[strongSwan] Problem with rekey collisions
andreas.braun at bagus.de
Tue Feb 17 11:35:56 CET 2015
Hello again,
I have tried to work around the rekey collision problem by setting a 1-hour IPsec lifetime on one side and 2 hours on the other side, as Martin Willi suggested.
> Also you can use a shorter rekey time on one end, so rekeying is
> guaranteed to get initiated by the same end only. This should make it
> impossible that a collision happens if the options are chosen
> carefully.
Unfortunately, we now hit another problem: Collisions are gone, but every few days soon after midnight IPsec connections fail - four times already. Network is not the problem. I hope I chose the options carefully enough:
Config in Essen
---------------
version 2
conn %default
keyingtries=%forever
include /etc/ipsec.user.conf (empty)
conn VpnEssenFrankfurt
left=xxx.xxx.xxx.178
leftsubnet=192.168.241.0/24
leftfirewall=yes
lefthostaccess=yes
right=xxx.xxx.xxx.254
rightsubnet=10.2.34.0/24
leftid="xxx.xxx.xxx.178"
rightid="xxx.xxx.xxx.254"
ike=aes128-sha-modp2048,aes128-sha-modp1536,aes128-sha-modp1024
esp=aes128-sha1-modp2048,aes128-sha1-modp1536,aes128-sha1-modp1024
keyexchange=ikev2
ikelifetime=8h
keylife=1h
compress=yes
dpdaction=restart
dpddelay=120
dpdtimeout=30
authby=secret
auto=start
Config in Frankfurt
-------------------
version 2
conn %default
keyingtries=%forever
include /etc/ipsec.user.conf (empty)
conn VpnFrankfurtEssen
left=xxx.xxx.xxx.254
leftsubnet=10.2.34.0/24
leftfirewall=yes
lefthostaccess=yes
right=xxx.xxx.xxx.178
rightsubnet=192.168.241.0/24
leftid="xxx.xxx.xxx.254"
rightid="xxx.xxx.xxx.178"
ike=aes128-sha-modp2048,aes128-sha-modp1536,aes128-sha-modp1024
esp=aes128-sha1-modp2048,aes128-sha1-modp1536,aes128-sha1-modp1024
keyexchange=ikev2
ikelifetime=8h
keylife=2h
compress=yes
dpdaction=restart
dpddelay=120
dpdtimeout=30
authby=secret
auto=start
IPsec lifetime in hours by location (local:remote for each tunnel)
------------------------------------------------------------------
LOC1   1:2 LOC2   1:2 LOC3   1:2 LOC4
LOC2   2:1 LOC1   1:2 LOC3   1:2 LOC4
LOC3   2:1 LOC1   2:1 LOC2   1:2 LOC4
LOC4   2:1 LOC1   2:1 LOC2   2:1 LOC3
Log entries from our device in Essen
------------------------------------
00:04:37 charon: 04[KNL] creating rekey job for ESP CHILD_SA with SPI c3934b0a and reqid {277}
00:04:37 charon: 04[MGR] checkout IKE_SA by ID
00:04:37 charon: 04[MGR] IKE_SA VpnEssenFrankfurt[358] successfully checked out
00:04:37 charon: 04[IKE] queueing CHILD_REKEY task
00:04:37 charon: 04[IKE] activating new tasks
00:04:37 charon: 04[IKE] activating CHILD_REKEY task
00:04:37 charon: 04[IKE] establishing CHILD_SA VpnEssenFrankfurt{277}
00:04:37 charon: 04[ENC] generating CREATE_CHILD_SA request 6 [ N(REKEY_SA) N(IPCOMP_SUP) SA No KE TSi TSr ]
00:04:37 charon: 04[NET] sending packet: from xxx.xxx.xxx.178[4500] to xxx.xxx.xxx.254[4500] (684 bytes)
00:04:37 charon: 04[MGR] checkin IKE_SA VpnEssenFrankfurt[358]
00:04:37 charon: 04[MGR] check-in of IKE_SA successful.
00:04:38 charon: 14[MGR] checkout IKE_SA by message
00:04:38 charon: 14[MGR] IKE_SA VpnEssenFrankfurt[358] successfully checked out
00:04:38 charon: 14[NET] received packet: from xxx.xxx.xxx.254[4500] to xxx.xxx.xxx.178[4500] (476 bytes)
00:04:38 charon: 14[ENC] parsed CREATE_CHILD_SA response 6 [ N(IPCOMP_SUP) SA No KE TSi TSr ]
00:04:38 charon: 14[IKE] received IPCOMP_SUPPORTED notify
00:04:38 charon: 14[CHD] using AES_CBC for encryption
00:04:38 charon: 14[CHD] using HMAC_SHA1_96 for integrity
00:04:38 charon: 14[CHD] adding inbound ESP SA
00:04:38 charon: 14[CHD] SPI 0xc7f0b970, src xxx.xxx.xxx.254 dst xxx.xxx.xxx.178
00:04:38 charon: 14[CHD] adding outbound ESP SA
00:04:38 charon: 14[CHD] SPI 0xceea1f93, src xxx.xxx.xxx.178 dst xxx.xxx.xxx.254
00:04:38 charon: 14[IKE] CHILD_SA VpnEssenFrankfurt{277} established with SPIs c7f0b970_i ceea1f93_o and TS 192.168.241.0/24 === 10.2.34.0/24
00:04:38 charon: 14[IKE] reinitiating already active tasks
00:04:38 charon: 14[IKE] CHILD_REKEY task
00:04:38 charon: 14[IKE] closing CHILD_SA VpnEssenFrankfurt{277} with SPIs c3934b0a_i (143509 bytes) c65836f7_o (244242 bytes) and TS 192.168.241.0/24 === 10.2.34.0/24
00:04:38 charon: 14[IKE] sending DELETE for ESP CHILD_SA with SPI c3934b0a
00:04:38 charon: 14[ENC] generating INFORMATIONAL request 7 [ D ]
00:04:38 charon: 14[NET] sending packet: from xxx.xxx.xxx.178[4500] to xxx.xxx.xxx.254[4500] (76 bytes)
00:04:38 charon: 14[MGR] checkin IKE_SA VpnEssenFrankfurt[358]
00:04:38 charon: 14[MGR] check-in of IKE_SA successful.
