[strongSwan] ikev1 cisco l2l issue

Tormod Macleod tormod.macleod at gmail.com
Wed Aug 19 15:26:20 CEST 2015


Hello,

I'm having issues with an ikev1 l2l vpn connection between a strongswan
instance behind a nat and a cisco asa. I have this problem in live and have
been able to recreate it in a test environment.

After 75% of the phase 1 lifetime the cisco asa decides to initiate a rekey
of the tunnel, i.e. when I set the phase 1 lifetime to 8 hours, the cisco asa
initiates a rekey after 6 hours; when I set the phase 1 lifetime to 1 hour,
the cisco asa initiates a rekey after 45 minutes.

The phase 1 rekey is immediately successful but the tunnel is torn down by
DPD on the cisco asa around 15 seconds later. It looks to me like a problem
with the cisco asa as I understood that the initiator (in this case the
strongswan instance) should be the one that initiates the rekey. And even
then, it shouldn't rekey until the phase 1 lifetime is expiring. I thought
I'd mail my problem to this list in the hope that someone might offer some
advice. Hopefully I'm just doing something stupid.

I've attached loads of config, logs, packet captures etc. (probably
overkill). Please note that some clocks are GMT, others are BST.

Grateful for ANY help,


Tormod
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150819/12ad034e/attachment-0001.html>
-------------- next part --------------
ciscoasa# sh running-config
interface GigabitEthernet0
 nameif OUTSIDE
 security-level 0
 ip address 2.2.2.2 255.255.255.0
!
interface GigabitEthernet1
 nameif DMZ
 security-level 100
 ip address 10.4.0.2 255.255.255.0
!
access-list VPN-ACL extended permit ip 10.4.0.0 255.254.0.0 172.16.10.0 255.255.255.0
access-list other-VPN-ACL extended permit ip 10.4.0.0 255.254.0.0 192.168.0.0 255.255.0.0
access-list other-VPN-ACL extended permit ip 192.168.31.0 255.255.255.0 192.168.0.0 255.255.0.0
route OUTSIDE 0.0.0.0 0.0.0.0 2.2.2.1 1
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal my-proposal
 protocol esp encryption aes
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal ikev2proposal
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto map mymap 1 match address other-VPN-ACL
crypto map mymap 1 set peer 9.9.9.9
crypto map mymap 1 set ikev2 ipsec-proposal my-proposal
crypto map mymap 2 match address VPN-ACL
crypto map mymap 2 set peer 1.1.1.1
crypto map mymap 2 set ikev1 transform-set ESP-AES256-SHA
crypto map mymap 2 set security-association lifetime seconds 3600
crypto map mymap interface OUTSIDE
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 25
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 3600
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 10 retry 3
ciscoasa#
-------------- next part --------------
Aug 19 12:03:50 ciscoasa : %ASA-6-302016: Teardown UDP connection 935 for DMZ:10.4.0.10/514 to identity:10.4.0.2/514 duration 0:02:01 bytes 318
Aug 19 12:03:50 ciscoasa : %ASA-6-302015: Built outbound UDP connection 936 for DMZ:10.4.0.10/514 (10.4.0.10/514) to identity:10.4.0.2/514 (10.4.0.2/514)
Aug 19 12:05:51 ciscoasa : %ASA-6-302016: Teardown UDP connection 936 for DMZ:10.4.0.10/514 to identity:10.4.0.2/514 duration 0:02:01 bytes 318
Aug 19 12:05:51 ciscoasa : %ASA-6-302015: Built outbound UDP connection 937 for DMZ:10.4.0.10/514 (10.4.0.10/514) to identity:10.4.0.2/514 (10.4.0.2/514)
Aug 19 12:07:52 ciscoasa : %ASA-6-302016: Teardown UDP connection 937 for DMZ:10.4.0.10/514 to identity:10.4.0.2/514 duration 0:02:01 bytes 318
Aug 19 12:07:52 ciscoasa : %ASA-6-302015: Built outbound UDP connection 938 for DMZ:10.4.0.10/514 (10.4.0.10/514) to identity:10.4.0.2/514 (10.4.0.2/514)
Aug 19 12:09:05 ciscoasa : %ASA-6-302010: 2 in use, 4 most used
Aug 19 12:11:07 ciscoasa : %ASA-6-302016: Teardown UDP connection 938 for DMZ:10.4.0.10/514 to identity:10.4.0.2/514 duration 0:03:14 bytes 392
Aug 19 12:11:07 ciscoasa : %ASA-6-302015: Built outbound UDP connection 939 for DMZ:10.4.0.10/514 (10.4.0.10/514) to identity:10.4.0.2/514 (10.4.0.2/514)
Aug 19 12:13:08 ciscoasa : %ASA-6-302016: Teardown UDP connection 939 for DMZ:10.4.0.10/514 to identity:10.4.0.2/514 duration 0:02:01 bytes 318
Aug 19 12:13:08 ciscoasa : %ASA-6-302015: Built outbound UDP connection 940 for DMZ:10.4.0.10/514 (10.4.0.10/514) to identity:10.4.0.2/514 (10.4.0.2/514)
Aug 19 12:15:11 ciscoasa : %ASA-6-302016: Teardown UDP connection 940 for DMZ:10.4.0.10/514 to identity:10.4.0.2/514 duration 0:02:02 bytes 318
Aug 19 12:15:11 ciscoasa : %ASA-6-302015: Built outbound UDP connection 941 for DMZ:10.4.0.10/514 (10.4.0.10/514) to identity:10.4.0.2/514 (10.4.0.2/514)
Aug 19 12:17:12 ciscoasa : %ASA-6-302016: Teardown UDP connection 941 for DMZ:10.4.0.10/514 to identity:10.4.0.2/514 duration 0:02:01 bytes 318
Aug 19 12:17:12 ciscoasa : %ASA-6-302015: Built outbound UDP connection 942 for DMZ:10.4.0.10/514 (10.4.0.10/514) to identity:10.4.0.2/514 (10.4.0.2/514)
Aug 19 12:19:06 ciscoasa : %ASA-6-302010: 2 in use, 4 most used
Aug 19 12:21:07 ciscoasa : %ASA-6-302016: Teardown UDP connection 942 for DMZ:10.4.0.10/514 to identity:10.4.0.2/514 duration 0:03:55 bytes 392
Aug 19 12:21:07 ciscoasa : %ASA-6-302015: Built outbound UDP connection 943 for DMZ:10.4.0.10/514 (10.4.0.10/514) to identity:10.4.0.2/514 (10.4.0.2/514)
Aug 19 12:23:09 ciscoasa : %ASA-6-302016: Teardown UDP connection 943 for DMZ:10.4.0.10/514 to identity:10.4.0.2/514 duration 0:02:01 bytes 318
Aug 19 12:23:09 ciscoasa : %ASA-6-302015: Built outbound UDP connection 944 for DMZ:10.4.0.10/514 (10.4.0.10/514) to identity:10.4.0.2/514 (10.4.0.2/514)
Aug 19 12:25:11 ciscoasa : %ASA-6-302016: Teardown UDP connection 944 for DMZ:10.4.0.10/514 to identity:10.4.0.2/514 duration 0:02:01 bytes 318
Aug 19 12:25:11 ciscoasa : %ASA-6-302015: Built outbound UDP connection 945 for DMZ:10.4.0.10/514 (10.4.0.10/514) to identity:10.4.0.2/514 (10.4.0.2/514)
Aug 19 12:26:46 ciscoasa : %ASA-5-713041: IP = 1.1.1.1, IKE Initiator: Rekeying Phase 1, Intf OUTSIDE, IKE Peer 1.1.1.1  local Proxy Address 0.0.0.0, remote Proxy Address 0.0.0.0,  Crypto map (N/A)
Aug 19 12:26:47 ciscoasa : %ASA-6-713172: Group = 1.1.1.1, IP = 1.1.1.1, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end is NOT behind a NAT device
Aug 19 12:26:47 ciscoasa : %ASA-5-713119: Group = 1.1.1.1, IP = 1.1.1.1, PHASE 1 COMPLETED
Aug 19 12:27:02 ciscoasa : %ASA-3-713123: Group = 1.1.1.1, IP = 1.1.1.1, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
Aug 19 12:27:02 ciscoasa : %ASA-4-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xC0B1A316) between 2.2.2.2 and 1.1.1.1 (user= 1.1.1.1) has been deleted.
Aug 19 12:27:02 ciscoasa : %ASA-4-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x36FD024B) between 1.1.1.1 and 2.2.2.2 (user= 1.1.1.1) has been deleted.
Aug 19 12:27:02 ciscoasa : %ASA-5-713259: Group = 1.1.1.1, IP = 1.1.1.1, Session is being torn down. Reason: Lost Service
Aug 19 12:27:02 ciscoasa : %ASA-4-113019: Group = 1.1.1.1, Username = 1.1.1.1, IP = 1.1.1.1, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:45m:16s, Bytes xmt: 0, Bytes rcv: 0, Reason: Lost Service
-------------- next part --------------
A non-text attachment was scrubbed...
Name: packet-capture.pcapng
Type: application/octet-stream
Size: 23040 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150819/12ad034e/attachment-0001.obj>
-------------- next part --------------
[root at localhost ~]# cat /opt/strongswan530/etc/ipsec.conf
conn %default
        ikelifetime=60m
        margintime=3m
        keyingtries=0
        authby=secret
        left=10.197.0.8
        leftid=1.1.1.1
        auto=start
        reauth=no
        dpdaction=hold
        dpddelay=40
        closeaction=hold

conn remote-site
        keylife=60m
        keyexchange=ikev1
        ike=aes256-sha1-modp1024
        esp=aes256-sha1
        leftsubnet=172.16.10.0/24
        right=2.2.2.2
        rightsubnet=10.4.0.0/15
        rightid=2.2.2.2
        dpdtimeout=10s
        dpddelay=10s
[root at localhost ~]# cat /opt/strongswan530/etc/strongswan.conf 
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files
# See https://wiki.strongswan.org/projects/strongswan/wiki/Retransmission for details of retransmit settings

charon {
        load_modular = yes

        retransmit_base = 1.0
        retransmit_timeout = 5.0
        retransmit_tries = 6

        plugins {
                include strongswan.d/charon/*.conf
        }
}

include strongswan.d/*.conf
[root at A00089-CentOS6-1 ~]# 
-------------- next part --------------
Aug 19 13:25:46 localhost charon: 12[IKE] sending DPD request
Aug 19 13:25:46 localhost charon: 12[ENC] generating INFORMATIONAL_V1 request 898912816 [ HASH N(DPD) ]
Aug 19 13:25:46 localhost charon: 12[NET] sending packet: from 10.197.0.8[4500] to 2.2.2.2[4500] (92 bytes)
Aug 19 13:25:46 localhost charon: 11[NET] received packet: from 2.2.2.2[4500] to 10.197.0.8[4500] (92 bytes)
Aug 19 13:25:46 localhost charon: 11[ENC] parsed INFORMATIONAL_V1 request 1131371570 [ HASH N(DPD_ACK) ]
Aug 19 13:25:47 localhost charon: 01[NET] received packet: from 2.2.2.2[4500] to 10.197.0.8[4500] (92 bytes)
Aug 19 13:25:47 localhost charon: 01[ENC] parsed INFORMATIONAL_V1 request 1700860207 [ HASH N(DPD) ]
Aug 19 13:25:47 localhost charon: 01[ENC] generating INFORMATIONAL_V1 request 2982840994 [ HASH N(DPD_ACK) ]
Aug 19 13:25:47 localhost charon: 01[NET] sending packet: from 10.197.0.8[4500] to 2.2.2.2[4500] (92 bytes)
Aug 19 13:25:57 localhost charon: 03[IKE] sending DPD request
Aug 19 13:25:57 localhost charon: 03[ENC] generating INFORMATIONAL_V1 request 1356270881 [ HASH N(DPD) ]
Aug 19 13:25:57 localhost charon: 03[NET] sending packet: from 10.197.0.8[4500] to 2.2.2.2[4500] (92 bytes)
Aug 19 13:25:57 localhost charon: 09[NET] received packet: from 2.2.2.2[4500] to 10.197.0.8[4500] (92 bytes)
Aug 19 13:25:57 localhost charon: 09[ENC] parsed INFORMATIONAL_V1 request 3001155075 [ HASH N(DPD_ACK) ]
Aug 19 13:26:08 localhost charon: 14[IKE] sending DPD request
Aug 19 13:26:08 localhost charon: 14[ENC] generating INFORMATIONAL_V1 request 4078997030 [ HASH N(DPD) ]
Aug 19 13:26:08 localhost charon: 14[NET] sending packet: from 10.197.0.8[4500] to 2.2.2.2[4500] (92 bytes)
Aug 19 13:26:08 localhost charon: 10[NET] received packet: from 2.2.2.2[4500] to 10.197.0.8[4500] (92 bytes)
Aug 19 13:26:08 localhost charon: 10[ENC] parsed INFORMATIONAL_V1 request 1459254534 [ HASH N(DPD_ACK) ]
Aug 19 13:26:19 localhost charon: 16[IKE] sending DPD request
Aug 19 13:26:19 localhost charon: 16[ENC] generating INFORMATIONAL_V1 request 2794961192 [ HASH N(DPD) ]
Aug 19 13:26:19 localhost charon: 16[NET] sending packet: from 10.197.0.8[4500] to 2.2.2.2[4500] (92 bytes)
Aug 19 13:26:19 localhost charon: 03[NET] received packet: from 2.2.2.2[4500] to 10.197.0.8[4500] (92 bytes)
Aug 19 13:26:19 localhost charon: 03[ENC] parsed INFORMATIONAL_V1 request 1060278529 [ HASH N(DPD_ACK) ]
Aug 19 13:26:30 localhost charon: 01[IKE] sending DPD request
Aug 19 13:26:30 localhost charon: 01[ENC] generating INFORMATIONAL_V1 request 3054563672 [ HASH N(DPD) ]
Aug 19 13:26:30 localhost charon: 01[NET] sending packet: from 10.197.0.8[4500] to 2.2.2.2[4500] (92 bytes)
Aug 19 13:26:30 localhost charon: 08[NET] received packet: from 2.2.2.2[4500] to 10.197.0.8[4500] (92 bytes)
Aug 19 13:26:30 localhost charon: 08[ENC] parsed INFORMATIONAL_V1 request 3693628516 [ HASH N(DPD_ACK) ]
Aug 19 13:26:41 localhost charon: 13[IKE] sending DPD request
Aug 19 13:26:41 localhost charon: 13[ENC] generating INFORMATIONAL_V1 request 1837283511 [ HASH N(DPD) ]
Aug 19 13:26:41 localhost charon: 13[NET] sending packet: from 10.197.0.8[4500] to 2.2.2.2[4500] (92 bytes)
Aug 19 13:26:41 localhost charon: 12[NET] received packet: from 2.2.2.2[4500] to 10.197.0.8[4500] (92 bytes)
Aug 19 13:26:41 localhost charon: 12[ENC] parsed INFORMATIONAL_V1 request 3280345319 [ HASH N(DPD_ACK) ]
Aug 19 13:26:50 localhost charon: 13[NET] received packet: from 2.2.2.2[4500] to 10.197.0.8[4500] (172 bytes)
Aug 19 13:26:50 localhost charon: 13[ENC] parsed ID_PROT request 0 [ SA V V V V ]
Aug 19 13:26:50 localhost charon: 13[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Aug 19 13:26:50 localhost charon: 13[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Aug 19 13:26:50 localhost charon: 13[IKE] received NAT-T (RFC 3947) vendor ID
Aug 19 13:26:50 localhost charon: 13[IKE] received FRAGMENTATION vendor ID
Aug 19 13:26:50 localhost charon: 13[IKE] 2.2.2.2 is initiating a Main Mode IKE_SA
Aug 19 13:26:50 localhost charon: 13[ENC] generating ID_PROT response 0 [ SA V V V ]
Aug 19 13:26:50 localhost charon: 13[NET] sending packet: from 10.197.0.8[4500] to 2.2.2.2[4500] (136 bytes)
Aug 19 13:26:50 localhost charon: 16[NET] received packet: from 2.2.2.2[4500] to 10.197.0.8[4500] (304 bytes)
Aug 19 13:26:50 localhost charon: 16[ENC] parsed ID_PROT request 0 [ KE No V V V V NAT-D NAT-D ]
Aug 19 13:26:50 localhost charon: 16[IKE] received Cisco Unity vendor ID
Aug 19 13:26:50 localhost charon: 16[IKE] received XAuth vendor ID
Aug 19 13:26:50 localhost charon: 16[ENC] received unknown vendor ID: fc:f3:90:81:87:1e:6d:61:df:6a:5b:2d:a7:e4:fc:88
Aug 19 13:26:50 localhost charon: 16[ENC] received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
Aug 19 13:26:50 localhost charon: 16[IKE] local host is behind NAT, sending keep alives
Aug 19 13:26:50 localhost charon: 16[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Aug 19 13:26:50 localhost charon: 16[NET] sending packet: from 10.197.0.8[4500] to 2.2.2.2[4500] (244 bytes)
Aug 19 13:26:51 localhost charon: 14[NET] received packet: from 2.2.2.2[4500] to 10.197.0.8[4500] (92 bytes)
Aug 19 13:26:51 localhost charon: 14[ENC] parsed ID_PROT request 0 [ ID HASH V ]
Aug 19 13:26:51 localhost charon: 14[IKE] received DPD vendor ID
Aug 19 13:26:51 localhost charon: 14[CFG] looking for pre-shared key peer configs matching 10.197.0.8...2.2.2.2[2.2.2.2]
Aug 19 13:26:51 localhost charon: 14[CFG] selected peer config "remote-site"
Aug 19 13:26:51 localhost charon: 14[IKE] detected reauth of existing IKE_SA, adopting 1 children and 0 virtual IPs
Aug 19 13:26:51 localhost charon: 14[IKE] IKE_SA remote-site[2] established between 10.197.0.8[1.1.1.1]...2.2.2.2[2.2.2.2]
Aug 19 13:26:51 localhost charon: 14[IKE] scheduling rekeying in 3311s
Aug 19 13:26:51 localhost charon: 14[IKE] maximum IKE_SA lifetime 3491s
Aug 19 13:26:51 localhost charon: 14[ENC] generating ID_PROT response 0 [ ID HASH ]
Aug 19 13:26:51 localhost charon: 14[NET] sending packet: from 10.197.0.8[4500] to 2.2.2.2[4500] (76 bytes)
Aug 19 13:27:01 localhost charon: 03[IKE] sending DPD request
Aug 19 13:27:01 localhost charon: 03[ENC] generating INFORMATIONAL_V1 request 1136460660 [ HASH N(DPD) ]
Aug 19 13:27:01 localhost charon: 03[NET] sending packet: from 10.197.0.8[4500] to 2.2.2.2[4500] (92 bytes)
Aug 19 13:27:01 localhost charon: 09[NET] received packet: from 2.2.2.2[4500] to 10.197.0.8[4500] (92 bytes)
Aug 19 13:27:01 localhost charon: 09[ENC] parsed INFORMATIONAL_V1 request 1927975612 [ HASH N(DPD_ACK) ]
Aug 19 13:27:06 localhost charon: 02[NET] received packet: from 2.2.2.2[4500] to 10.197.0.8[4500] (92 bytes)
Aug 19 13:27:06 localhost charon: 02[ENC] parsed INFORMATIONAL_V1 request 408457742 [ HASH D ]
Aug 19 13:27:06 localhost charon: 02[IKE] received DELETE for IKE_SA remote-site[2]
Aug 19 13:27:06 localhost charon: 02[IKE] deleting IKE_SA remote-site[2] between 10.197.0.8[1.1.1.1]...2.2.2.2[2.2.2.2]
Aug 19 13:27:46 localhost kernel: device eth0 left promiscuous mode
-------------- next part --------------
----------
Wed Aug 19 13:19:46 BST 2015
Status of IKE charon daemon (strongSwan 5.3.0, Linux 2.6.32-504.12.2.el6.x86_64, x86_64):
  uptime: 37 minutes, since Aug 19 12:41:50 2015
  malloc: sbrk 270336, mmap 0, used 218000, free 52336
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
  loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic unity
Listening IP addresses:
  10.197.0.8
Connections:
 remote-site:  10.197.0.8...2.2.2.2  IKEv1, dpddelay=10s
 remote-site:   local:  [1.1.1.1] uses pre-shared key authentication
 remote-site:   remote: [2.2.2.2] uses pre-shared key authentication
 remote-site:   child:  172.16.10.0/24 === 10.4.0.0/15 TUNNEL, dpdaction=hold
Security Associations (1 up, 0 connecting):
 remote-site[1]: ESTABLISHED 37 minutes ago, 10.197.0.8[1.1.1.1]...2.2.2.2[2.2.2.2]
 remote-site[1]: IKEv1 SPIs: 1ddbad4803b9c589_i* ccf9bf34bb612aaf_r, rekeying in 16 minutes
 remote-site[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
 remote-site{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c0b1a316_i 36fd024b_o
 remote-site{1}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 17 minutes
 remote-site{1}:   172.16.10.0/24 === 10.4.0.0/15 
----------
Wed Aug 19 13:26:51 BST 2015
Status of IKE charon daemon (strongSwan 5.3.0, Linux 2.6.32-504.12.2.el6.x86_64, x86_64):
  uptime: 45 minutes, since Aug 19 12:41:49 2015
  malloc: sbrk 270336, mmap 0, used 218752, free 51584
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 9
  loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic unity
Listening IP addresses:
  10.197.0.8
Connections:
 remote-site:  10.197.0.8...2.2.2.2  IKEv1, dpddelay=10s
 remote-site:   local:  [1.1.1.1] uses pre-shared key authentication
 remote-site:   remote: [2.2.2.2] uses pre-shared key authentication
 remote-site:   child:  172.16.10.0/24 === 10.4.0.0/15 TUNNEL, dpdaction=hold
Security Associations (1 up, 0 connecting):
 remote-site[2]: ESTABLISHED 1 second ago, 10.197.0.8[1.1.1.1]...2.2.2.2[2.2.2.2]
 remote-site[2]: IKEv1 SPIs: 616d1f879c373409_i fcc25355680e4d70_r*, rekeying in 55 minutes
 remote-site[2]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
 remote-site{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c0b1a316_i 36fd024b_o
 remote-site{1}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 10 minutes
 remote-site{1}:   172.16.10.0/24 === 10.4.0.0/15 
----------
Wed Aug 19 13:27:08 BST 2015
Status of IKE charon daemon (strongSwan 5.3.0, Linux 2.6.32-504.12.2.el6.x86_64, x86_64):
  uptime: 45 minutes, since Aug 19 12:41:50 2015
  malloc: sbrk 270336, mmap 0, used 213856, free 56480
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 8
  loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic unity
Listening IP addresses:
  10.197.0.8
Connections:
 remote-site:  10.197.0.8...2.2.2.2  IKEv1, dpddelay=10s
 remote-site:   local:  [1.1.1.1] uses pre-shared key authentication
 remote-site:   remote: [2.2.2.2] uses pre-shared key authentication
 remote-site:   child:  172.16.10.0/24 === 10.4.0.0/15 TUNNEL, dpdaction=hold
Routed Connections:
 remote-site{2}:  ROUTED, TUNNEL, reqid 1
 remote-site{2}:   172.16.10.0/24 === 10.4.0.0/15 
Security Associations (0 up, 0 connecting):
  none
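The two numbers worth checking in the attachments above are the strongSwan rekey schedule ("scheduling rekeying in 3311s", "maximum IKE_SA lifetime 3491s") and the ASA session duration at teardown (0h:45m:16s, i.e. 75% of the 3600s lifetime). The following script is an added example, not part of the original post and not strongSwan or Cisco code: it reproduces the strongSwan rekey window from the ipsec.conf semantics (rekey at ikelifetime minus margintime minus a random share of margintime scaled by rekeyfuzz, hard delete margintime after the scheduled rekey), and it scans the ASA syslog lines from the post for a phase 1 rekey (713041) followed within a short window by a DPD teardown (713123) of the same peer, which is the failure pattern described. The `window_s` parameter and the function names are assumptions of this example; the log lines are the ones quoted in the post.

```python
"""Correlate an IKEv1 phase 1 rekey with a DPD teardown in ASA syslog and
compute strongSwan's own rekey window from ipsec.conf settings.

Added example for the mailing-list report; not part of the post and not
strongSwan or Cisco code. Rekey arithmetic follows ipsec.conf(5):
ikelifetime, margintime, rekeyfuzz.
"""
import re
from datetime import datetime

# Sample input: ASA syslog lines quoted in the post (not constructed).
ASA_LOG = """\
Aug 19 12:25:11 ciscoasa : %ASA-6-302015: Built outbound UDP connection 945 for DMZ:10.4.0.10/514 (10.4.0.10/514) to identity:10.4.0.2/514 (10.4.0.2/514)
Aug 19 12:26:46 ciscoasa : %ASA-5-713041: IP = 1.1.1.1, IKE Initiator: Rekeying Phase 1, Intf OUTSIDE, IKE Peer 1.1.1.1  local Proxy Address 0.0.0.0, remote Proxy Address 0.0.0.0,  Crypto map (N/A)
Aug 19 12:26:47 ciscoasa : %ASA-5-713119: Group = 1.1.1.1, IP = 1.1.1.1, PHASE 1 COMPLETED
Aug 19 12:27:02 ciscoasa : %ASA-3-713123: Group = 1.1.1.1, IP = 1.1.1.1, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
Aug 19 12:27:02 ciscoasa : %ASA-4-113019: Group = 1.1.1.1, Username = 1.1.1.1, IP = 1.1.1.1, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:45m:16s, Bytes xmt: 0, Bytes rcv: 0, Reason: Lost Service
"""

# "<Mon> <day> <HH:MM:SS> <host> : %ASA-<sev>-<id>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ : %ASA-\d-(?P<id>\d+): (?P<msg>.*)$")


def parse_asa(text, year=2015):
    """Return a list of (timestamp, message id, message) for each ASA syslog line.
    Syslog timestamps carry no year, so the caller supplies one."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["id"], m["msg"]))
    return events


def find_rekey_teardowns(events, window_s=60):
    """Return (peer, rekey time, teardown time, seconds between) for every
    phase 1 rekey (713041) followed by a DPD teardown (713123) of the same
    peer within window_s seconds. window_s is an assumed tunable."""
    rekeys = [(ts, re.search(r"IKE Peer ([^,\s]+)", msg).group(1))
              for ts, mid, msg in events if mid == "713041"]
    findings = []
    for ts, mid, msg in events:
        if mid != "713123":
            continue
        peer = re.search(r"IP = ([^,\s]+)", msg).group(1)
        for rts, rpeer in rekeys:
            delta = (ts - rts).total_seconds()
            if rpeer == peer and 0 <= delta <= window_s:
                findings.append((peer, rts, ts, delta))
    return findings


def session_duration_s(events):
    """Seconds from the ASA 113019 'Session disconnected' Duration field, or None."""
    for _, mid, msg in events:
        if mid == "113019":
            m = re.search(r"Duration: (\d+)h:(\d+)m:(\d+)s", msg)
            if m:
                h, mi, s = map(int, m.groups())
                return h * 3600 + mi * 60 + s
    return None


def strongswan_rekey_window(ikelifetime_s, margintime_s, rekeyfuzz_pct=100):
    """(earliest, latest) seconds after establishment at which strongSwan
    schedules the IKE_SA rekey: latest = ikelifetime - margintime, and up to
    margintime * rekeyfuzz is subtracted at random (rekeyfuzz defaults to 100%)."""
    jitter = margintime_s * rekeyfuzz_pct // 100
    latest = ikelifetime_s - margintime_s
    return latest - jitter, latest


def max_lifetime(scheduled_rekey_s, margintime_s):
    """Hard IKE_SA lifetime: the SA is deleted margintime after the scheduled rekey."""
    return scheduled_rekey_s + margintime_s


if __name__ == "__main__":
    ev = parse_asa(ASA_LOG)
    for peer, rts, ts, d in find_rekey_teardowns(ev):
        print(f"{peer}: phase 1 rekey at {rts:%H:%M:%S}, DPD teardown {d:.0f}s later")
    lo, hi = strongswan_rekey_window(3600, 180)   # ikelifetime=60m, margintime=3m
    print(f"strongSwan rekey window: {lo}s..{hi}s; logged 3311s, "
          f"hard limit {max_lifetime(3311, 180)}s")
    dur = session_duration_s(ev)
    print(f"ASA session lasted {dur}s = {dur / 3600:.0%} of the 3600s lifetime")
```

Run against the post's own log the script reports one rekey-to-teardown pair 16 seconds apart for peer 1.1.1.1, a strongSwan rekey window of 3240s to 3420s (the logged 3311s and the 3491s hard limit fall out of the same arithmetic), and an ASA session of 2716s, roughly 75% of the configured 3600s. Comparing the two schedules side by side is the quickest way to see that the two peers will never agree on who rekeys first with these settings.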