50 daniel charon: 01[CFG] selected peer config 'james'
Oct  2 22:10:50 daniel charon: 01[CFG]   using trusted certificate "C=DE, CN=james"
Oct  2 22:10:50 daniel charon: 01[IKE] authentication of 'james.dyndns.org' with RSA signature successful
Oct  2 22:10:50 daniel charon: 01[IKE] peer supports MOBIKE
Oct  2 22:10:50 daniel charon: 01[IKE] got additional MOBIKE peer address: 172.16.16.250
Oct  2 22:10:50 daniel charon: 01[IKE] authentication of 'C=DE, CN=daniel.dyndns.org' (myself) with RSA signature successful
Oct  2 22:10:50 daniel charon: 01[IKE] IKE_SA james[4] established between 31.18.87.101[C=DE, CN=daniel.dyndns.org]...89.246.210.233[james.dyndns.org]
Oct  2 22:10:50 daniel charon: 01[IKE] IKE_SA james[4] established between 31.18.87.101[C=DE, CN=daniel.dyndns.org]...89.246.210.233[james.dyndns.org]
Oct  2 22:10:50 daniel charon: 01[IKE] IKE_SA james[4] state change: CONNECTING => ESTABLISHED
Oct  2 22:10:50 daniel charon: 01[IKE] scheduling reauthentication in 10164s
Oct  2 22:10:50 daniel charon: 01[IKE] maximum IKE_SA lifetime 10704s
Oct  2 22:10:50 daniel charon: 01[IKE] activating new tasks
Oct  2 22:10:50 daniel charon: 01[IKE] nothing to initiate
Oct  2 22:10:50 daniel charon: 01[IKE] CHILD_SA james{4} established with SPIs c25d54e9_i c5dcc107_o and TS 192.168.2.0/24 === 172.16.16.0/24 
Oct  2 22:10:50 daniel charon: 01[IKE] CHILD_SA james{4} established with SPIs c25d54e9_i c5dcc107_o and TS 192.168.2.0/24 === 172.16.16.0/24 
Oct  2 22:10:50 daniel charon: 01[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Oct  2 22:10:50 daniel charon: 01[NET] sending packet: from 31.18.87.101[4500] to 89.246.210.233[4500]
Oct  2 22:10:51 daniel charon: 03[NET] received packet: from 89.246.210.233[4500] to 31.18.87.101[4500]
Oct  2 22:10:51 daniel charon: 03[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Oct  2 22:10:51 daniel charon: 03[CFG]   using trusted certificate "C=DE, CN=james"
Oct  2 22:10:51 daniel charon: 03[IKE] authentication of 'james.dyndns.org' with RSA signature successful
Oct  2 22:10:51 daniel charon: 03[IKE] IKE_SA james[3] established between 31.18.87.101[C=DE, CN=daniel.dyndns.org]...89.246.210.233[james.dyndns.org]
Oct  2 22:10:51 daniel charon: 03[IKE] IKE_SA james[3] established between 31.18.87.101[C=DE, CN=daniel.dyndns.org]...89.246.210.233[james.dyndns.org]
Oct  2 22:10:51 daniel charon: 03[IKE] IKE_SA james[3] state change: CONNECTING => ESTABLISHED
Oct  2 22:10:51 daniel charon: 03[IKE] scheduling reauthentication in 9742s
Oct  2 22:10:51 daniel charon: 03[IKE] maximum IKE_SA lifetime 10282s
Oct  2 22:10:51 daniel charon: 03[IKE] delaying task initiation, IKE_AUTH exchange in progress
Oct  2 22:10:51 daniel charon: 03[IKE] CHILD_SA james{3} established with SPIs cb39e522_i c20b0973_o and TS 192.168.2.0/24 === 172.16.16.0/24 
Oct  2 22:10:51 daniel charon: 03[IKE] CHILD_SA james{3} established with SPIs cb39e522_i c20b0973_o and TS 192.168.2.0/24 === 172.16.16.0/24 
Oct  2 22:10:51 daniel charon: 03[IKE] received AUTH_LIFETIME of 10086s, scheduling reauthentication in 9546s
Oct  2 22:10:51 daniel charon: 03[IKE] peer supports MOBIKE
Oct  2 22:10:51 daniel charon: 03[IKE] got additional MOBIKE peer address: 172.16.16.250
Oct  2 22:10:51 daniel charon: 03[IKE] activating new tasks
Oct  2 22:10:51 daniel charon: 03[IKE] nothing to initiate
Oct  2 22:11:20 daniel charon: 04[IKE] sending DPD request
Oct  2 22:11:20 daniel charon: 04[IKE] queueing IKE_DPD task
Oct  2 22:11:20 daniel charon: 04[IKE] activating new tasks
Oct  2 22:11:20 daniel charon: 04[IKE]   activating IKE_DPD task
Oct  2 22:11:20 daniel charon: 04[ENC] generating INFORMATIONAL request 0 [ ]
Oct  2 22:11:20 daniel charon: 04[NET] sending packet: from 31.18.87.101[4500] to 89.246.210.233[4500]
Oct  2 22:11:21 daniel charon: 05[NET] received packet: from 89.246.210.233[4500] to 31.18.87.101[4500]
Oct  2 22:11:21 daniel charon: 05[ENC] parsed INFORMATIONAL response 0 [ ]
Oct  2 22:11:21 daniel charon: 05[IKE] activating new tasks
Oct  2 22:11:21 daniel charon: 05[IKE] nothing to initiate
Oct  2 22:11:21 daniel charon: 01[IKE] activating new tasks
Oct  2 22:11:21 daniel charon: 01[IKE] nothing to initiate
Oct  2 22:11:50 daniel charon: 05[IKE] activating new tasks
Oct  2 22:11:50 daniel charon: 05[IKE] nothing to initiate
Oct  2 22:11:51 daniel charon: 01[NET] received packet: from 89.246.210.233[4500] to 31.18.87.101[4500]
Oct  2 22:11:51 daniel charon: 01[ENC] parsed INFORMATIONAL request 2 [ ]
Oct  2 22:11:51 daniel charon: 01[ENC] generating INFORMATIONAL response 2 [ ]
Oct  2 22:11:51 daniel charon: 01[NET] sending packet: from 31.18.87.101[4500] to 89.246.210.233[4500]
Oct  2 22:11:51 daniel charon: 03[IKE] activating new tasks
Oct  2 22:11:51 daniel charon: 03[IKE] nothing to initiate
Oct  2 22:11:51 daniel charon: 02[IKE] activating new tasks
Oct  2 22:11:51 daniel charon: 02[IKE] nothing to initiate
-------------- next part --------------
# ipsec.conf - strongSwan IPsec configuration file

config setup
        charondebug="ike 2"

conn %default
        keyingtries=%forever

conn james
        leftcert=danielCert.pem
        leftsendcert=never
        leftsubnet=192.168.2.0/24
        leftfirewall=yes
        lefthostaccess=yes
        right=%james.dyndns.org
        rightcert=jamesCert.pem
        rightid=@james.dyndns.org
        rightsubnet=172.16.16.0/24
        auto=start
        dpdaction=restart
-------------- next part --------------
# strongswan.conf - strongSwan configuration file

charon {

	# number of worker threads in charon
	threads = 16

	# retry DNS lookups every N seconds (0 means off)
	retry_initiate_interval = 30

	# send strongswan vendor ID?
	# send_vendor_id = yes

	plugins {

		sql {
			# loglevel to log into sql database
			loglevel = -1

			# URI to the database
			# database = sqlite:///path/to/file.db
			# database = mysql://user:password@localhost/database
		}
	}

	# ...
}

pluto {

}

libstrongswan {

	#  set to no, the DH exponent size is optimized
	#  dh_exponent_ansi_x9_42 = no
}
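
Added example (not part of the original post and not strongSwan code): a Python check that scans charon log output like the excerpt above and reports every moment at which a second IKE_SA for the same identity pair becomes ESTABLISHED, the duplicate situation the post asks about. The function name is hypothetical, the handling of charon's DELETING and DESTROYING states as the end of an SA is an assumption of this example, and the sample lines are copied from the daniel log above.

```python
import re
from collections import defaultdict

# Lines copied from the daniel log in this post (not constructed).
SAMPLE_LOG = """\
Oct  2 22:10:50 daniel charon: 01[IKE] IKE_SA james[4] established between 31.18.87.101[C=DE, CN=daniel.dyndns.org]...89.246.210.233[james.dyndns.org]
Oct  2 22:10:50 daniel charon: 01[IKE] IKE_SA james[4] established between 31.18.87.101[C=DE, CN=daniel.dyndns.org]...89.246.210.233[james.dyndns.org]
Oct  2 22:10:50 daniel charon: 01[IKE] IKE_SA james[4] state change: CONNECTING => ESTABLISHED
Oct  2 22:10:51 daniel charon: 03[IKE] IKE_SA james[3] established between 31.18.87.101[C=DE, CN=daniel.dyndns.org]...89.246.210.233[james.dyndns.org]
Oct  2 22:10:51 daniel charon: 03[IKE] IKE_SA james[3] established between 31.18.87.101[C=DE, CN=daniel.dyndns.org]...89.246.210.233[james.dyndns.org]
Oct  2 22:10:51 daniel charon: 03[IKE] IKE_SA james[3] state change: CONNECTING => ESTABLISHED
"""

ESTAB = re.compile(r"IKE_SA \S+\[(\d+)\] established between "
                   r"[^\[\s]+\[(.+?)\]\.\.\.[^\[\s]+\[(.+)\]$")
STATE = re.compile(r"IKE_SA \S+\[(\d+)\] state change: \w+ => (\w+)$")
GONE = {"DELETING", "DESTROYING"}  # assumption: these states end an IKE_SA

def find_duplicate_ike_sas(log_text):
    """Return (timestamp, (local_id, remote_id), [sa ids]) for every moment
    at which a second IKE_SA for the same identity pair becomes ESTABLISHED."""
    peers = {}                 # unique SA id -> (local_id, remote_id)
    active = defaultdict(set)  # identity pair -> SA ids currently ESTABLISHED
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        m = ESTAB.search(line)
        if m:
            # the log above shows this line twice; keying by SA id absorbs it
            peers[int(m.group(1))] = (m.group(2), m.group(3))
            continue
        m = STATE.search(line)
        if not m:
            continue
        sa_id, new_state = int(m.group(1)), m.group(2)
        pair = peers.get(sa_id)
        if pair is None:
            continue  # state change for an SA whose identities are not known yet
        if new_state == "ESTABLISHED":
            active[pair].add(sa_id)
            if len(active[pair]) > 1:
                findings.append((line[:15], pair, sorted(active[pair])))
        elif new_state in GONE:
            active[pair].discard(sa_id)
    return findings

if __name__ == "__main__":
    for when, pair, ids in find_duplicate_ike_sas(SAMPLE_LOG):
        print(f"{when}: {len(ids)} IKE_SAs {ids} established for {pair[0]} <-> {pair[1]}")
```

Run against the full syslog of each gateway, the same function shows whether the overlap is only transient or persists until the next reauthentication.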