00:04:38 charon: 15[MGR] checkout IKE_SA by message
00:04:38 charon: 15[MGR] IKE_SA VpnEssenFrankfurt[358] successfully checked out
00:04:38 charon: 15[NET] received packet: from xxx.xxx.xxx.254[4500] to xxx.xxx.xxx.178[4500] (76 bytes)
00:04:38 charon: 15[ENC] parsed INFORMATIONAL response 7 [ D ]
00:04:38 charon: 15[IKE] received DELETE for ESP CHILD_SA with SPI c65836f7
00:04:38 charon: 15[IKE] CHILD_SA closed
00:04:38 charon: 15[IKE] activating new tasks
00:04:38 charon: 15[IKE] nothing to initiate
00:04:38 charon: 15[MGR] checkin IKE_SA VpnEssenFrankfurt[358]
00:04:38 charon: 15[MGR] check-in of IKE_SA successful.
00:04:41 charon: 16[MGR] checkout IKE_SA
00:04:41 charon: 16[MGR] IKE_SA VpnEssenFrankfurt[358] successfully checked out
00:04:41 charon: 16[MGR] checkin IKE_SA VpnEssenFrankfurt[358]
00:04:41 charon: 16[MGR] check-in of IKE_SA successful.
00:04:42 charon: 03[MGR] checkout IKE_SA
00:04:42 charon: 03[MGR] IKE_SA VpnEssenFrankfurt[358] successfully checked out
00:04:42 charon: 03[MGR] checkin IKE_SA VpnEssenFrankfurt[358]
00:04:42 charon: 03[MGR] check-in of IKE_SA successful.
00:04:55 charon: 05[MGR] checkout IKE_SA
00:04:55 charon: 05[MGR] IKE_SA VpnEssenLimburg[359] successfully checked out
00:04:55 charon: 05[MGR] checkin IKE_SA VpnEssenLimburg[359]
00:04:55 charon: 05[MGR] check-in of IKE_SA successful.
00:05:29 charon: 14[MGR] checkout IKE_SA
00:05:29 charon: 14[MGR] IKE_SA VpnEssenFlorstadt[360] successfully checked out
00:05:29 charon: 14[MGR] checkin IKE_SA VpnEssenFlorstadt[360]
00:05:29 charon: 14[MGR] check-in of IKE_SA successful.
00:06:27 charon: 07[MGR] checkout IKE_SA
00:06:27 charon: 07[MGR] IKE_SA VpnEssenFrankfurt[358] successfully checked out
00:06:27 charon: 07[MGR] checkin IKE_SA VpnEssenFrankfurt[358]
00:06:27 charon: 07[MGR] check-in of IKE_SA successful.
00:06:54 charon: 01[MGR] checkout IKE_SA
00:06:54 charon: 01[MGR] IKE_SA VpnEssenLimburg[359] successfully checked out
00:06:54 charon: 01[MGR] checkin IKE_SA VpnEssenLimburg[359]
00:06:54 charon: 01[MGR] check-in of IKE_SA successful.
00:07:29 charon: 11[MGR] checkout IKE_SA
00:07:29 charon: 11[MGR] IKE_SA VpnEssenFlorstadt[360] successfully checked out
00:07:29 charon: 11[MGR] checkin IKE_SA VpnEssenFlorstadt[360]
00:07:29 charon: 11[MGR] check-in of IKE_SA successful.
00:08:27 charon: 15[MGR] checkout IKE_SA
00:08:27 charon: 15[MGR] IKE_SA VpnEssenFrankfurt[358] successfully checked out
00:08:27 charon: 15[MGR] checkin IKE_SA VpnEssenFrankfurt[358]
00:08:27 charon: 15[MGR] check-in of IKE_SA successful.
00:08:53 charon: 11[MGR] checkout IKE_SA
00:08:53 charon: 11[MGR] IKE_SA VpnEssenLimburg[359] successfully checked out
00:08:53 charon: 11[MGR] checkin IKE_SA VpnEssenLimburg[359]
00:08:53 charon: 11[MGR] check-in of IKE_SA successful.
00:09:28 charon: 14[MGR] checkout IKE_SA
00:09:28 charon: 14[MGR] IKE_SA VpnEssenFlorstadt[360] successfully checked out
00:09:28 charon: 14[MGR] checkin IKE_SA VpnEssenFlorstadt[360]
00:09:28 charon: 14[MGR] check-in of IKE_SA successful.
00:10:27 charon: 01[MGR] checkout IKE_SA
00:10:27 charon: 01[MGR] IKE_SA VpnEssenFrankfurt[358] successfully checked out
00:10:27 charon: 01[MGR] checkin IKE_SA VpnEssenFrankfurt[358]
00:10:27 charon: 01[MGR] check-in of IKE_SA successful.
00:10:34 charon: 04[MGR] checkout IKE_SA
00:10:34 charon: 04[MGR] IKE_SA VpnEssenLimburg[359] successfully checked out
00:10:34 charon: 04[MGR] checkin IKE_SA VpnEssenLimburg[359]
00:10:34 charon: 04[MGR] check-in of IKE_SA successful.
00:11:27 charon: 06[MGR] checkout IKE_SA
00:11:27 charon: 06[MGR] IKE_SA VpnEssenFlorstadt[360] successfully checked out
00:11:27 charon: 06[MGR] checkin IKE_SA VpnEssenFlorstadt[360]
00:11:27 charon: 06[MGR] check-in of IKE_SA successful.
