[strongSwan] log IKE SPIs after rekeying

Joern Mewes joern.mewes at gmx.net
Mon Jun 9 21:37:25 CEST 2014

Hi all,

I am trying to decrypt the IKEv2 messages exchanged between strongSwan
5.0.4 and a 3rd party VPN device for troubleshooting purposes. To get
the needed SPIs and keys I enabled log level 4 for IKE by running
"ipsec stroke loglevel ike 4" before bringing up the tunnel.

After starting the tunnel I am able to get all needed keys and SPIs to
decode the IKE packets. However, after IKE rekeying (without reauth)
charon logs just "Sk_ei", "Sk_er", "Sk_ai" and "Sk_ar". For some reason
I could not find the new SPIs I need to insert into Wireshark. Is there
any special log or configuration option I need to enable to get these
SPIs logged as well?

Best regards,

