[strongSwan] [strongSwan-dev] config w/ multiple ios devices on a network...
Andrew Foss
afoss at actmobile.com
Fri Apr 24 21:02:44 CEST 2015
Miroslav,
Thank you, that did it! Wow, did I log some hours trying different
combinations, but I didn't get that one. You also helped by suggesting
I turn off enc logging; now my logs are more helpful. Before, they always
ended in "dropped rate-limiting", so they really weren't telling me much.
Interestingly, both the connected devices now have the same virtual IP
10.254.0.1/32, but both seem to be working fine and the 2 devices never
need to talk directly to one another, so maybe all the devices can
use/assign the same IP address for the client's tunnel? Is that a common
way to run?
andrew
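
Added example, not part of the original message and not strongSwan code: a small parser for charon log lines like the ones quoted below. It reports which peer identities were hit by the uniqueness policy and which virtual IPs were handed to each identity, next to the distinct certificates that completed an IKE_SA. The function names (`unwrap`, `analyze`, `shared_identities`) and every value in `SAMPLE` are constructed for illustration; only the message formats come from the quoted log.

```python
import re
from collections import defaultdict

# Constructed sample, shaped like the mail-wrapped, ">"-quoted charon lines in
# this thread. Identities, DNs and addresses (documentation ranges) are made up.
SAMPLE = """\
> *** first device connects ***
> Apr 24 17:21:32 accel charon: 03[IKE] IKE_SA ios[3] established
> between 192.0.2.10[CN=gw.example]...198.51.100.7[C=US, O=example,
> CN=device-A]
> Apr 24 17:21:32 accel charon: 08[IKE] assigning virtual IP
> 10.254.0.1 to peer 'shared-user'
>
> *** second device connects ***
> Apr 24 17:21:43 accel charon: 10[IKE] IKE_SA ios[4] established
> between 192.0.2.10[CN=gw.example]...203.0.113.9[C=US, O=example,
> CN=device-B]
> Apr 24 17:21:43 accel charon: 10[IKE] deleting duplicate IKE_SA for
> peer 'shared-user' due to uniqueness policy
> Apr 24 17:21:44 accel charon: 10[IKE] assigning virtual IP
> 10.254.0.1 to peer 'shared-user'
> Apr 24 17:22:10 accel charon: 12[IKE] assigning virtual IP
> 10.254.0.2 to peer 'other-user'
"""

QUOTE = re.compile(r"^(?:>\s?)+")                      # mail reply prefix
STAMP = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} ")
ASSIGN = re.compile(r"assigning virtual IP (\S+) to peer '([^']*)'")
DUP = re.compile(
    r"deleting duplicate IKE_SA for peer '([^']*)' due to uniqueness policy")
ESTABLISHED = re.compile(
    r"IKE_SA \S+\[\d+\] established between .*?\.\.\.([0-9A-Fa-f.:]+)\[(.+)\]\s*$")


def unwrap(text):
    """Strip mail quoting and rejoin records that the mail client wrapped."""
    records = []
    for raw in text.splitlines():
        line = QUOTE.sub("", raw).strip()
        if not line or line.startswith("*"):   # blank lines, "*** ... ***" notes
            continue
        if STAMP.match(line) or not records:
            records.append(line)               # a new syslog record starts here
        else:
            records[-1] += " " + line          # continuation of the previous one
    return records


def analyze(text):
    """Summarise virtual IP assignments and uniqueness-policy deletions."""
    ips = defaultdict(list)      # identity -> virtual IPs, in log order
    deleted = defaultdict(int)   # identity -> "deleting duplicate IKE_SA" count
    peers = set()                # (remote address, certificate DN) per IKE_SA
    for rec in unwrap(text):
        m = ASSIGN.search(rec)
        if m:
            ips[m.group(2)].append(m.group(1))
        m = DUP.search(rec)
        if m:
            deleted[m.group(1)] += 1
        m = ESTABLISHED.search(rec)
        if m:
            peers.add((m.group(1), m.group(2)))
    identities = [
        {
            "identity": ident,
            "assignments": len(ips.get(ident, [])),
            "virtual_ips": sorted(set(ips.get(ident, []))),
            "uniqueness_deletes": deleted.get(ident, 0),
        }
        for ident in sorted(set(ips) | set(deleted))
    ]
    return {"identities": identities, "peers": sorted(peers)}


def shared_identities(report):
    """Identities for which an existing IKE_SA was deleted as a duplicate."""
    return [i["identity"] for i in report["identities"]
            if i["uniqueness_deletes"]]


if __name__ == "__main__":
    report = analyze(SAMPLE)
    print("distinct peer certificates:", len(report["peers"]))
    for entry in report["identities"]:
        print(entry)
    print("review:", shared_identities(report))
```

A uniqueness delete can also come from one device reconnecting while its old IKE_SA is still up, so compare the flagged identities against the number of distinct certificates before concluding that a login is shared.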
On 4/24/15 11:36 AM, Miroslav Svoboda wrote:
> This is the problem:
> Apr 24 17:21:43 accel charon: 10[IKE] deleting duplicate IKE_SA for
> peer 'actmobile' due to uniqueness policy
>
> Look for config option "uniqueids" here:
> https://wiki.strongswan.org/projects/strongswan/wiki/ConfigSetupSection
>
> M.
>
> Miroslav Svoboda | +420 608 224 486
>
> On 24 April 2015 at 19:23, Andrew Foss <afoss at actmobile.com> wrote:
>
> Is this better?
>
> *** first device connects*****
>
> Apr 24 17:21:31 accel charon: 06[NET] received packet: from
> 166.170.42.208[36359] to 10.199.65.236[500]
> Apr 24 17:21:31 accel charon: 06[NET] waiting for data on sockets
> Apr 24 17:21:31 accel charon: 13[NET] received packet: from
> 166.170.42.208[36359] to 10.199.65.236[500] (668 bytes)
> Apr 24 17:21:31 accel charon: 13[CFG] looking for an ike config
> for 10.199.65.236...166.170.42.208
> Apr 24 17:21:31 accel charon: 13[CFG] candidate: %any...%any,
> prio 28
> Apr 24 17:21:31 accel charon: 13[CFG] found matching ike config:
> %any...%any with prio 28
> Apr 24 17:21:31 accel charon: 13[IKE] received NAT-T (RFC 3947)
> vendor ID
> Apr 24 17:21:31 accel charon: 13[IKE] received
> draft-ietf-ipsec-nat-t-ike vendor ID
> Apr 24 17:21:31 accel charon: 13[IKE] received
> draft-ietf-ipsec-nat-t-ike-08 vendor ID
> Apr 24 17:21:31 accel charon: 13[IKE] received
> draft-ietf-ipsec-nat-t-ike-07 vendor ID
> Apr 24 17:21:31 accel charon: 13[IKE] received
> draft-ietf-ipsec-nat-t-ike-06 vendor ID
> Apr 24 17:21:31 accel charon: 13[IKE] received
> draft-ietf-ipsec-nat-t-ike-05 vendor ID
> Apr 24 17:21:31 accel charon: 13[IKE] received
> draft-ietf-ipsec-nat-t-ike-04 vendor ID
> Apr 24 17:21:31 accel charon: 13[IKE] received
> draft-ietf-ipsec-nat-t-ike-03 vendor ID
> Apr 24 17:21:31 accel charon: 13[IKE] received
> draft-ietf-ipsec-nat-t-ike-02 vendor ID
> Apr 24 17:21:31 accel charon: 13[IKE] received
> draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> Apr 24 17:21:31 accel charon: 13[IKE] received XAuth vendor ID
> Apr 24 17:21:31 accel charon: 13[IKE] received Cisco Unity vendor ID
> Apr 24 17:21:31 accel charon: 13[IKE] received FRAGMENTATION vendor ID
> Apr 24 17:21:31 accel charon: 13[IKE] received DPD vendor ID
> Apr 24 17:21:31 accel charon: 13[IKE] 166.170.42.208 is initiating
> a Main Mode IKE_SA
> Apr 24 17:21:31 accel charon: 13[IKE] IKE_SA (unnamed)[3] state
> change: CREATED => CONNECTING
> Apr 24 17:21:31 accel charon: 13[CFG] selecting proposal:
> Apr 24 17:21:31 accel charon: 13[CFG] no acceptable
> ENCRYPTION_ALGORITHM found
> Apr 24 17:21:31 accel charon: 13[CFG] selecting proposal:
> Apr 24 17:21:31 accel charon: 13[CFG] no acceptable
> ENCRYPTION_ALGORITHM found
> Apr 24 17:21:31 accel charon: 13[CFG] selecting proposal:
> Apr 24 17:21:31 accel charon: 13[CFG] no acceptable
> DIFFIE_HELLMAN_GROUP found
> Apr 24 17:21:31 accel charon: 13[CFG] selecting proposal:
> Apr 24 17:21:31 accel charon: 13[CFG] no acceptable
> ENCRYPTION_ALGORITHM found
> Apr 24 17:21:31 accel charon: 13[CFG] selecting proposal:
> Apr 24 17:21:31 accel charon: 13[CFG] no acceptable
> ENCRYPTION_ALGORITHM found
> Apr 24 17:21:31 accel charon: 13[CFG] selecting proposal:
> Apr 24 17:21:31 accel charon: 13[CFG] no acceptable
> PSEUDO_RANDOM_FUNCTION found
> Apr 24 17:21:31 accel charon: 13[CFG] selecting proposal:
> Apr 24 17:21:31 accel charon: 13[CFG] no acceptable
> ENCRYPTION_ALGORITHM found
> Apr 24 17:21:31 accel charon: 13[CFG] selecting proposal:
> Apr 24 17:21:31 accel charon: 13[CFG] no acceptable
> ENCRYPTION_ALGORITHM found
> Apr 24 17:21:31 accel charon: 13[CFG] selecting proposal:
> Apr 24 17:21:31 accel charon: 13[CFG] no acceptable
> ENCRYPTION_ALGORITHM found
> Apr 24 17:21:31 accel charon: 13[CFG] selecting proposal:
> Apr 24 17:21:31 accel charon: 13[CFG] no acceptable
> ENCRYPTION_ALGORITHM found
> Apr 24 17:21:31 accel charon: 13[CFG] selecting proposal:
> Apr 24 17:21:31 accel charon: 13[CFG] no acceptable
> ENCRYPTION_ALGORITHM found
> Apr 24 17:21:31 accel charon: 13[CFG] selecting proposal:
> Apr 24 17:21:31 accel charon: 13[CFG] no acceptable
> ENCRYPTION_ALGORITHM found
> Apr 24 17:21:31 accel charon: 13[CFG] selecting proposal:
> Apr 24 17:21:31 accel charon: 13[CFG] no acceptable
> ENCRYPTION_ALGORITHM found
> Apr 24 17:21:31 accel charon: 13[CFG] selecting proposal:
> Apr 24 17:21:31 accel charon: 13[CFG] no acceptable
> ENCRYPTION_ALGORITHM found
> Apr 24 17:21:31 accel charon: 13[CFG] selecting proposal:
> Apr 24 17:21:31 accel charon: 13[CFG] no acceptable
> ENCRYPTION_ALGORITHM found
> Apr 24 17:21:31 accel charon: 13[CFG] selecting proposal:
> Apr 24 17:21:31 accel charon: 13[CFG] no acceptable
> ENCRYPTION_ALGORITHM found
> Apr 24 17:21:31 accel charon: 13[CFG] selecting proposal:
> Apr 24 17:21:31 accel charon: 13[CFG] no acceptable
> DIFFIE_HELLMAN_GROUP found
> Apr 24 17:21:31 accel charon: 13[CFG] selecting proposal:
> Apr 24 17:21:31 accel charon: 13[CFG] no acceptable
> PSEUDO_RANDOM_FUNCTION found
> Apr 24 17:21:31 accel charon: 13[CFG] selecting proposal:
> Apr 24 17:21:31 accel charon: 13[CFG] no acceptable
> ENCRYPTION_ALGORITHM found
> Apr 24 17:21:31 accel charon: 13[CFG] selecting proposal:
> Apr 24 17:21:31 accel charon: 13[CFG] no acceptable
> ENCRYPTION_ALGORITHM found
> Apr 24 17:21:31 accel charon: 13[CFG] selecting proposal:
> Apr 24 17:21:31 accel charon: 13[CFG] proposal matches
> Apr 24 17:21:31 accel charon: 13[CFG] received proposals:
> IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536,
> IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
> IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
> IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536,
> IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024,
> IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024,
> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
> IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024,
> IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
> IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
> Apr 24 17:21:31 accel charon: 13[CFG] configured proposals:
> IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536,
> IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/HMAC_MD5_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160
> Apr 24 17:21:31 accel charon: 13[CFG] selected proposal:
> IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
> Apr 24 17:21:31 accel charon: 13[IKE] sending XAuth vendor ID
> Apr 24 17:21:31 accel charon: 13[IKE] sending DPD vendor ID
> Apr 24 17:21:31 accel charon: 13[IKE] sending FRAGMENTATION vendor ID
> Apr 24 17:21:31 accel charon: 13[IKE] sending NAT-T (RFC 3947)
> vendor ID
> Apr 24 17:21:31 accel charon: 13[NET] sending packet: from
> 10.199.65.236[500] to 166.170.42.208[36359] (160 bytes)
> Apr 24 17:21:31 accel charon: 07[NET] sending packet: from
> 10.199.65.236[500] to 166.170.42.208[36359]
> Apr 24 17:21:31 accel charon: 06[NET] received packet: from
> 166.170.42.208[36359] to 10.199.65.236[500]
> Apr 24 17:21:31 accel charon: 06[NET] waiting for data on sockets
> Apr 24 17:21:31 accel charon: 14[NET] received packet: from
> 166.170.42.208[36359] to 10.199.65.236[500] (292 bytes)
> Apr 24 17:21:31 accel charon: 14[LIB] size of DH secret exponent:
> 1535 bits
> Apr 24 17:21:31 accel charon: 14[IKE] local host is behind NAT,
> sending keep alives
> Apr 24 17:21:31 accel charon: 14[IKE] remote host is behind NAT
> Apr 24 17:21:31 accel charon: 14[IKE] sending cert request for
> "C=US, ST=California, L=New York, O=Internet Widgits Pty Ltd,
> OU=ActMobile, CN=ipsec.corp.actmobile.com, E=support at actmobile.com"
> Apr 24 17:21:31 charon: last message repeated 2 times
> Apr 24 17:21:31 accel charon: 14[NET] sending packet: from
> 10.199.65.236[500] to 166.170.42.208[36359] (548 bytes)
> Apr 24 17:21:31 accel charon: 14[NET] sending packet: from
> 10.199.65.236[500] to 166.170.42.208[36359] (399 bytes)
> Apr 24 17:21:31 accel charon: 07[NET] sending packet: from
> 10.199.65.236[500] to 166.170.42.208[36359]
> Apr 24 17:21:31 accel charon: 07[NET] sending packet: from
> 10.199.65.236[500] to 166.170.42.208[36359]
> Apr 24 17:21:31 accel charon: 06[NET] received packet: from
> 166.170.42.208[64139] to 10.199.65.236[4500]
> Apr 24 17:21:31 accel charon: 06[NET] waiting for data on sockets
> Apr 24 17:21:31 accel charon: 06[NET] received packet: from
> 166.170.42.208[64139] to 10.199.65.236[4500]
> Apr 24 17:21:31 accel charon: 06[NET] waiting for data on sockets
> Apr 24 17:21:31 accel charon: 15[NET] received packet: from
> 166.170.42.208[64139] to 10.199.65.236[4500] (1280 bytes)
> Apr 24 17:21:31 accel charon: 15[NET] received packet: from
> 166.170.42.208[64139] to 10.199.65.236[4500] (164 bytes)
> Apr 24 17:21:31 accel charon: 15[NET] received packet: from
> 166.170.42.208[64139] to 10.199.65.236[4500] (1372 bytes)
> Apr 24 17:21:31 accel charon: 15[IKE] ignoring certificate request
> without data
> Apr 24 17:21:31 accel charon: 15[IKE] received end entity cert
> "C=US, O=strongSwan, CN=IDE-B1DA-3355-4C89-BA98-A580BD513292"
> Apr 24 17:21:31 accel charon: 15[CFG] looking for XAuthInitRSA
> peer configs matching 10.199.65.236...166.170.42.208[C=US,
> O=strongSwan, CN=IDE-B1DA-3355-4C89-BA98-A580BD513292]
> Apr 24 17:21:31 accel charon: 15[CFG] candidate "ios", match:
> 1/1/28 (me/other/ike)
> Apr 24 17:21:31 accel charon: 15[CFG] selected peer config "ios"
> Apr 24 17:21:31 accel charon: 15[CFG] using certificate "C=US,
> O=strongSwan, CN=IDE-B1DA-3355-4C89-BA98-A580BD513292"
> Apr 24 17:21:31 accel charon: 15[CFG] certificate "C=US,
> O=strongSwan, CN=IDE-B1DA-3355-4C89-BA98-A580BD513292" key: 2048
> bit RSA
> Apr 24 17:21:31 accel charon: 15[CFG] using trusted ca
> certificate "C=US, ST=California, L=New York, O=Internet Widgits
> Pty Ltd, OU=ActMobile, CN=ipsec.corp.actmobile.com,
> E=support at actmobile.com"
> Apr 24 17:21:31 accel charon: 15[CFG] checking certificate status
> of "C=US, O=strongSwan, CN=IDE-B1DA-3355-4C89-BA98-A580BD513292"
> Apr 24 17:21:31 accel charon: 15[CFG] ocsp check skipped, no ocsp
> found
> Apr 24 17:21:31 accel charon: 15[CFG] certificate status is not
> available
> Apr 24 17:21:31 accel charon: 15[CFG] certificate "C=US,
> ST=California, L=New York, O=Internet Widgits Pty Ltd,
> OU=ActMobile, CN=ipsec.corp.actmobile.com, E=support at actmobile.com"
> key: 2048 bit RSA
> Apr 24 17:21:31 accel charon: 15[CFG] reached self-signed root
> ca with a path length of 0
> Apr 24 17:21:31 accel charon: 15[IKE] authentication of 'C=US,
> O=strongSwan, CN=IDE-B1DA-3355-4C89-BA98-A580BD513292' with RSA
> successful
> Apr 24 17:21:31 accel charon: 15[IKE] authentication of 'C=US,
> ST=California, L=New York, O=Internet Widgits Pty Ltd,
> OU=ActMobile, CN=ipsec.corp.actmobile.com, E=support at actmobile.com'
> (myself) successful
> Apr 24 17:21:31 accel charon: 15[IKE] queueing XAUTH task
> Apr 24 17:21:31 accel charon: 15[IKE] sending end entity cert
> "C=US, ST=California, L=New York, O=Internet Widgits Pty Ltd,
> OU=ActMobile, CN=ipsec.corp.actmobile.com, E=support at actmobile.com"
> Apr 24 17:21:31 accel charon: 15[NET] sending packet: from
> 10.199.65.236[4500] to 166.170.42.208[64139] (544 bytes)
> Apr 24 17:21:31 accel charon: 07[NET] sending packet: from
> 10.199.65.236[4500] to 166.170.42.208[64139]
> Apr 24 17:21:31 accel charon: 15[NET] sending packet: from
> 10.199.65.236[4500] to 166.170.42.208[64139] (544 bytes)
> Apr 24 17:21:31 accel charon: 07[NET] sending packet: from
> 10.199.65.236[4500] to 166.170.42.208[64139]
> Apr 24 17:21:31 accel charon: 15[NET] sending packet: from
> 10.199.65.236[4500] to 166.170.42.208[64139] (544 bytes)
> Apr 24 17:21:31 accel charon: 07[NET] sending packet: from
> 10.199.65.236[4500] to 166.170.42.208[64139]
> Apr 24 17:21:31 accel charon: 15[NET] sending packet: from
> 10.199.65.236[4500] to 166.170.42.208[64139] (92 bytes)
> Apr 24 17:21:31 accel charon: 07[NET] sending packet: from
> 10.199.65.236[4500] to 166.170.42.208[64139]
> Apr 24 17:21:31 accel charon: 15[IKE] activating new tasks
> Apr 24 17:21:31 accel charon: 15[IKE] activating XAUTH task
> Apr 24 17:21:31 accel charon: 15[NET] sending packet: from
> 10.199.65.236[4500] to 166.170.42.208[64139] (76 bytes)
> Apr 24 17:21:31 accel rsyslogd-2177: imuxsock begins to drop
> messages from pid 14031 due to rate-limiting
> Apr 24 17:21:32 accel rsyslogd-2177: imuxsock lost 12 messages
> from pid 14031 due to rate-limiting
> Apr 24 17:21:32 accel charon: 06[NET] received packet: from
> 166.170.42.208[64139] to 10.199.65.236[4500]
> Apr 24 17:21:32 accel charon: 06[NET] waiting for data on sockets
> Apr 24 17:21:32 accel charon: 06[NET] received packet: from
> 166.170.42.208[64139] to 10.199.65.236[4500]
> Apr 24 17:21:32 accel charon: 06[NET] waiting for data on sockets
> Apr 24 17:21:32 accel charon: 03[NET] received packet: from
> 166.170.42.208[64139] to 10.199.65.236[4500] (76 bytes)
> Apr 24 17:21:32 accel charon: 03[IKE] IKE_SA ios[3] established
> between 10.199.65.236[C=US, ST=California, L=New York, O=Internet
> Widgits Pty Ltd, OU=ActMobile, CN=ipsec.corp.actmobile.com,
> E=support at actmobile.com]...166.170.42.208[C=US,
> O=strongSwan, CN=IDE-B1DA-3355-4C89-BA98-A580BD513292]
> Apr 24 17:21:32 accel charon: 03[IKE] IKE_SA ios[3] state change:
> CONNECTING => ESTABLISHED
> Apr 24 17:21:32 accel charon: 03[IKE] activating new tasks
> Apr 24 17:21:32 accel charon: 03[IKE] nothing to initiate
> Apr 24 17:21:32 accel charon: 08[NET] received packet: from
> 166.170.42.208[64139] to 10.199.65.236[4500] (172 bytes)
> Apr 24 17:21:32 accel charon: 08[IKE] processing
> INTERNAL_IP4_ADDRESS attribute
> Apr 24 17:21:32 accel charon: 08[IKE] processing
> INTERNAL_IP4_NETMASK attribute
> Apr 24 17:21:32 accel charon: 08[IKE] processing INTERNAL_IP4_DNS
> attribute
> Apr 24 17:21:32 accel charon: 08[IKE] processing INTERNAL_IP4_NBNS
> attribute
> Apr 24 17:21:32 accel charon: 08[IKE] processing
> INTERNAL_ADDRESS_EXPIRY attribute
> Apr 24 17:21:32 accel charon: 08[IKE] processing
> APPLICATION_VERSION attribute
> Apr 24 17:21:32 accel charon: 08[IKE] processing UNITY_BANNER
> attribute
> Apr 24 17:21:32 accel charon: 08[IKE] processing UNITY_DEF_DOMAIN
> attribute
> Apr 24 17:21:32 accel charon: 08[IKE] processing
> UNITY_SPLITDNS_NAME attribute
> Apr 24 17:21:32 accel charon: 08[IKE] processing
> UNITY_SPLIT_INCLUDE attribute
> Apr 24 17:21:32 accel charon: 08[IKE] processing UNITY_LOCAL_LAN
> attribute
> Apr 24 17:21:32 accel charon: 08[IKE] processing UNITY_PFS attribute
> Apr 24 17:21:32 accel charon: 08[IKE] processing UNITY_SAVE_PASSWD
> attribute
> Apr 24 17:21:32 accel charon: 08[IKE] processing UNITY_FW_TYPE
> attribute
> Apr 24 17:21:32 accel charon: 08[IKE] processing
> UNITY_BACKUP_SERVERS attribute
> Apr 24 17:21:32 accel charon: 08[IKE] processing (28683) attribute
> Apr 24 17:21:32 accel charon: 08[IKE] peer requested virtual IP %any
> Apr 24 17:21:32 accel charon: 08[CFG] reassigning offline lease to
> 'actmobile'
> Apr 24 17:21:32 accel charon: 08[IKE] assigning virtual IP
> 10.254.0.1 to peer 'actmobile'
> Apr 24 17:21:32 accel charon: 08[NET] sending packet: from
> 10.199.65.236[4500] to 166.170.42.208[64139] (92 bytes)
> Apr 24 17:21:32 accel charon: 07[NET] sending packet: from
> 10.199.65.236[4500] to 166.170.42.208[64139]
> Apr 24 17:21:32 accel charon: 06[NET] received packet: from
> 166.170.42.208[64139] to 10.199.65.236[4500]
> Apr 24 17:21:32 accel charon: 06[NET] waiting for data on sockets
> Apr 24 17:21:32 accel charon: 10[NET] received packet: from
> 166.170.42.208[64139] to 10.199.65.236[4500] (300 bytes)
> Apr 24 17:21:32 accel charon: 10[CFG] looking for a child config
> for 0.0.0.0/0 === 10.254.0.1/32
> Apr 24 17:21:32 accel charon: 10[CFG] proposing traffic selectors
> for us:
> Apr 24 17:21:32 accel charon: 10[CFG] 0.0.0.0/0
> Apr 24 17:21:32 accel charon: 10[CFG] proposing traffic selectors
> for other:
> Apr 24 17:21:32 accel charon: 10[CFG] 10.254.0.1/32
> Apr 24 17:21:32 accel charon: 10[CFG] candidate "ios" with prio 5+5
> Apr 24 17:21:32 accel charon: 10[CFG] found matching child config
> "ios" with prio 10
> Apr 24 17:21:32 accel charon: 10[CFG] selecting traffic selectors
> for other:
> Apr 24 17:21:32 accel charon: 10[CFG] config: 10.254.0.1/32,
> received: 10.254.0.1/32 => match: 10.254.0.1/32
> Apr 24 17:21:32 accel charon: 10[CFG] selecting traffic selectors
> for us:
> Apr 24 17:21:32 accel charon: 10[CFG] config: 0.0.0.0/0,
> received: 0.0.0.0/0 => match: 0.0.0.0/0
> Apr 24 17:21:32 accel charon: 10[IKE] expected IPComp proposal but
> peer did not send one, IPComp disabled
> Apr 24 17:21:32 accel charon: 10[CFG] selecting proposal:
> Apr 24 17:21:32 accel charon: 10[CFG] no acceptable
> ENCRYPTION_ALGORITHM found
> Apr 24 17:21:32 accel charon: 10[CFG] selecting proposal:
> Apr 24 17:21:32 accel charon: 10[CFG] no acceptable
> ENCRYPTION_ALGORITHM found
> Apr 24 17:21:32 accel charon: 10[CFG] selecting proposal:
> Apr 24 17:21:32 accel charon: 10[CFG] proposal matches
> Apr 24 17:21:32 accel charon: 10[CFG] received proposals:
> ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ,
> ESP:AES_CBC_256/HMAC_MD5_96/NO_EXT_SEQ,
> ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ,
> ESP:AES_CBC_128/HMAC_MD5_96/NO_EXT_SEQ,
> ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ,
> ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ
> Apr 24 17:21:32 accel charon: 10[CFG] configured proposals:
> ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ,
> ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ,
> ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
> Apr 24 17:21:32 accel charon: 10[CFG] selected proposal:
> ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
> Apr 24 17:21:32 accel charon: 10[IKE] received 3600s lifetime,
> configured 0s
> Apr 24 17:21:32 accel charon: 10[KNL] got SPI cdc2e52a
> Apr 24 17:21:32 accel charon: 10[NET] sending packet: from
> 10.199.65.236[4500] to 166.170.42.208[64139] (172 bytes)
> Apr 24 17:21:32 accel charon: 07[NET] sending packet: from
> 10.199.65.236[4500] to 166.170.42.208[64139]
> Apr 24 17:21:32 accel charon: 06[NET] received packet: from
> 166.170.42.208[64139] to 10.199.65.236[4500]
> Apr 24 17:21:32 accel charon: 06[NET] waiting for data on sockets
> Apr 24 17:21:32 accel charon: 11[NET] received packet: from
> 166.170.42.208[64139] to 10.199.65.236[4500] (60 bytes)
> Apr 24 17:21:32 accel charon: 11[CHD] using AES_CBC for encryption
> Apr 24 17:21:32 accel charon: 11[CHD] using HMAC_SHA1_96 for
> integrity
> Apr 24 17:21:32 accel charon: 11[CHD] adding inbound ESP SA
> Apr 24 17:21:32 accel charon: 11[CHD] SPI 0xcdc2e52a, src
> 166.170.42.208 dst 10.199.65.236
> Apr 24 17:21:32 accel charon: 11[KNL] adding SAD entry with SPI
> cdc2e52a and reqid {2} (mark 0/0x00000000)
> Apr 24 17:21:32 accel charon: 11[KNL] using encryption algorithm
> AES_CBC with key size 128
> Apr 24 17:21:32 accel charon: 11[KNL] using integrity algorithm
> HMAC_SHA1_96 with key size 160
> Apr 24 17:21:32 accel charon: 11[KNL] using replay window of 32
> packets
> Apr 24 17:21:32 accel charon: 11[CHD] adding outbound ESP SA
> Apr 24 17:21:32 accel charon: 11[CHD] SPI 0x0d6bbaab, src
> 10.199.65.236 dst 166.170.42.208
> Apr 24 17:21:32 accel charon: 11[KNL] adding SAD entry with SPI
> 0d6bbaab and reqid {2} (mark 0/0x00000000)
> Apr 24 17:21:32 accel charon: 11[KNL] using encryption algorithm
> AES_CBC with key size 128
> Apr 24 17:21:32 accel charon: 11[KNL] using integrity algorithm
> HMAC_SHA1_96 with key size 160
> Apr 24 17:21:32 accel charon: 11[KNL] using replay window of 32
> packets
> Apr 24 17:21:32 accel charon: 11[KNL] adding policy 0.0.0.0/0
> === 10.254.0.1/32 out (mark 0/0x00000000)
> Apr 24 17:21:32 accel charon: 11[KNL] adding policy 10.254.0.1/32
> === 0.0.0.0/0 in (mark 0/0x00000000)
> Apr 24 17:21:32 accel charon: 11[KNL] adding policy 10.254.0.1/32
> === 0.0.0.0/0 fwd (mark 0/0x00000000)
> Apr 24 17:21:32 accel charon: 11[KNL] getting a local address in
> traffic selector 0.0.0.0/0
> Apr 24 17:21:32 accel charon: 11[KNL] using host %any
> Apr 24 17:21:32 accel charon: 11[KNL] using 10.199.65.193 as
> nexthop to reach 166.170.42.208/32
> Apr 24 17:21:32 accel charon: 11[KNL] 10.199.65.236 is on
> interface eth0
> Apr 24 17:21:32 accel charon: 11[KNL] installing route:
> 10.254.0.1/32 via 10.199.65.193 src %any dev eth0
> Apr 24 17:21:32 accel charon: 11[KNL] getting iface index for eth0
> Apr 24 17:21:32 accel charon: 11[KNL] policy 0.0.0.0/0
> === 10.254.0.1/32 out (mark 0/0x00000000) already exists,
> increasing refcount
> Apr 24 17:21:32 accel charon: 11[KNL] updating policy 0.0.0.0/0
> === 10.254.0.1/32 out (mark 0/0x00000000)
> Apr 24 17:21:32 accel charon: 11[KNL] policy 10.254.0.1/32
> === 0.0.0.0/0 in (mark 0/0x00000000) already exists,
> increasing refcount
> Apr 24 17:21:32 accel charon: 11[KNL] updating policy
> 10.254.0.1/32 === 0.0.0.0/0 in (mark 0/0x00000000)
> Apr 24 17:21:32 accel charon: 11[KNL] policy 10.254.0.1/32
> === 0.0.0.0/0 fwd (mark 0/0x00000000) already exists,
> increasing refcount
> Apr 24 17:21:32 accel charon: 11[KNL] updating policy
> 10.254.0.1/32 === 0.0.0.0/0 fwd (mark 0/0x00000000)
> Apr 24 17:21:32 accel charon: 11[KNL] getting a local address in
> traffic selector 0.0.0.0/0
> Apr 24 17:21:32 accel charon: 11[KNL] using host %any
> Apr 24 17:21:32 accel charon: 11[KNL] using 10.199.65.193 as
> nexthop to reach 166.170.42.208/32
> Apr 24 17:21:32 accel charon: 11[KNL] 10.199.65.236 is on
> interface eth0
> Apr 24 17:21:32 accel charon: 11[IKE] CHILD_SA ios{2} established
> with SPIs cdc2e52a_i 0d6bbaab_o and TS 0.0.0.0/0
> === 10.254.0.1/32
> Apr 24 17:21:32 accel charon: 11[KNL] 10.199.65.236 is on
> interface eth0
> Apr 24 17:21:32 accel charon: 11[KNL] querying SAD entry with SPI
> cdc2e52a (mark 0/0x00000000)
> Apr 24 17:21:32 accel charon: 11[KNL] querying SAD entry with SPI
> 0d6bbaab (mark 0/0x00000000)
>
>
>
>
>
>
> ***** second device connects *******
>
> Apr 24 17:21:42 accel charon: 06[NET] received packet: from
> 50.197.174.157[500] to 10.199.65.236[500]
> Apr 24 17:21:42 accel charon: 06[NET] waiting for data on sockets
> Apr 24 17:21:42 accel charon: 15[NET] received packet: from
> 50.197.174.157[500] to 10.199.65.236[500] (668 bytes)
> Apr 24 17:21:42 accel charon: 15[CFG] looking for an ike config
> for 10.199.65.236...50.197.174.157
> Apr 24 17:21:42 accel charon: 15[CFG] candidate: %any...%any,
> prio 28
> Apr 24 17:21:42 accel charon: 15[CFG] found matching ike config:
> %any...%any with prio 28
> Apr 24 17:21:42 accel charon: 15[IKE] received NAT-T (RFC 3947)
> vendor ID
> Apr 24 17:21:42 accel charon: 15[IKE] received
> draft-ietf-ipsec-nat-t-ike vendor ID
> Apr 24 17:21:42 accel charon: 15[IKE] received
> draft-ietf-ipsec-nat-t-ike-08 vendor ID
> Apr 24 17:21:42 accel charon: 15[IKE] received
> draft-ietf-ipsec-nat-t-ike-07 vendor ID
> Apr 24 17:21:42 accel charon: 15[IKE] received
> draft-ietf-ipsec-nat-t-ike-06 vendor ID
> Apr 24 17:21:42 accel charon: 15[IKE] received
> draft-ietf-ipsec-nat-t-ike-05 vendor ID
> Apr 24 17:21:42 accel charon: 15[IKE] received
> draft-ietf-ipsec-nat-t-ike-04 vendor ID
> Apr 24 17:21:42 accel charon: 15[IKE] received
> draft-ietf-ipsec-nat-t-ike-03 vendor ID
> Apr 24 17:21:42 accel charon: 15[IKE] received
> draft-ietf-ipsec-nat-t-ike-02 vendor ID
> Apr 24 17:21:42 accel charon: 15[IKE] received
> draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> Apr 24 17:21:42 accel charon: 15[IKE] received XAuth vendor ID
> Apr 24 17:21:42 accel charon: 15[IKE] received Cisco Unity vendor ID
> Apr 24 17:21:42 accel charon: 15[IKE] received FRAGMENTATION vendor ID
> Apr 24 17:21:42 accel charon: 15[IKE] received DPD vendor ID
> Apr 24 17:21:42 accel charon: 15[IKE] 50.197.174.157 is initiating
> a Main Mode IKE_SA
> Apr 24 17:21:42 accel charon: 15[IKE] IKE_SA (unnamed)[4] state
> change: CREATED => CONNECTING
> Apr 24 17:21:42 accel charon: 15[CFG] selecting proposal:
> Apr 24 17:21:42 accel charon: 15[CFG] no acceptable
> ENCRYPTION_ALGORITHM found
> Apr 24 17:21:42 accel charon: 15[CFG] selecting proposal:
> Apr 24 17:21:42 accel charon: 15[CFG] no acceptable
> ENCRYPTION_ALGORITHM found
> Apr 24 17:21:42 accel charon: 15[CFG] selecting proposal:
> Apr 24 17:21:42 accel charon: 15[CFG] no acceptable
> DIFFIE_HELLMAN_GROUP found
> Apr 24 17:21:42 accel charon: 15[CFG] selecting proposal:
> Apr 24 17:21:42 accel charon: 15[CFG] no acceptable
> ENCRYPTION_ALGORITHM found
> Apr 24 17:21:42 accel charon: 15[CFG] selecting proposal:
> Apr 24 17:21:42 accel charon: 15[CFG] no acceptable
> ENCRYPTION_ALGORITHM found
> Apr 24 17:21:42 accel charon: 15[CFG] selecting proposal:
> Apr 24 17:21:42 accel charon: 15[CFG] no acceptable
> PSEUDO_RANDOM_FUNCTION found
> Apr 24 17:21:42 accel charon: 15[CFG] selecting proposal:
> Apr 24 17:21:42 accel charon: 15[CFG] no acceptable
> ENCRYPTION_ALGORITHM found
> Apr 24 17:21:42 accel charon: 15[CFG] selecting proposal:
> Apr 24 17:21:42 accel charon: 15[CFG] no acceptable
> ENCRYPTION_ALGORITHM found
> Apr 24 17:21:42 accel charon: 15[CFG] selecting proposal:
> Apr 24 17:21:42 accel charon: 15[CFG] no acceptable
> ENCRYPTION_ALGORITHM found
> Apr 24 17:21:42 accel charon: 15[CFG] selecting proposal:
> Apr 24 17:21:42 accel charon: 15[CFG] no acceptable
> ENCRYPTION_ALGORITHM found
> Apr 24 17:21:42 accel charon: 15[CFG] selecting proposal:
> Apr 24 17:21:42 accel charon: 15[CFG] no acceptable
> ENCRYPTION_ALGORITHM found
> Apr 24 17:21:42 accel charon: 15[CFG] selecting proposal:
> Apr 24 17:21:42 accel charon: 15[CFG] no acceptable
> ENCRYPTION_ALGORITHM found
> Apr 24 17:21:42 accel charon: 15[CFG] selecting proposal:
> Apr 24 17:21:42 accel charon: 15[CFG] no acceptable
> ENCRYPTION_ALGORITHM found
> Apr 24 17:21:42 accel charon: 15[CFG] selecting proposal:
> Apr 24 17:21:42 accel charon: 15[CFG] no acceptable
> ENCRYPTION_ALGORITHM found
> Apr 24 17:21:42 accel charon: 15[CFG] selecting proposal:
> Apr 24 17:21:42 accel charon: 15[CFG] no acceptable
> ENCRYPTION_ALGORITHM found
> Apr 24 17:21:42 accel charon: 15[CFG] selecting proposal:
> Apr 24 17:21:42 accel charon: 15[CFG] no acceptable
> ENCRYPTION_ALGORITHM found
> Apr 24 17:21:42 accel charon: 15[CFG] selecting proposal:
> Apr 24 17:21:42 accel charon: 15[CFG] no acceptable
> DIFFIE_HELLMAN_GROUP found
> Apr 24 17:21:42 accel charon: 15[CFG] selecting proposal:
> Apr 24 17:21:42 accel charon: 15[CFG] no acceptable
> PSEUDO_RANDOM_FUNCTION found
> Apr 24 17:21:42 accel charon: 15[CFG] selecting proposal:
> Apr 24 17:21:42 accel charon: 15[CFG] no acceptable
> ENCRYPTION_ALGORITHM found
> Apr 24 17:21:42 accel charon: 15[CFG] selecting proposal:
> Apr 24 17:21:42 accel charon: 15[CFG] no acceptable
> ENCRYPTION_ALGORITHM found
> Apr 24 17:21:42 accel charon: 15[CFG] selecting proposal:
> Apr 24 17:21:42 accel charon: 15[CFG] proposal matches
> Apr 24 17:21:42 accel charon: 15[CFG] received proposals:
> IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536,
> IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
> IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
> IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536,
> IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024,
> IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024,
> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
> IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024,
> IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
> IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
> Apr 24 17:21:42 accel charon: 15[CFG] configured proposals:
> IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536,
> IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/HMAC_MD5_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160
> Apr 24 17:21:42 accel charon: 15[CFG] selected proposal:
> IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
> Apr 24 17:21:42 accel charon: 15[IKE] sending XAuth vendor ID
> Apr 24 17:21:42 accel charon: 15[IKE] sending DPD vendor ID
> Apr 24 17:21:42 accel charon: 15[IKE] sending FRAGMENTATION vendor ID
> Apr 24 17:21:42 accel charon: 15[IKE] sending NAT-T (RFC 3947)
> vendor ID
> Apr 24 17:21:42 accel charon: 15[NET] sending packet: from
> 10.199.65.236[500] to 50.197.174.157[500] (160 bytes)
> Apr 24 17:21:42 accel charon: 07[NET] sending packet: from
> 10.199.65.236[500] to 50.197.174.157[500]
> Apr 24 17:21:43 accel charon: 06[NET] received packet: from
> 50.197.174.157[500] to 10.199.65.236[500]
> Apr 24 17:21:43 accel charon: 06[NET] waiting for data on sockets
> Apr 24 17:21:43 accel charon: 09[NET] received packet: from
> 50.197.174.157[500] to 10.199.65.236[500] (292 bytes)
> Apr 24 17:21:43 accel charon: 09[LIB] size of DH secret exponent:
> 1532 bits
> Apr 24 17:21:43 accel charon: 09[IKE] local host is behind NAT,
> sending keep alives
> Apr 24 17:21:43 accel charon: 09[IKE] remote host is behind NAT
> Apr 24 17:21:43 accel charon: 09[IKE] sending cert request for
> "C=US, ST=California, L=New York, O=Internet Widgits Pty Ltd,
> OU=ActMobile, CN=ipsec.corp.actmobile.com, E=support at actmobile.com"
> Apr 24 17:21:43 charon: last message repeated 2 times
> Apr 24 17:21:43 accel charon: 09[NET] sending packet: from
> 10.199.65.236[500] to 50.197.174.157[500] (548 bytes)
> Apr 24 17:21:43 accel charon: 07[NET] sending packet: from
> 10.199.65.236[500] to 50.197.174.157[500]
> Apr 24 17:21:43 accel charon: 09[NET] sending packet: from
> 10.199.65.236[500] to 50.197.174.157[500] (399 bytes)
> Apr 24 17:21:43 accel charon: 07[NET] sending packet: from
> 10.199.65.236[500] to 50.197.174.157[500]
> Apr 24 17:21:43 accel charon: 06[NET] received packet: from
> 50.197.174.157[4500] to 10.199.65.236[4500]
> Apr 24 17:21:43 accel charon: 06[NET] waiting for data on sockets
> Apr 24 17:21:43 accel charon: 03[NET] received packet: from
> 50.197.174.157[4500] to 10.199.65.236[4500] (1280 bytes)
> Apr 24 17:21:43 accel charon: 06[NET] received packet: from
> 50.197.174.157[4500] to 10.199.65.236[4500]
> Apr 24 17:21:43 accel charon: 06[NET] waiting for data on sockets
> Apr 24 17:21:43 accel charon: 16[NET] received packet: from
> 50.197.174.157[4500] to 10.199.65.236[4500] (164 bytes)
> Apr 24 17:21:43 accel charon: 16[NET] received packet: from
> 50.197.174.157[4500] to 10.199.65.236[4500] (1372 bytes)
> Apr 24 17:21:43 accel charon: 16[IKE] ignoring certificate request
> without data
> Apr 24 17:21:43 accel charon: 16[IKE] received end entity cert
> "C=US, O=strongSwan, CN=IDE-4B53-E547-4C2A-A2B7-78D2BA436307"
> Apr 24 17:21:43 accel charon: 16[CFG] looking for XAuthInitRSA
> peer configs matching 10.199.65.236...50.197.174.157[C=US,
> O=strongSwan, CN=IDE-4B53-E547-4C2A-A2B7-78D2BA436307]
> Apr 24 17:21:43 accel charon: 16[CFG] candidate "ios", match:
> 1/1/28 (me/other/ike)
> Apr 24 17:21:43 accel charon: 16[CFG] selected peer config "ios"
> Apr 24 17:21:43 accel charon: 16[CFG] using certificate "C=US,
> O=strongSwan, CN=IDE-4B53-E547-4C2A-A2B7-78D2BA436307"
> Apr 24 17:21:43 accel charon: 16[CFG] certificate "C=US,
> O=strongSwan, CN=IDE-4B53-E547-4C2A-A2B7-78D2BA436307" key: 2048
> bit RSA
> Apr 24 17:21:43 accel charon: 16[LIB] signature verification:
> Apr 24 17:21:43 accel charon: 16[CFG] using trusted ca
> certificate "C=US, ST=California, L=New York, O=Internet Widgits
> Pty Ltd, OU=ActMobile, CN=ipsec.corp.actmobile.com,
> E=support at actmobile.com"
> Apr 24 17:21:43 accel charon: 16[CFG] checking certificate status
> of "C=US, O=strongSwan, CN=IDE-4B53-E547-4C2A-A2B7-78D2BA436307"
> Apr 24 17:21:43 accel charon: 16[CFG] ocsp check skipped, no ocsp
> found
> Apr 24 17:21:43 accel charon: 16[CFG] certificate status is not
> available
> Apr 24 17:21:43 accel charon: 16[CFG] certificate "C=US,
> ST=California, L=New York, O=Internet Widgits Pty Ltd,
> OU=ActMobile, CN=ipsec.corp.actmobile.com, E=support at actmobile.com"
> key: 2048 bit RSA
> Apr 24 17:21:43 accel charon: 16[CFG] reached self-signed root
> ca with a path length of 0
> Apr 24 17:21:43 accel charon: 16[IKE] authentication of 'C=US,
> O=strongSwan, CN=IDE-4B53-E547-4C2A-A2B7-78D2BA436307' with RSA
> successful
> Apr 24 17:21:43 accel charon: 16[IKE] authentication of 'C=US,
> ST=California, L=New York, O=Internet Widgits Pty Ltd,
> OU=ActMobile, CN=ipsec.corp.actmobile.com, E=support at actmobile.com'
> (myself) successful
> Apr 24 17:21:43 accel charon: 16[IKE] queueing XAUTH task
> Apr 24 17:21:43 accel charon: 16[IKE] sending end entity cert
> "C=US, ST=California, L=New York, O=Internet Widgits Pty Ltd,
> OU=ActMobile, CN=ipsec.corp.actmobile.com, E=support at actmobile.com"
> Apr 24 17:21:43 accel charon: 16[NET] sending packet: from
> 10.199.65.236[4500] to 50.197.174.157[4500] (544 bytes)
> Apr 24 17:21:43 accel charon: 07[NET] sending packet: from
> 10.199.65.236[4500] to 50.197.174.157[4500]
> Apr 24 17:21:43 accel charon: 16[NET] sending packet: from
> 10.199.65.236[4500] to 50.197.174.157[4500] (544 bytes)
> Apr 24 17:21:43 accel charon: 07[NET] sending packet: from
> 10.199.65.236[4500] to 50.197.174.157[4500]
> Apr 24 17:21:43 accel charon: 16[NET] sending packet: from
> 10.199.65.236[4500] to 50.197.174.157[4500] (544 bytes)
> Apr 24 17:21:43 accel charon: 07[NET] sending packet: from
> 10.199.65.236[4500] to 50.197.174.157[4500]
> Apr 24 17:21:43 accel charon: 16[NET] sending packet: from
> 10.199.65.236[4500] to 50.197.174.157[4500] (92 bytes)
> Apr 24 17:21:43 accel charon: 07[NET] sending packet: from
> 10.199.65.236[4500] to 50.197.174.157[4500]
> Apr 24 17:21:43 accel charon: 16[IKE] activating new tasks
> Apr 24 17:21:43 accel charon: 16[IKE] activating XAUTH task
> Apr 24 17:21:43 accel charon: 16[NET] sending packet: from
> 10.199.65.236[4500] to 50.197.174.157[4500] (76 bytes)
> Apr 24 17:21:43 accel charon: 07[NET] sending packet: from
> 10.199.65.236[4500] to 50.197.174.157[4500]
> Apr 24 17:21:43 accel charon: 06[NET] received packet: from
> 50.197.174.157[4500] to 10.199.65.236[4500]
> Apr 24 17:21:43 accel charon: 06[NET] waiting for data on sockets
> Apr 24 17:21:43 accel charon: 10[NET] received packet: from
> 50.197.174.157[4500] to 10.199.65.236[4500] (92 bytes)
> Apr 24 17:21:43 accel charon: 10[IKE] XAuth authentication of
> 'actmobile' successful
> Apr 24 17:21:43 accel charon: 10[IKE] deleting duplicate IKE_SA
> for peer 'actmobile' due to uniqueness policy
> Apr 24 17:21:43 accel charon: 10[IKE] queueing QUICK_DELETE task
> Apr 24 17:21:43 accel charon: 10[IKE] queueing ISAKMP_DELETE task
> Apr 24 17:21:43 accel charon: 10[IKE] activating new tasks
> Apr 24 17:21:43 accel charon: 10[IKE] activating QUICK_DELETE task
> Apr 24 17:21:43 accel charon: 10[KNL] querying SAD entry with SPI
> cdc2e52a (mark 0/0x00000000)
> Apr 24 17:21:43 accel charon: 10[KNL] querying SAD entry with SPI
> 0d6bbaab (mark 0/0x00000000)
> Apr 24 17:21:43 accel charon: 10[IKE] closing CHILD_SA ios{2} with
> SPIs cdc2e52a_i (1438 bytes) 0d6bbaab_o (4780 bytes) and TS
> 0.0.0.0/0 === 10.254.0.1/32
> Apr 24 17:21:43 accel charon: 10[KNL] querying SAD entry with SPI
> cdc2e52a (mark 0/0x00000000)
> Apr 24 17:21:43 accel charon: 10[KNL] querying SAD entry with SPI
> 0d6bbaab (mark 0/0x00000000)
> Apr 24 17:21:43 accel charon: 10[KNL] deleting policy 0.0.0.0/0
> === 10.254.0.1/32 out (mark 0/0x00000000)
> Apr 24 17:21:43 accel charon: 10[KNL] policy still used by another
> CHILD_SA, not removed
> Apr 24 17:21:43 accel charon: 10[KNL] updating policy 0.0.0.0/0
> === 10.254.0.1/32 out (mark 0/0x00000000)
> Apr 24 17:21:43 accel charon: 10[KNL] deleting policy
> 10.254.0.1/32 === 0.0.0.0/0 in (mark 0/0x00000000)
> Apr 24 17:21:43 accel charon: 10[KNL] policy still used by another
> CHILD_SA, not removed
> Apr 24 17:21:43 accel charon: 10[KNL] updating policy
> 10.254.0.1/32 === 0.0.0.0/0 in (mark 0/0x00000000)
> Apr 24 17:21:43 accel charon: 10[KNL] deleting policy
> 10.254.0.1/32 === 0.0.0.0/0 fwd (mark 0/0x00000000)
> Apr 24 17:21:43 accel charon: 10[KNL] policy still used by another
> CHILD_SA, not removed
> Apr 24 17:21:43 accel charon: 10[KNL] updating policy
> 10.254.0.1/32 === 0.0.0.0/0 fwd (mark 0/0x00000000)
> Apr 24 17:21:43 accel charon: 10[KNL] getting a local address in
> traffic selector 0.0.0.0/0
> Apr 24 17:21:43 accel charon: 10[KNL] using host %any
> Apr 24 17:21:43 accel charon: 10[KNL] using 10.199.65.193 as
> nexthop to reach 166.170.42.208/32
> Apr 24 17:21:43 accel charon: 10[KNL] 10.199.65.236 is on
> interface eth0
> Apr 24 17:21:43 accel charon: 10[KNL] deleting policy 0.0.0.0/0
> === 10.254.0.1/32 out (mark 0/0x00000000)
> Apr 24 17:21:43 accel charon: 10[KNL] deleting policy
> 10.254.0.1/32 === 0.0.0.0/0 in (mark 0/0x00000000)
> Apr 24 17:21:43 accel charon: 10[KNL] deleting policy
> 10.254.0.1/32 === 0.0.0.0/0 fwd (mark 0/0x00000000)
> Apr 24 17:21:43 accel charon: 10[KNL] getting iface index for eth0
> Apr 24 17:21:43 accel charon: 10[KNL] deleting SAD entry with SPI
> cdc2e52a (mark 0/0x00000000)
> Apr 24 17:21:43 accel charon: 10[KNL] deleted SAD entry with SPI
> cdc2e52a (mark 0/0x00000000)
> Apr 24 17:21:43 accel charon: 10[KNL] deleting SAD entry with SPI
> 0d6bbaab (mark 0/0x00000000)
> Apr 24 17:21:43 accel charon: 10[KNL] deleted SAD entry with SPI
> 0d6bbaab (mark 0/0x00000000)
> Apr 24 17:21:43 accel charon: 10[IKE] sending DELETE for ESP
> CHILD_SA with SPI cdc2e52a
> Apr 24 17:21:43 accel rsyslogd-2177: imuxsock begins to drop
> messages from pid 14031 due to rate-limiting
>
> On 4/24/15 10:04 AM, Miroslav Svoboda wrote:
>> This log does not show the information I am looking for.
>> Please move the old logfile away.
>> Please set all loglevels to 2 except "enc". You can do it in file
>> /etc/strongswan/strongswan.d/charon-logging
>> Then start strongswan, connect both phones and send me the whole
>> file.
>>
>> Section filelog of the aforementioned config file should look
>> like below:
>>
>> filelog {
>>
>>     # <filename> is the full path to the log file.
>>     /var/log/strongswan.log {
>>
>>         # Loglevel for a specific subsystem.
>>         # <subsystem> = <default>
>>         enc = 1
>>         job = 1
>>         cfg = 2
>>         ike = 2
>>         mgr = 2
>>         knl = 2
>>         chd = 2
>>
>>         # If this option is enabled log entries are appended to the
>>         # existing file.
>>         append = yes
>>
>>         # Default loglevel.
>>         default = 1
>>
>>         # Enabling this option disables block buffering and enables
>>         # line buffering.
>>         flush_line = yes
>>
>>         # Prefix each log entry with the connection name and a unique
>>         # numerical identifier for each IKE_SA.
>>         ike_name = yes
>>
>>         # Prefix each log entry with a timestamp. The option accepts a
>>         # format string as passed to strftime(3).
>>         time_format = %F %T
>>
>>     }
>> }
>>
>> Miroslav Svoboda | +420 608 224 486
>>
>> On 24 April 2015 at 18:38, Andrew Foss <afoss at actmobile.com> wrote:
>>
>> Miroslav,
>>
>> Here's the log output, I've added an annotation where the
>> second device connected;
>>
>> Both devices get the address 10.254.0.1/32
>>
>> It seems as if my range 10.254.0.0/16 is being sent to the client
>> and letting the client pick an address from the range and the
>> clients always pick the same 10.254.0.1, is that how the range works?
>>
>> ****first device connects********
>> Apr 24 16:31:47 accel charon: 15[ENC] insert decrypted
>> payload of type DELETE_V1 at end of list
>> Apr 24 16:31:47 accel charon: 15[ENC] verifying message structure
>> Apr 24 16:31:47 accel charon: 15[ENC] found payload of type
>> DELETE_V1
>> Apr 24 16:31:47 accel charon: 15[ENC] parsed INFORMATIONAL_V1
>> request 35463176 [ HASH D ]
>> Apr 24 16:31:47 accel charon: 15[IKE] received DELETE for
>> IKE_SA ios[6]
>> Apr 24 16:31:47 accel charon: 15[IKE] deleting IKE_SA ios[6]
>> between 10.199.65.236[C=US, ST=California, L=New York,
>> O=Internet Widgits Pty Ltd, OU=ActMobile,
>> CN=ipsec.corp.actmobile.com, E=support at actmobile.com]...166.170.42.208[C=US,
>> O=strongSwan, CN=IDE-B1DA-3355-4C89-BA98-A580BD513292]
>> Apr 24 16:31:47 accel charon: 15[IKE] IKE_SA ios[6] state
>> change: ESTABLISHED => DELETING
>> Apr 24 16:31:47 accel charon: 15[IKE] IKE_SA ios[6] state
>> change: DELETING => DELETING
>> Apr 24 16:31:47 accel charon: 15[IKE] IKE_SA ios[6] state
>> change: DELETING => DESTROYING
>> Apr 24 16:31:47 accel charon: 15[CFG] lease 10.254.0.1 by
>> 'actmobile' went offline
>> Apr 24 16:33:42 accel charon: 03[NET] received packet: from
>> 166.170.42.208[36359] to 10.199.65.236[500]
>> Apr 24 16:33:42 accel charon: 03[ENC] parsing header of message
>> Apr 24 16:33:42 accel charon: 03[ENC] parsing HEADER payload,
>> 668 bytes left
>> Apr 24 16:33:42 accel charon: 03[ENC] parsing rule 0 IKE_SPI
>> Apr 24 16:33:42 accel charon: 03[ENC] parsing rule 1 IKE_SPI
>> Apr 24 16:33:42 accel charon: 03[ENC] parsing rule 2 U_INT_8
>> Apr 24 16:33:42 accel charon: 03[ENC] parsing rule 3 U_INT_4
>> Apr 24 16:33:42 accel charon: 03[ENC] parsing rule 4 U_INT_4
>> Apr 24 16:33:42 accel charon: 03[ENC] parsing rule 5 U_INT_8
>> Apr 24 16:33:42 accel charon: 03[ENC] parsing rule 6
>> RESERVED_BIT
>> Apr 24 16:33:42 accel charon: 03[ENC] parsing rule 7
>> RESERVED_BIT
>> Apr 24 16:33:42 accel charon: 03[ENC] parsing rule 8 FLAG
>> Apr 24 16:33:42 accel charon: 03[ENC] parsing rule 9 FLAG
>> Apr 24 16:33:42 accel charon: 03[ENC] parsing rule 10 FLAG
>> Apr 24 16:33:42 accel charon: 03[ENC] parsing rule 11 FLAG
>> Apr 24 16:33:42 accel charon: 03[ENC] parsing rule 12 FLAG
>> Apr 24 16:33:42 accel charon: 03[ENC] parsing rule 13 FLAG
>> Apr 24 16:33:42 accel charon: 03[ENC] parsing rule 14 U_INT_32
>> Apr 24 16:33:42 accel charon: 03[ENC] parsing rule 15
>> HEADER_LENGTH
>> Apr 24 16:33:42 accel charon: 03[ENC] parsing HEADER payload
>> finished
>> Apr 24 16:33:42 accel charon: 03[ENC] parsed a ID_PROT
>> message header
>> Apr 24 16:33:42 accel charon: 03[NET] waiting for data on sockets
>> Apr 24 16:33:42 accel charon: 09[NET] received packet: from
>> 166.170.42.208[36359] to 10.199.65.236[500] (668 bytes)
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing body of
>> message, first payload is SECURITY_ASSOCIATION_V1
>> Apr 24 16:33:42 accel charon: 09[ENC] starting parsing a
>> SECURITY_ASSOCIATION_V1 payload
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing
>> SECURITY_ASSOCIATION_V1 payload, 640 bytes left
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 0 U_INT_8
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 1
>> RESERVED_BIT
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 2
>> RESERVED_BIT
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 3
>> RESERVED_BIT
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 4
>> RESERVED_BIT
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 5
>> RESERVED_BIT
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 6
>> RESERVED_BIT
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 7
>> RESERVED_BIT
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 8
>> RESERVED_BIT
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 9
>> PAYLOAD_LENGTH
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 10 U_INT_32
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 11 U_INT_32
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 12 (1258)
>> Apr 24 16:33:42 accel charon: 09[ENC] 352 bytes left,
>> parsing recursively PROPOSAL_SUBSTRUCTURE_V1
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing
>> PROPOSAL_SUBSTRUCTURE_V1 payload, 628 bytes left
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 0 U_INT_8
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 1
>> RESERVED_BYTE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 2
>> PAYLOAD_LENGTH
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 3 U_INT_8
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 4 U_INT_8
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 5 SPI_SIZE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 6 U_INT_8
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 7 SPI
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 8 (1260)
>> Apr 24 16:33:42 accel charon: 09[ENC] 344 bytes left,
>> parsing recursively TRANSFORM_SUBSTRUCTURE_V1
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing
>> TRANSFORM_SUBSTRUCTURE_V1 payload, 620 bytes left
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 0 U_INT_8
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 1
>> RESERVED_BYTE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 2
>> PAYLOAD_LENGTH
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 3 U_INT_8
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 4 U_INT_8
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 5
>> RESERVED_BYTE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 6
>> RESERVED_BYTE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 7 (1262)
>> Apr 24 16:33:42 accel charon: 09[ENC] 28 bytes left,
>> parsing recursively TRANSFORM_ATTRIBUTE_V1
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing
>> TRANSFORM_ATTRIBUTE_V1 payload, 612 bytes left
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 0
>> ATTRIBUTE_FORMAT
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 1
>> ATTRIBUTE_TYPE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 2
>> ATTRIBUTE_LENGTH_OR_VALUE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 3
>> ATTRIBUTE_VALUE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing
>> TRANSFORM_ATTRIBUTE_V1 payload finished
>> Apr 24 16:33:42 accel charon: 09[ENC] 24 bytes left,
>> parsing recursively TRANSFORM_ATTRIBUTE_V1
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing
>> TRANSFORM_ATTRIBUTE_V1 payload, 608 bytes left
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 0
>> ATTRIBUTE_FORMAT
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 1
>> ATTRIBUTE_TYPE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 2
>> ATTRIBUTE_LENGTH_OR_VALUE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 3
>> ATTRIBUTE_VALUE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing
>> TRANSFORM_ATTRIBUTE_V1 payload finished
>> Apr 24 16:33:42 accel charon: 09[ENC] 20 bytes left,
>> parsing recursively TRANSFORM_ATTRIBUTE_V1
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing
>> TRANSFORM_ATTRIBUTE_V1 payload, 604 bytes left
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 0
>> ATTRIBUTE_FORMAT
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 1
>> ATTRIBUTE_TYPE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 2
>> ATTRIBUTE_LENGTH_OR_VALUE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 3
>> ATTRIBUTE_VALUE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing
>> TRANSFORM_ATTRIBUTE_V1 payload finished
>> Apr 24 16:33:42 accel charon: 09[ENC] 16 bytes left,
>> parsing recursively TRANSFORM_ATTRIBUTE_V1
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing
>> TRANSFORM_ATTRIBUTE_V1 payload, 600 bytes left
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 0
>> ATTRIBUTE_FORMAT
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 1
>> ATTRIBUTE_TYPE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 2
>> ATTRIBUTE_LENGTH_OR_VALUE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 3
>> ATTRIBUTE_VALUE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing
>> TRANSFORM_ATTRIBUTE_V1 payload finished
>> Apr 24 16:33:42 accel charon: 09[ENC] 12 bytes left,
>> parsing recursively TRANSFORM_ATTRIBUTE_V1
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing
>> TRANSFORM_ATTRIBUTE_V1 payload, 596 bytes left
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 0
>> ATTRIBUTE_FORMAT
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 1
>> ATTRIBUTE_TYPE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 2
>> ATTRIBUTE_LENGTH_OR_VALUE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 3
>> ATTRIBUTE_VALUE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing
>> TRANSFORM_ATTRIBUTE_V1 payload finished
>> Apr 24 16:33:42 accel charon: 09[ENC] 8 bytes left, parsing
>> recursively TRANSFORM_ATTRIBUTE_V1
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing
>> TRANSFORM_ATTRIBUTE_V1 payload, 592 bytes left
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 0
>> ATTRIBUTE_FORMAT
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 1
>> ATTRIBUTE_TYPE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 2
>> ATTRIBUTE_LENGTH_OR_VALUE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 3
>> ATTRIBUTE_VALUE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing
>> TRANSFORM_ATTRIBUTE_V1 payload finished
>> Apr 24 16:33:42 accel charon: 09[ENC] 4 bytes left, parsing
>> recursively TRANSFORM_ATTRIBUTE_V1
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing
>> TRANSFORM_ATTRIBUTE_V1 payload, 588 bytes left
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 0
>> ATTRIBUTE_FORMAT
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 1
>> ATTRIBUTE_TYPE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 2
>> ATTRIBUTE_LENGTH_OR_VALUE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 3
>> ATTRIBUTE_VALUE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing
>> TRANSFORM_ATTRIBUTE_V1 payload finished
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing
>> TRANSFORM_SUBSTRUCTURE_V1 payload finished
>> Apr 24 16:33:42 accel charon: 09[ENC] 308 bytes left,
>> parsing recursively TRANSFORM_SUBSTRUCTURE_V1
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing
>> TRANSFORM_SUBSTRUCTURE_V1 payload, 584 bytes left
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 0 U_INT_8
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 1
>> RESERVED_BYTE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 2
>> PAYLOAD_LENGTH
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 3 U_INT_8
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 4 U_INT_8
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 5
>> RESERVED_BYTE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 6
>> RESERVED_BYTE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 7 (1262)
>> Apr 24 16:33:42 accel charon: 09[ENC] 28 bytes left,
>> parsing recursively TRANSFORM_ATTRIBUTE_V1
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing
>> TRANSFORM_ATTRIBUTE_V1 payload, 576 bytes left
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 0
>> ATTRIBUTE_FORMAT
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 1
>> ATTRIBUTE_TYPE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 2
>> ATTRIBUTE_LENGTH_OR_VALUE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 3
>> ATTRIBUTE_VALUE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing
>> TRANSFORM_ATTRIBUTE_V1 payload finished
>> Apr 24 16:33:42 accel charon: 09[ENC] 24 bytes left,
>> parsing recursively TRANSFORM_ATTRIBUTE_V1
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing
>> TRANSFORM_ATTRIBUTE_V1 payload, 572 bytes left
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 0
>> ATTRIBUTE_FORMAT
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 1
>> ATTRIBUTE_TYPE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 2
>> ATTRIBUTE_LENGTH_OR_VALUE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 3
>> ATTRIBUTE_VALUE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing
>> TRANSFORM_ATTRIBUTE_V1 payload finished
>> Apr 24 16:33:42 accel charon: 09[ENC] 20 bytes left,
>> parsing recursively TRANSFORM_ATTRIBUTE_V1
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing
>> TRANSFORM_ATTRIBUTE_V1 payload, 568 bytes left
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 0
>> ATTRIBUTE_FORMAT
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 1
>> ATTRIBUTE_TYPE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 2
>> ATTRIBUTE_LENGTH_OR_VALUE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 3
>> ATTRIBUTE_VALUE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing
>> TRANSFORM_ATTRIBUTE_V1 payload finished
>> Apr 24 16:33:42 accel charon: 09[ENC] 16 bytes left,
>> parsing recursively TRANSFORM_ATTRIBUTE_V1
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing
>> TRANSFORM_ATTRIBUTE_V1 payload, 564 bytes left
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 0
>> ATTRIBUTE_FORMAT
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 1
>> ATTRIBUTE_TYPE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 2
>> ATTRIBUTE_LENGTH_OR_VALUE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 3
>> ATTRIBUTE_VALUE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing
>> TRANSFORM_ATTRIBUTE_V1 payload finished
>> Apr 24 16:33:42 accel charon: 09[ENC] 12 bytes left,
>> parsing recursively TRANSFORM_ATTRIBUTE_V1
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing
>> TRANSFORM_ATTRIBUTE_V1 payload, 560 bytes left
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 0
>> ATTRIBUTE_FORMAT
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 1
>> ATTRIBUTE_TYPE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 2
>> ATTRIBUTE_LENGTH_OR_VALUE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 3
>> ATTRIBUTE_VALUE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing
>> TRANSFORM_ATTRIBUTE_V1 payload finished
>> Apr 24 16:33:42 accel charon: 09[ENC] 8 bytes left, parsing
>> recursively TRANSFORM_ATTRIBUTE_V1
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing
>> TRANSFORM_ATTRIBUTE_V1 payload, 556 bytes left
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 0
>> ATTRIBUTE_FORMAT
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 1
>> ATTRIBUTE_TYPE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 2
>> ATTRIBUTE_LENGTH_OR_VALUE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 3
>> ATTRIBUTE_VALUE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing
>> TRANSFORM_ATTRIBUTE_V1 payload finished
>> Apr 24 16:33:42 accel charon: 09[ENC] 4 bytes left, parsing
>> recursively TRANSFORM_ATTRIBUTE_V1
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing
>> TRANSFORM_ATTRIBUTE_V1 payload, 552 bytes left
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 0
>> ATTRIBUTE_FORMAT
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 1
>> ATTRIBUTE_TYPE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 2
>> ATTRIBUTE_LENGTH_OR_VALUE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 3
>> ATTRIBUTE_VALUE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing
>> TRANSFORM_ATTRIBUTE_V1 payload finished
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing
>> TRANSFORM_SUBSTRUCTURE_V1 payload finished
>> Apr 24 16:33:42 accel charon: 09[ENC] 272 bytes left,
>> parsing recursively TRANSFORM_SUBSTRUCTURE_V1
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing
>> TRANSFORM_SUBSTRUCTURE_V1 payload, 548 bytes left
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 0 U_INT_8
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 1
>> RESERVED_BYTE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 2
>> PAYLOAD_LENGTH
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 3 U_INT_8
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 4 U_INT_8
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 5
>> RESERVED_BYTE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 6
>> RESERVED_BYTE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 7 (1262)
>> Apr 24 16:33:42 accel charon: 09[ENC] 28 bytes left,
>> parsing recursively TRANSFORM_ATTRIBUTE_V1
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing
>> TRANSFORM_ATTRIBUTE_V1 payload, 540 bytes left
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 0
>> ATTRIBUTE_FORMAT
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 1
>> ATTRIBUTE_TYPE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 2
>> ATTRIBUTE_LENGTH_OR_VALUE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 3
>> ATTRIBUTE_VALUE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing
>> TRANSFORM_ATTRIBUTE_V1 payload finished
>> Apr 24 16:33:42 accel charon: 09[ENC] 24 bytes left,
>> parsing recursively TRANSFORM_ATTRIBUTE_V1
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing
>> TRANSFORM_ATTRIBUTE_V1 payload, 536 bytes left
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 0
>> ATTRIBUTE_FORMAT
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 1
>> ATTRIBUTE_TYPE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 2
>> ATTRIBUTE_LENGTH_OR_VALUE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 3
>> ATTRIBUTE_VALUE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing
>> TRANSFORM_ATTRIBUTE_V1 payload finished
>> Apr 24 16:33:42 accel charon: 09[ENC] 20 bytes left,
>> parsing recursively TRANSFORM_ATTRIBUTE_V1
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing
>> TRANSFORM_ATTRIBUTE_V1 payload, 532 bytes left
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 0
>> ATTRIBUTE_FORMAT
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 1
>> ATTRIBUTE_TYPE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 2
>> ATTRIBUTE_LENGTH_OR_VALUE
>> Apr 24 16:33:42 accel charon: 09[ENC] parsing rule 3
>> ATTRIBUTE_VALUE
>> Apr 24 16:33:42 accel rsyslogd-2177: imuxsock begins to drop
>> messages from pid 8547 due to rate-limiting
>>
>>
>>
>>
>>
>>
>> Apr 24 16:34:02 accel rsyslogd-2177: imuxsock lost 2784
>> messages from pid 8547 due to rate-limiting
>> Apr 24 16:34:02 accel charon: 07[KNL] querying policy
>> 0.0.0.0/0 === 10.254.0.1/32 out (mark 0/0x00000000)
>>
>>
>> Apr 24 16:34:08 accel charon: 15[KNL] querying policy
>> 0.0.0.0/0 === 10.254.0.1/32 out (mark 0/0x00000000)
>> Apr 24 16:34:08 accel charon: 15[IKE] sending keep alive to
>> 166.170.42.208[64139]
>> Apr 24 16:34:08 accel charon: 14[NET] sending packet: from
>> 10.199.65.236[4500] to 166.170.42.208[64139]
>>
>>
>>
>> ****second device connected*****
>>
>>
>>
>>
>> Apr 24 16:34:17 accel charon: 03[NET] received packet: from
>> 50.197.174.157[500] to 10.199.65.236[500]
>> Apr 24 16:34:17 accel charon: 03[ENC] parsing header of message
>> Apr 24 16:34:17 accel charon: 03[ENC] parsing HEADER payload,
>> 668 bytes left
>> Apr 24 16:34:17 accel charon: 03[ENC] parsing rule 0 IKE_SPI
>> Apr 24 16:34:17 accel charon: 03[ENC] parsing rule 1 IKE_SPI
>> Apr 24 16:34:17 accel charon: 03[ENC] parsing rule 2 U_INT_8
>> Apr 24 16:34:17 accel charon: 03[ENC] parsing rule 3 U_INT_4
>> Apr 24 16:34:17 accel charon: 03[ENC] parsing rule 4 U_INT_4
>> Apr 24 16:34:17 accel charon: 03[ENC] parsing rule 5 U_INT_8
>> Apr 24 16:34:17 accel charon: 03[ENC] parsing rule 6
>> RESERVED_BIT
>> Apr 24 16:34:17 accel charon: 03[ENC] parsing rule 7
>> RESERVED_BIT
>> Apr 24 16:34:17 accel charon: 03[ENC] parsing rule 8 FLAG
>> Apr 24 16:34:17 accel charon: 03[ENC] parsing rule 9 FLAG
>> Apr 24 16:34:17 accel charon: 03[ENC] parsing rule 10 FLAG
>> Apr 24 16:34:17 accel charon: 03[ENC] parsing rule 11 FLAG
>> Apr 24 16:34:17 accel charon: 03[ENC] parsing rule 12 FLAG
>> Apr 24 16:34:17 accel charon: 03[ENC] parsing rule 13 FLAG
>> Apr 24 16:34:17 accel rsyslogd-2177: imuxsock begins to drop
>> messages from pid 8547 due to rate-limiting
>>
>>
>> On 4/24/15 8:49 AM, Miroslav Svoboda wrote:
>>> Hi,
>>> Can you send me the before mentioned logfile with loglevels
>>> set to 2 showing the following scenario?
>>>
>>> 1. restart strongswan
>>> 2. connect first phone and leave it connected
>>> 3. as soon as possible connect second phone
>>>
>>> Miroslav Svoboda | +420 608 224 486
>>>
>>> On 24 April 2015 at 17:22, Andrew Foss <afoss at actmobile.com> wrote:
>>>
>>> Miroslav,
>>>
>>> thank you for responding, I believe the second device
>>> connecting is getting the same IP address as the first;
>>>
>>> Here's a log I spit out of updown scripts, both devices
>>> get 10.255.0.1/32, the intent is to have 10.255.0.0/16 as a pool
>>> of addresses for the connecting devices.
>>>
>>> up-client C=US, O=strongSwan, CN=IDE-B1DA-3355-4C89-BA98-A580BD513292 bytes in '0' out '0' packets in '0' out '0'
>>> up-client eth0 0 10.255.0.1/32 10.199.65.236 -m policy --pol ipsec --proto esp --reqid 7 --dir in
>>> down-client C=US, O=strongSwan, CN=IDE-B1DA-3355-4C89-BA98-A580BD513292 bytes in '1478' out '5161' packets in '17' out '14'
>>> up-client C=US, O=strongSwan, CN=IDE-0DF5-9A4B-47B0-829E-245DDF715C4E bytes in '0' out '0' packets in '0' out '0'
>>> up-client eth0 0 10.255.0.1/32 10.199.65.236 -m policy --pol ipsec --proto esp --reqid 8 --dir in
>>> down-client C=US, O=strongSwan, CN=IDE-0DF5-9A4B-47B0-829E-245DDF715C4E bytes in '3937' out '9212' packets in '28' out '23'
>>> up-client C=US, O=strongSwan, CN=IDE-B1DA-3355-4C89-BA98-A580BD513292 bytes in '0' out '0' packets in '0' out '0'
>>> up-client eth0 0 10.255.0.1/32 10.199.65.236 -m policy --pol ipsec --proto esp --reqid 9 --dir in
>>>
>>> and the route
>>> ip route list table 220
>>> 10.255.0.1 via 10.199.65.193 dev eth0 proto static
>>>
>>> statusall only shows the first device to connect
>>> Status of IKE charon daemon (strongSwan 5.3.0, Linux 3.2.0-54-virtual, x86_64):
>>> uptime: 18 minutes, since Apr 24 15:04:24 2015
>>> malloc: sbrk 2555904, mmap 0, used 473168, free 2082736
>>> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 23
>>> loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke updown xauth-generic
>>> Virtual IP pools (size/online/offline):
>>> 10.255.0.0/16: 65534/1/0
>>> Listening IP addresses:
>>> 10.199.65.236
>>> 10.0.0.116
>>> 10.0.1.10
>>> 10.0.1.12
>>> 10.0.0.242
>>> 10.0.0.120
>>> 10.0.0.122
>>> 10.0.0.238
>>> Connections:
>>> ios: %any,0.0.0.0/0,::/0...%any IKEv1
>>> ios: local: [C=US, ST=California, L=New York, O=Internet Widgits Pty Ltd, OU=ActMobile, CN=ipsec.corp.actmobile.com, E=support at actmobile.com] uses public key authentication
>>> ios: cert: "C=US, ST=California, L=New York, O=Internet Widgits Pty Ltd, OU=ActMobile, CN=ipsec.corp.actmobile.com, E=support at actmobile.com"
>>> ios: remote: uses public key authentication
>>> ios: remote: uses XAuth authentication: any
>>> ios: child: 0.0.0.0/0 === dynamic TUNNEL
>>> Security Associations (1 up, 0 connecting):
>>> ios[12]: ESTABLISHED 2 minutes ago, 10.199.65.236[C=US, ST=California, L=New York, O=Internet Widgits Pty Ltd, OU=ActMobile, CN=ipsec.corp.actmobile.com, E=support at actmobile.com]...166.170.42.208[C=US, O=strongSwan, CN=IDE-B1DA-3355-4C89-BA98-A580BD513292]
>>> ios[12]: Remote XAuth identity: actmobile
>>> ios[12]: IKEv1 SPIs: 387433cc7c4e0cf7_i b7f0e6ff754ca158_r*, public key reauthentication in 2 hours
>>> ios[12]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
>>> ios{11}: INSTALLED, TUNNEL, reqid 11, ESP in UDP SPIs: cca21352_i 0ef3c1ab_o
>>> ios{11}: AES_CBC_128/HMAC_SHA1_96, 1534 bytes_i (18 pkts, 104s ago), 5393 bytes_o (15 pkts, 104s ago), rekeying in 23 hours
>>> ios{11}: 0.0.0.0/0 === 10.255.0.1/32
>>>
>>> Here's the conn from ipsec.conf, do I really need to
>>> setup a dhcp service instead?
>>>
>>> conn ios
>>>     keyexchange=ikev1
>>>     authby=xauthrsasig
>>>     xauth=server
>>>     left=%any
>>>     leftsubnet=0.0.0.0/0
>>>     leftsourceip = %modeconfig
>>>     leftallowany = yes
>>>     lefthostaccess=yes
>>>     leftupdown=/opt/actmobile/accelerator/actmobile_ipsec_updown
>>>     leftcert=serverCert.pem
>>>     right=%any
>>>     rightsourceip=10.255.0.0/16
>>>     rightfirewall=yes
>>>     righthostaccess=yes
>>>     auto=start
>>>     rekey=yes
>>>     fragmentation=yes
>>>     lifetime=24h
>>>     dpddelay=0
>>>     dpdtimeout=24h
>>>
>>> On 4/24/15 12:51 AM, Miroslav Svoboda wrote:
>>>> Please can you provide:
>>>> - log with default loglevel set to 2, showing start of
>>>> both iPhones connection
>>>> - output of command "strongswan statusall" at the time
>>>> both iPhones are connected
>>>> - route table and iptables rules (tables filter, nat,
>>>> mangle)
>>>>
>>>> I believe this question would be a better fit for the
>>>> users list next time and might even get answered quicker there.
>>>>
>>>> Miroslav
>>>>
>>>> On Thursday, April 23, 2015 at 4:40:15 PM UTC+2, Andrew
>>>> Foss wrote:
>>>>
>>>> I am bringing up an ipsec server for our ios users
>>>> and suspect my "left"
>>>> parameters aren't quite right, but so far my
>>>> changes have made it not
>>>> work at all and I am not fully understanding the
>>>> descriptions. I am
>>>> running 5.3.0, our ifupdown scripts open iptables
>>>> rules to allow access
>>>> to dns and the servers.
>>>>
>>>> What I see is the first device on a network connects
>>>> and works fine. Second
>>>> device connects and neither works, second device
>>>> gets disconnected, as
>>>> if the routing/nat handling is sending packets down
>>>> the wrong tunnel.
>>>>
>>>> Here's my config, I suspect leftsubnet should be
>>>> 0/0, these are just
>>>> devices connecting for themselves, not another vpn
>>>> gateway connecting a
>>>> network. Any pointers?
>>>>
>>>> conn ios
>>>>     keyexchange=ikev1
>>>>     #esp=null-sha1!
>>>>     authby=xauthrsasig
>>>>     xauth=server
>>>>     left=%defaultroute
>>>>     leftsubnet=0.0.0.0/0
>>>>     #leftsubnet=10.66.0.0/16
>>>>     #leftfirewall=yes
>>>>     leftupdown=/opt/actmobile/accelerator/actmobile_ipsec_updown
>>>>     leftcert=serverCert.pem
>>>>     right=%any
>>>>     rightsourceip=10.0.0.0/16
>>>>     #rightsourceip=10.100.255.0/28
>>>>     #rightcert=clientCert.pem
>>>>     #pfs=no
>>>>     auto=start
>>>>     rekey=yes
>>>>     fragmentation=yes
>>>>     lifetime=24h
>>>>     dpddelay=0
>>>>     dpdtimeout=24h
>>>> actmobile at accel:~-u
>>>>
>>>> thanks,
>>>> andrew
>>>> _______________________________________________
>>>> Dev mailing list
>>>> Dev at lists.strongswan.org
>>>> https://lists.strongswan.org/mailman/listinfo/dev
>>>>
>>>
>>>
>>
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150424/d38b2195/attachment-0001.html>
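Added example, not part of the thread or of strongSwan: a Python triage of the two symptoms discussed above, counting uniqueness-policy evictions per peer identity in the charon log and listing virtual IPs that the updown log shows handed to more than one client certificate. The sample lines are constructed in the formats quoted in the thread (CNs shortened to placeholders), and all function names are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input, modelled on the line formats quoted in the thread.
SAMPLE_CHARON_LOG = """\
Apr 24 17:21:31 accel charon: 13[IKE] received NAT-T (RFC 3947) vendor ID
Apr 24 17:21:43 accel charon: 10[IKE] deleting duplicate IKE_SA for peer 'actmobile' due to uniqueness policy
Apr 24 17:22:05 accel charon: 07[IKE] deleting duplicate IKE_SA for peer 'actmobile' due to uniqueness policy
Apr 24 17:22:06 accel rsyslogd-2177: imuxsock begins to drop messages from pid 8547 due to rate-limiting
"""

# Constructed output in the format of the custom updown script shown in the thread.
SAMPLE_UPDOWN_LOG = """\
up-client C=US, O=strongSwan, CN=IDE-AAAA bytes in '0' out '0' packets in '0' out '0'
up-client eth0 0 10.255.0.1/32 10.199.65.236 -m policy --pol ipsec --proto esp --reqid 7 --dir in
down-client C=US, O=strongSwan, CN=IDE-AAAA bytes in '1478' out '5161' packets in '17' out '14'
up-client C=US, O=strongSwan, CN=IDE-BBBB bytes in '0' out '0' packets in '0' out '0'
up-client eth0 0 10.255.0.1/32 10.199.65.236 -m policy --pol ipsec --proto esp --reqid 8 --dir in
"""

EVICT_RE = re.compile(
    r"charon: \d+\[IKE\] deleting duplicate IKE_SA for peer '([^']*)' "
    r"due to uniqueness policy")
DROP_RE = re.compile(r"rsyslogd\S*: imuxsock begins to drop messages")
DN_RE = re.compile(r"^up-client (C=.+?) bytes in ")
VIP_RE = re.compile(r"^up-client \S+ \d+ (\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}) ")


def uniqueness_evictions(log_text):
    """Count IKE_SAs deleted by the uniqueness policy, keyed by peer identity."""
    return Counter(m.group(1) for m in EVICT_RE.finditer(log_text))


def log_is_truncated(log_text):
    """True if rsyslog rate-limited charon, so later evictions may be missing."""
    return bool(DROP_RE.search(log_text))


def virtual_ip_owners(updown_text):
    """Map each virtual IP to the distinct client DNs it was brought up for."""
    owners = defaultdict(list)
    current_dn = None
    for line in updown_text.splitlines():
        line = line.strip()
        dn = DN_RE.match(line)
        if dn:  # first line of an "up" event carries the client DN
            current_dn = dn.group(1)
            continue
        vip = VIP_RE.match(line)
        if vip and current_dn is not None:  # second line carries the virtual IP
            if current_dn not in owners[vip.group(1)]:
                owners[vip.group(1)].append(current_dn)
    return dict(owners)


def shared_virtual_ips(updown_text):
    """Virtual IPs assigned to more than one client certificate."""
    return {ip: dns for ip, dns in virtual_ip_owners(updown_text).items()
            if len(dns) > 1}


if __name__ == "__main__":
    for peer, count in uniqueness_evictions(SAMPLE_CHARON_LOG).items():
        print(f"peer {peer!r}: {count} IKE_SA(s) evicted by uniqueness policy")
    if log_is_truncated(SAMPLE_CHARON_LOG):
        print("warning: syslog rate-limiting dropped messages; counts are a lower bound")
    for ip, dns in shared_virtual_ips(SAMPLE_UPDOWN_LOG).items():
        print(f"virtual IP {ip} assigned to {len(dns)} clients: {dns}")
```
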