00:11:27 charon: 07[MGR] checkout IKE_SA
00:11:27 charon: 07[MGR] IKE_SA VpnEssenFrankfurt[358] successfully checked out
00:11:27 charon: 07[IKE] sending DPD request
00:11:27 charon: 07[IKE] queueing IKE_DPD task
00:11:27 charon: 07[IKE] activating new tasks
00:11:27 charon: 07[IKE] activating IKE_DPD task
00:11:27 charon: 07[ENC] generating INFORMATIONAL request 8 [ ]
00:11:27 charon: 07[NET] sending packet: from xxx.xxx.xxx.178[4500] to xxx.xxx.xxx.254[4500] (76 bytes)
00:11:27 charon: 07[MGR] checkin IKE_SA VpnEssenFrankfurt[358]
00:11:27 charon: 07[MGR] check-in of IKE_SA successful.
00:11:31 charon: 09[MGR] checkout IKE_SA
00:11:31 charon: 09[MGR] IKE_SA VpnEssenFrankfurt[358] successfully checked out
00:11:31 charon: 09[IKE] retransmit 1 of request with message ID 8
00:11:31 charon: 09[NET] sending packet: from xxx.xxx.xxx.178[4500] to xxx.xxx.xxx.254[4500] (76 bytes)
00:11:31 charon: 09[MGR] checkin IKE_SA VpnEssenFrankfurt[358]
00:11:31 charon: 09[MGR] check-in of IKE_SA successful.
00:11:39 charon: 04[MGR] checkout IKE_SA
00:11:39 charon: 04[MGR] IKE_SA VpnEssenFrankfurt[358] successfully checked out
00:11:39 charon: 04[IKE] retransmit 2 of request with message ID 8
00:11:39 charon: 04[NET] sending packet: from xxx.xxx.xxx.178[4500] to xxx.xxx.xxx.254[4500] (76 bytes)
00:11:39 charon: 04[MGR] checkin IKE_SA VpnEssenFrankfurt[358]
00:11:39 charon: 04[MGR] check-in of IKE_SA successful.
00:11:52 charon: 14[MGR] checkout IKE_SA
00:11:52 charon: 14[MGR] IKE_SA VpnEssenFrankfurt[358] successfully checked out
00:11:52 charon: 14[IKE] retransmit 3 of request with message ID 8
00:11:52 charon: 14[NET] sending packet: from xxx.xxx.xxx.178[4500] to xxx.xxx.xxx.254[4500] (76 bytes)
00:11:52 charon: 14[MGR] checkin IKE_SA VpnEssenFrankfurt[358]
00:11:52 charon: 14[MGR] check-in of IKE_SA successful.
00:12:15 charon: 09[MGR] checkout IKE_SA
00:12:15 charon: 09[MGR] IKE_SA VpnEssenFrankfurt[358] successfully checked out
00:12:15 charon: 09[IKE] retransmit 4 of request with message ID 8
00:12:15 charon: 09[NET] sending packet: from xxx.xxx.xxx.178[4500] to xxx.xxx.xxx.254[4500] (76 bytes)
00:12:15 charon: 09[MGR] checkin IKE_SA VpnEssenFrankfurt[358]
00:12:15 charon: 09[MGR] check-in of IKE_SA successful.
00:12:26 charon: 04[KNL] creating rekey job for ESP CHILD_SA with SPI c1b5daf6 and reqid {274}
00:12:26 charon: 04[MGR] checkout IKE_SA by ID
00:12:26 charon: 04[MGR] IKE_SA VpnEssenLimburg[359] successfully checked out
00:12:26 charon: 04[IKE] queueing CHILD_REKEY task
00:12:26 charon: 04[IKE] activating new tasks
00:12:26 charon: 04[IKE] activating CHILD_REKEY task
00:12:26 charon: 04[IKE] establishing CHILD_SA VpnEssenLimburg{274}
00:12:26 charon: 04[ENC] generating CREATE_CHILD_SA request 6 [ N(REKEY_SA) N(IPCOMP_SUP) SA No KE TSi TSr ]
00:12:26 charon: 04[NET] sending packet: from xxx.xxx.xxx.178[4500] to xxx.xxx.xxx.211[4500] (684 bytes)
00:12:26 charon: 04[MGR] checkin IKE_SA VpnEssenLimburg[359]
00:12:26 charon: 04[MGR] check-in of IKE_SA successful.
00:12:28 charon: 15[MGR] checkout IKE_SA by message
00:12:28 charon: 15[MGR] IKE_SA VpnEssenLimburg[359] successfully checked out
00:12:28 charon: 15[NET] received packet: from xxx.xxx.xxx.211[4500] to xxx.xxx.xxx.178[4500] (476 bytes)
00:12:28 charon: 15[ENC] parsed CREATE_CHILD_SA response 6 [ N(IPCOMP_SUP) SA No KE TSi TSr ]
00:12:28 charon: 15[IKE] received IPCOMP_SUPPORTED notify
00:12:29 charon: 15[CHD] using AES_CBC for encryption
00:12:29 charon: 15[CHD] using HMAC_SHA1_96 for integrity
00:12:29 charon: 15[CHD] adding inbound ESP SA
00:12:29 charon: 15[CHD] SPI 0xc67aa799, src xxx.xxx.xxx.211 dst xxx.xxx.xxx.178
00:12:29 charon: 15[CHD] adding outbound ESP SA
00:12:29 charon: 15[CHD] SPI 0xcb8cbba1, src xxx.xxx.xxx.178 dst xxx.xxx.xxx.211
00:12:29 charon: 15[IKE] CHILD_SA VpnEssenLimburg{274} established with SPIs c67aa799_i cb8cbba1_o and TS 192.168.241.0/24 === 10.3.34.0/24
00:12:29 charon: 15[IKE] reinitiating already active tasks
00:12:29 charon: 15[IKE] CHILD_REKEY task
00:12:29 charon: 15[IKE] closing CHILD_SA VpnEssenLimburg{274} with SPIs c1b5daf6_i (74802 bytes) cf7e92e7_o (359517 bytes) and TS 192.168.241.0/24 === 10.3.34.0/24
00:12:29 charon: 15[IKE] sending DELETE for ESP CHILD_SA with SPI c1b5daf6
00:12:29 charon: 15[ENC] generating INFORMATIONAL request 7 [ D ]
00:12:29 charon: 15[NET] sending packet: from xxx.xxx.xxx.178[4500] to xxx.xxx.xxx.211[4500] (76 bytes)
00:12:29 charon: 15[MGR] checkin IKE_SA VpnEssenLimburg[359]
00:12:29 charon: 15[MGR] check-in of IKE_SA successful.
00:12:29 charon: 16[MGR] checkout IKE_SA by message
00:12:29 charon: 16[MGR] IKE_SA VpnEssenLimburg[359] successfully checked out
00:12:29 charon: 16[NET] received packet: from xxx.xxx.xxx.211[4500] to xxx.xxx.xxx.178[4500] (76 bytes)
00:12:29 charon: 16[ENC] parsed INFORMATIONAL response 7 [ D ]
00:12:29 charon: 16[IKE] received DELETE for ESP CHILD_SA with SPI cf7e92e7
00:12:29 charon: 16[IKE] CHILD_SA closed
Log entries from our device in Frankfurt
----------------------------------------
00:04:37 charon: 08[NET] received packet: from xxx.xxx.xxx.178[4500] to xxx.xxx.xxx.254[4500] (684 bytes)
00:04:37 charon: 08[ENC] parsed CREATE_CHILD_SA request 6 [ N(REKEY_SA) N(IPCOMP_SUP) SA No KE TSi TSr ]
00:04:38 charon: 08[KNL] getting CPI for reqid {278}
00:04:38 charon: 08[KNL] got CPI e971 for reqid {278}
00:04:38 charon: 08[KNL] getting SPI for reqid {278}
00:04:38 charon: 08[KNL] got SPI ceea1f93 for reqid {278}
00:04:38 charon: 08[CHD] using AES_CBC for encryption
00:04:38 charon: 08[CHD] using HMAC_SHA1_96 for integrity
00:04:38 charon: 08[CHD] adding inbound ESP SA
00:04:38 charon: 08[CHD] SPI 0xceea1f93, src xxx.xxx.xxx.178 dst xxx.xxx.xxx.254
00:04:38 charon: 08[KNL] adding SAD entry with SPI 0000e971 and reqid {278} (mark 0/0x00000000)
00:04:38 charon: 08[KNL] using compression algorithm IPCOMP_DEFLATE
00:04:38 charon: 08[KNL] adding SAD entry with SPI ceea1f93 and reqid {278} (mark 0/0x00000000)
00:04:38 charon: 08[KNL] using encryption algorithm AES_CBC with key size 128
00:04:38 charon: 08[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
00:04:38 charon: 08[KNL] using replay window of 32 packets
00:04:38 charon: 08[CHD] adding outbound ESP SA
00:04:38 charon: 08[CHD] SPI 0xc7f0b970, src xxx.xxx.xxx.254 dst xxx.xxx.xxx.178
00:04:38 charon: 08[KNL] adding SAD entry with SPI 00005576 and reqid {278} (mark 0/0x00000000)
00:04:38 charon: 08[KNL] using compression algorithm IPCOMP_DEFLATE
00:04:38 charon: 08[KNL] adding SAD entry with SPI c7f0b970 and reqid {278} (mark 0/0x00000000)
00:04:38 charon: 08[KNL] using encryption algorithm AES_CBC with key size 128
00:04:38 charon: 08[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
00:04:38 charon: 08[KNL] using replay window of 32 packets
00:04:38 charon: 08[KNL] policy 10.2.34.0/24 === 192.168.241.0/24 out (mark 0/0x00000000) already exists, increasing refcount
00:04:38 charon: 08[KNL] policy 192.168.241.0/24 === 10.2.34.0/24 in (mark 0/0x00000000) already exists, increasing refcount
00:04:38 charon: 08[KNL] policy 192.168.241.0/24 === 10.2.34.0/24 fwd (mark 0/0x00000000) already exists, increasing refcount
00:04:38 charon: 08[KNL] policy 10.2.34.0/24 === 192.168.241.0/24 out (mark 0/0x00000000) already exists, increasing refcount
00:04:38 charon: 08[KNL] updating policy 10.2.34.0/24 === 192.168.241.0/24 out (mark 0/0x00000000)
00:04:38 charon: 08[KNL] policy 192.168.241.0/24 === 10.2.34.0/24 in (mark 0/0x00000000) already exists, increasing refcount
00:04:38 charon: 08[KNL] updating policy 192.168.241.0/24 === 10.2.34.0/24 in (mark 0/0x00000000)
00:04:38 charon: 08[KNL] policy 192.168.241.0/24 === 10.2.34.0/24 fwd (mark 0/0x00000000) already exists, increasing refcount
00:04:38 charon: 08[KNL] updating policy 192.168.241.0/24 === 10.2.34.0/24 fwd (mark 0/0x00000000)
00:04:38 charon: 08[KNL] getting a local address in traffic selector 10.2.34.0/24
00:04:38 charon: 08[KNL] using host 10.2.34.1
00:04:38 charon: 08[KNL] using xxx.xxx.xxx.253 as nexthop to reach xxx.xxx.xxx.178/32
00:04:38 charon: 08[KNL] xxx.xxx.xxx.254 is on interface red0
00:04:38 charon: 08[IKE] CHILD_SA VpnFrankfurtEssen{278} established with SPIs ceea1f93_i c7f0b970_o and TS 10.2.34.0/24 === 192.168.241.0/24
00:04:38 charon: 08[ENC] generating CREATE_CHILD_SA response 6 [ N(IPCOMP_SUP) SA No KE TSi TSr ]
00:04:38 charon: 08[NET] sending packet: from xxx.xxx.xxx.254[4500] to xxx.xxx.xxx.178[4500] (476 bytes)
00:04:38 charon: 07[NET] received packet: from xxx.xxx.xxx.178[4500] to xxx.xxx.xxx.254[4500] (76 bytes)
00:04:38 charon: 07[ENC] parsed INFORMATIONAL request 7 [ D ]
00:04:38 charon: 07[IKE] received DELETE for ESP CHILD_SA with SPI c3934b0a
00:04:38 charon: 07[KNL] querying SAD entry with SPI c65836f7 (mark 0/0x00000000)
00:04:38 charon: 07[KNL] querying SAD entry with SPI c3934b0a (mark 0/0x00000000)
00:04:38 charon: 07[IKE] closing CHILD_SA VpnFrankfurtEssen{278} with SPIs c65836f7_i (244242 bytes) c3934b0a_o (143509 bytes) and TS 10.2.34.0/24 === 192.168.241.0/24
00:04:38 charon: 07[IKE] sending DELETE for ESP CHILD_SA with SPI c65836f7
00:04:38 charon: 07[IKE] CHILD_SA closed
00:04:38 charon: 07[KNL] deleting SAD entry with SPI 000098d8 (mark 0/0x00000000)
00:04:38 charon: 07[KNL] deleted SAD entry with SPI 000098d8 (mark 0/0x00000000)
00:04:38 charon: 07[KNL] deleting SAD entry with SPI c65836f7 (mark 0/0x00000000)
00:04:38 charon: 07[KNL] deleted SAD entry with SPI c65836f7 (mark 0/0x00000000)
00:04:38 charon: 07[KNL] deleting SAD entry with SPI 0000ad25 (mark 0/0x00000000)
00:04:38 charon: 07[KNL] deleted SAD entry with SPI 0000ad25 (mark 0/0x00000000)
00:04:38 charon: 07[KNL] deleting SAD entry with SPI c3934b0a (mark 0/0x00000000)
00:04:38 charon: 07[KNL] deleted SAD entry with SPI c3934b0a (mark 0/0x00000000)
00:04:38 charon: 07[KNL] deleting policy 10.2.34.0/24 === 192.168.241.0/24 out (mark 0/0x00000000)
00:04:38 charon: 07[KNL] policy still used by another CHILD_SA, not removed
00:04:38 charon: 07[KNL] updating policy 10.2.34.0/24 === 192.168.241.0/24 out (mark 0/0x00000000)
00:04:38 charon: 07[KNL] deleting policy 192.168.241.0/24 === 10.2.34.0/24 in (mark 0/0x00000000)
00:04:38 charon: 07[KNL] policy still used by another CHILD_SA, not removed
00:04:38 charon: 07[KNL] updating policy 192.168.241.0/24 === 10.2.34.0/24 in (mark 0/0x00000000)
00:04:38 charon: 07[KNL] deleting policy 192.168.241.0/24 === 10.2.34.0/24 fwd (mark 0/0x00000000)
00:04:39 charon: 07[KNL] policy still used by another CHILD_SA, not removed
00:04:39 charon: 07[KNL] updating policy 192.168.241.0/24 === 10.2.34.0/24 fwd (mark 0/0x00000000)
00:04:39 charon: 07[KNL] getting a local address in traffic selector 10.2.34.0/24
00:04:39 charon: 07[KNL] using host 10.2.34.1
00:04:39 charon: 07[KNL] using xxx.xxx.xxx.253 as nexthop to reach xxx.xxx.xxx.178/32
00:04:39 charon: 07[KNL] xxx.xxx.xxx.254 is on interface red0
00:04:39 charon: 07[KNL] deleting policy 10.2.34.0/24 === 192.168.241.0/24 out (mark 0/0x00000000)
00:04:39 charon: 07[KNL] policy still used by another CHILD_SA, not removed
00:04:39 charon: 07[KNL] deleting policy 192.168.241.0/24 === 10.2.34.0/24 in (mark 0/0x00000000)
00:04:39 charon: 07[KNL] policy still used by another CHILD_SA, not removed
00:04:39 charon: 07[KNL] deleting policy 192.168.241.0/24 === 10.2.34.0/24 fwd (mark 0/0x00000000)
00:04:39 charon: 07[KNL] policy still used by another CHILD_SA, not removed
00:04:39 charon: 07[KNL] policy still used by another CHILD_SA, not removed
00:04:39 charon: 07[ENC] generating INFORMATIONAL response 7 [ D ]
00:04:39 charon: 07[NET] sending packet: from xxx.xxx.xxx.254[4500] to xxx.xxx.xxx.178[4500] (76 bytes)
00:05:15 charon: 13[KNL] querying policy 10.4.34.0/24 === 10.2.34.0/24 in (mark 0/0x00000000)
00:05:15 charon: 13[KNL] querying policy 10.4.34.0/24 === 10.2.34.0/24 in (mark 0/0x00000000)
00:05:15 charon: 13[KNL] querying policy 10.4.34.0/24 === 10.2.34.0/24 fwd (mark 0/0x00000000)
00:05:15 charon: 13[KNL] querying policy 10.4.34.0/24 === 10.2.34.0/24 fwd (mark 0/0x00000000)
00:05:47 charon: 05[KNL] querying policy 10.3.34.0/24 === 10.2.34.0/24 in (mark 0/0x00000000)
00:05:47 charon: 05[KNL] querying policy 10.3.34.0/24 === 10.2.34.0/24 in (mark 0/0x00000000)
00:05:47 charon: 05[KNL] querying policy 10.3.34.0/24 === 10.2.34.0/24 fwd (mark 0/0x00000000)
00:05:47 charon: 05[KNL] querying policy 10.3.34.0/24 === 10.2.34.0/24 fwd (mark 0/0x00000000)
00:06:16 charon: 05[KNL] querying policy 192.168.241.0/24 === 10.2.34.0/24 in (mark 0/0x00000000)
00:06:16 charon: 05[KNL] querying policy 192.168.241.0/24 === 10.2.34.0/24 in (mark 0/0x00000000)
00:06:16 charon: 05[KNL] querying policy 192.168.241.0/24 === 10.2.34.0/24 fwd (mark 0/0x00000000)
00:06:16 charon: 05[KNL] querying policy 192.168.241.0/24 === 10.2.34.0/24 fwd (mark 0/0x00000000)
00:07:15 charon: 09[KNL] querying policy 10.4.34.0/24 === 10.2.34.0/24 in (mark 0/0x00000000)
00:07:15 charon: 09[KNL] querying policy 10.4.34.0/24 === 10.2.34.0/24 in (mark 0/0x00000000)
00:07:15 charon: 09[KNL] querying policy 10.4.34.0/24 === 10.2.34.0/24 fwd (mark 0/0x00000000)
00:07:15 charon: 09[KNL] querying policy 10.4.34.0/24 === 10.2.34.0/24 fwd (mark 0/0x00000000)
00:07:47 charon: 09[KNL] querying policy 10.3.34.0/24 === 10.2.34.0/24 in (mark 0/0x00000000)
00:07:47 charon: 09[KNL] querying policy 10.3.34.0/24 === 10.2.34.0/24 in (mark 0/0x00000000)
00:07:47 charon: 09[KNL] querying policy 10.3.34.0/24 === 10.2.34.0/24 fwd (mark 0/0x00000000)
00:07:47 charon: 09[KNL] querying policy 10.3.34.0/24 === 10.2.34.0/24 fwd (mark 0/0x00000000)
00:08:16 charon: 07[KNL] querying policy 192.168.241.0/24 === 10.2.34.0/24 in (mark 0/0x00000000)
00:08:16 charon: 07[KNL] querying policy 192.168.241.0/24 === 10.2.34.0/24 in (mark 0/0x00000000)
00:08:16 charon: 07[KNL] querying policy 192.168.241.0/24 === 10.2.34.0/24 fwd (mark 0/0x00000000)
00:08:16 charon: 07[KNL] querying policy 192.168.241.0/24 === 10.2.34.0/24 fwd (mark 0/0x00000000)
00:09:15 charon: 08[KNL] querying policy 10.4.34.0/24 === 10.2.34.0/24 in (mark 0/0x00000000)
00:09:15 charon: 08[KNL] querying policy 10.4.34.0/24 === 10.2.34.0/24 in (mark 0/0x00000000)
00:09:15 charon: 08[KNL] querying policy 10.4.34.0/24 === 10.2.34.0/24 fwd (mark 0/0x00000000)
00:09:15 charon: 08[KNL] querying policy 10.4.34.0/24 === 10.2.34.0/24 fwd (mark 0/0x00000000)
00:09:47 charon: 16[KNL] querying policy 10.3.34.0/24 === 10.2.34.0/24 in (mark 0/0x00000000)
00:09:47 charon: 16[KNL] querying policy 10.3.34.0/24 === 10.2.34.0/24 in (mark 0/0x00000000)
00:09:47 charon: 16[KNL] querying policy 10.3.34.0/24 === 10.2.34.0/24 fwd (mark 0/0x00000000)
00:09:47 charon: 16[KNL] querying policy 10.3.34.0/24 === 10.2.34.0/24 fwd (mark 0/0x00000000)
00:10:15 charon: 13[KNL] querying policy 192.168.241.0/24 === 10.2.34.0/24 in (mark 0/0x00000000)
00:10:15 charon: 13[KNL] querying policy 192.168.241.0/24 === 10.2.34.0/24 in (mark 0/0x00000000)
00:10:15 charon: 13[KNL] querying policy 192.168.241.0/24 === 10.2.34.0/24 fwd (mark 0/0x00000000)
00:10:15 charon: 13[KNL] querying policy 192.168.241.0/24 === 10.2.34.0/24 fwd (mark 0/0x00000000)
00:11:11 charon: 05[KNL] querying policy 10.4.34.0/24 === 10.2.34.0/24 in (mark 0/0x00000000)
00:11:11 charon: 05[KNL] querying policy 10.4.34.0/24 === 10.2.34.0/24 in (mark 0/0x00000000)
00:11:11 charon: 05[KNL] querying policy 10.4.34.0/24 === 10.2.34.0/24 fwd (mark 0/0x00000000)
00:11:11 charon: 05[KNL] querying policy 10.4.34.0/24 === 10.2.34.0/24 fwd (mark 0/0x00000000)
00:11:15 charon: 15[KNL] querying policy 10.4.34.0/24 === 10.2.34.0/24 in (mark 0/0x00000000)
00:11:15 charon: 15[KNL] querying policy 10.4.34.0/24 === 10.2.34.0/24 in (mark 0/0x00000000)
00:11:15 charon: 15[KNL] querying policy 10.4.34.0/24 === 10.2.34.0/24 fwd (mark 0/0x00000000)
00:11:15 charon: 15[KNL] querying policy 10.4.34.0/24 === 10.2.34.0/24 fwd (mark 0/0x00000000)
00:11:15 charon: 15[IKE] sending DPD request
00:11:15 charon: 15[IKE] sending DPD request
00:11:15 charon: 15[IKE] queueing IKE_DPD task
00:11:15 charon: 15[IKE] queueing IKE_DPD task
00:11:15 charon: 15[IKE] activating new tasks
00:11:15 charon: 15[IKE] activating new tasks
00:11:15 charon: 15[IKE] activating IKE_DPD task
00:11:15 charon: 15[IKE] activating IKE_DPD task
00:11:15 charon: 15[ENC] generating INFORMATIONAL request 6 [ ]
00:11:15 charon: 15[NET] sending packet: from xxx.xxx.xxx.254[4500] to xxx.xxx.xxx.238[4500] (76 bytes)
00:11:19 charon: 08[IKE] retransmit 1 of request with message ID 6
00:11:19 charon: 08[IKE] retransmit 1 of request with message ID 6
00:11:19 charon: 08[NET] sending packet: from xxx.xxx.xxx.254[4500] to xxx.xxx.xxx.238[4500] (76 bytes)
00:11:27 charon: 03[IKE] retransmit 2 of request with message ID 6
00:11:27 charon: 03[IKE] retransmit 2 of request with message ID 6
00:11:27 charon: 03[NET] sending packet: from xxx.xxx.xxx.254[4500] to xxx.xxx.xxx.238[4500] (76 bytes)
00:11:27 charon: 14[KNL] querying policy 192.168.241.0/24 === 10.2.34.0/24 in (mark 0/0x00000000)
00:11:27 charon: 14[KNL] querying policy 192.168.241.0/24 === 10.2.34.0/24 in (mark 0/0x00000000)
00:11:27 charon: 14[KNL] querying policy 192.168.241.0/24 === 10.2.34.0/24 fwd (mark 0/0x00000000)
00:11:27 charon: 14[KNL] querying policy 192.168.241.0/24 === 10.2.34.0/24 fwd (mark 0/0x00000000)
00:11:27 charon: 14[IKE] sending DPD request
00:11:27 charon: 14[IKE] sending DPD request
00:11:27 charon: 14[IKE] queueing IKE_DPD task
00:11:27 charon: 14[IKE] queueing IKE_DPD task
00:11:27 charon: 14[IKE] activating new tasks
00:11:27 charon: 14[IKE] activating new tasks
00:11:27 charon: 14[IKE] activating IKE_DPD task
00:11:27 charon: 14[IKE] activating IKE_DPD task
00:11:27 charon: 14[ENC] generating INFORMATIONAL request 2 [ ]
00:11:27 charon: 14[NET] sending packet: from xxx.xxx.xxx.254[4500] to xxx.xxx.xxx.178[4500] (76 bytes)
00:11:27 charon: 13[KNL] querying policy 10.3.34.0/24 === 10.2.34.0/24 in (mark 0/0x00000000)
00:11:27 charon: 13[KNL] querying policy 10.3.34.0/24 === 10.2.34.0/24 in (mark 0/0x00000000)
00:11:27 charon: 13[KNL] querying policy 10.3.34.0/24 === 10.2.34.0/24 fwd (mark 0/0x00000000)
00:11:27 charon: 13[KNL] querying policy 10.3.34.0/24 === 10.2.34.0/24 fwd (mark 0/0x00000000)
00:11:27 charon: 13[IKE] sending DPD request
00:11:27 charon: 13[IKE] sending DPD request
00:11:27 charon: 13[IKE] queueing IKE_DPD task
00:11:27 charon: 13[IKE] queueing IKE_DPD task
00:11:27 charon: 13[IKE] activating new tasks
00:11:27 charon: 13[IKE] activating new tasks
00:11:27 charon: 13[IKE] activating IKE_DPD task
00:11:27 charon: 13[IKE] activating IKE_DPD task
00:11:27 charon: 13[ENC] generating INFORMATIONAL request 6 [ ]
00:11:27 charon: 13[NET] sending packet: from xxx.xxx.xxx.254[4500] to xxx.xxx.xxx.211[4500] (76 bytes)
00:11:31 charon: 15[IKE] retransmit 1 of request with message ID 2
00:11:31 charon: 15[IKE] retransmit 1 of request with message ID 2
00:11:31 charon: 15[NET] sending packet: from xxx.xxx.xxx.254[4500] to xxx.xxx.xxx.178[4500] (76 bytes)
00:11:31 charon: 01[IKE] retransmit 1 of request with message ID 6
00:11:31 charon: 01[IKE] retransmit 1 of request with message ID 6
00:11:31 charon: 01[NET] sending packet: from xxx.xxx.xxx.254[4500] to xxx.xxx.xxx.211[4500] (76 bytes)
00:11:38 charon: 12[IKE] retransmit 2 of request with message ID 2
00:11:38 charon: 12[IKE] retransmit 2 of request with message ID 2
00:11:38 charon: 12[NET] sending packet: from xxx.xxx.xxx.254[4500] to xxx.xxx.xxx.178[4500] (76 bytes)
00:11:38 charon: 16[IKE] retransmit 2 of request with message ID 6
00:11:38 charon: 16[IKE] retransmit 2 of request with message ID 6
00:11:38 charon: 16[NET] sending packet: from xxx.xxx.xxx.254[4500] to xxx.xxx.xxx.211[4500] (76 bytes)
00:11:40 charon: 13[IKE] retransmit 3 of request with message ID 6
00:11:40 charon: 13[IKE] retransmit 3 of request with message ID 6
00:11:40 charon: 13[NET] sending packet: from xxx.xxx.xxx.254[4500] to xxx.xxx.xxx.238[4500] (76 bytes)
00:11:51 charon: 09[IKE] retransmit 3 of request with message ID 2
00:11:51 charon: 09[IKE] retransmit 3 of request with message ID 2
00:11:51 charon: 09[NET] sending packet: from xxx.xxx.xxx.254[4500] to xxx.xxx.xxx.178[4500] (76 bytes)
00:11:51 charon: 08[IKE] retransmit 3 of request with message ID 6
00:11:51 charon: 08[IKE] retransmit 3 of request with message ID 6
00:11:51 charon: 08[NET] sending packet: from xxx.xxx.xxx.254[4500] to xxx.xxx.xxx.211[4500] (76 bytes)
00:12:03 charon: 13[IKE] retransmit 4 of request with message ID 6
00:12:03 charon: 13[IKE] retransmit 4 of request with message ID 6
00:12:03 charon: 13[NET] sending packet: from xxx.xxx.xxx.254[4500] to xxx.xxx.xxx.238[4500] (76 bytes)
00:12:14 charon: 09[IKE] retransmit 4 of request with message ID 2
00:12:14 charon: 09[IKE] retransmit 4 of request with message ID 2
00:12:14 charon: 09[NET] sending packet: from xxx.xxx.xxx.254[4500] to xxx.xxx.xxx.178[4500] (76 bytes)
00:12:15 charon: 08[IKE] retransmit 4 of request with message ID 6
00:12:15 charon: 08[IKE] retransmit 4 of request with message ID 6
00:12:15 charon: 08[NET] sending packet: from xxx.xxx.xxx.254[4500] to xxx.xxx.xxx.211[4500] (76 bytes)
00:12:45 charon: 16[IKE] retransmit 5 of request with message ID 6
00:12:45 charon: 16[IKE] retransmit 5 of request with message ID 6
00:12:45 charon: 16[NET] sending packet: from xxx.xxx.xxx.254[4500] to xxx.xxx.xxx.238[4500] (76 bytes)
00:12:56 charon: 15[IKE] retransmit 5 of request with message ID 2
00:12:56 charon: 15[IKE] retransmit 5 of request with message ID 2
00:12:56 charon: 15[NET] sending packet: from xxx.xxx.xxx.254[4500] to xxx.xxx.xxx.178[4500] (76 bytes)
00:12:57 charon: 01[IKE] retransmit 5 of request with message ID 6
00:12:57 charon: 01[IKE] retransmit 5 of request with message ID 6
00:12:57 charon: 01[NET] sending packet: from xxx.xxx.xxx.254[4500] to xxx.xxx.xxx.211[4500] (76 bytes)
00:14:00 charon: 03[IKE] giving up after 5 retransmits
00:14:00 charon: 03[IKE] giving up after 5 retransmits
Updown script executions in Frankfurt
-------------------------------------
The connection failed at or before 00:11:30 according to Icinga, even before the updown script was executed. Of course all times are synced.
Feb 11 22:05:36 gateway charon: 05[CHD] running updown script: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='up-client' PLUTO_CONNECTION='VpnFrankfurtFlorstadt' PLUTO_INTERFACE='red0' PLUTO_REQID='283' PLUTO_PROTO='esp' PLUTO_UNIQUEID='18795' PLUTO_ME='xxx.xxx.xxx.254' PLUTO_MY_ID='xxx.xxx.xxx.254' PLUTO_MY_CLIENT='10.2.34.0/24' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='xxx.xxx.xxx.238' PLUTO_PEER_ID='xxx.xxx.xxx.238' PLUTO_PEER_CLIENT='10.4.34.0/24' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_IPCOMP='1' PLUTO_HOST_ACCESS='1' ipsec _updown iptables
Feb 11 22:05:36 gateway charon: 05[CHD] running updown script: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='up-client' PLUTO_CONNECTION='VpnFrankfurtFlorstadt' PLUTO_INTERFACE='red0' PLUTO_REQID='283' PLUTO_PROTO='esp' PLUTO_UNIQUEID='18795' PLUTO_ME='xxx.xxx.xxx.254' PLUTO_MY_ID='xxx.xxx.xxx.254' PLUTO_MY_CLIENT='10.2.34.0/24' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='xxx.xxx.xxx.238' PLUTO_PEER_ID='xxx.xxx.xxx.238' PLUTO_PEER_CLIENT='10.4.34.0/24' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_IPCOMP='1' PLUTO_HOST_ACCESS='1' ipsec _updown iptables
Feb 12 00:14:01 gateway charon: 03[CHD] running updown script: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='down-client' PLUTO_CONNECTION='VpnFrankfurtFlorstadt' PLUTO_INTERFACE='red0' PLUTO_REQID='283' PLUTO_PROTO='esp' PLUTO_UNIQUEID='18795' PLUTO_ME='xxx.xxx.xxx.254' PLUTO_MY_ID='xxx.xxx.xxx.254' PLUTO_MY_CLIENT='10.2.34.0/24' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='xxx.xxx.xxx.238' PLUTO_PEER_ID='xxx.xxx.xxx.238' PLUTO_PEER_CLIENT='10.4.34.0/24' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_IPCOMP='1' PLUTO_HOST_ACCESS='1' ipsec _updown iptables
Feb 12 00:14:01 gateway charon: 03[CHD] running updown script: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='down-client' PLUTO_CONNECTION='VpnFrankfurtFlorstadt' PLUTO_INTERFACE='red0' PLUTO_REQID='283' PLUTO_PROTO='esp' PLUTO_UNIQUEID='18795' PLUTO_ME='xxx.xxx.xxx.254' PLUTO_MY_ID='xxx.xxx.xxx.254' PLUTO_MY_CLIENT='10.2.34.0/24' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='xxx.xxx.xxx.238' PLUTO_PEER_ID='xxx.xxx.xxx.238' PLUTO_PEER_CLIENT='10.4.34.0/24' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_IPCOMP='1' PLUTO_HOST_ACCESS='1' ipsec _updown iptables
Feb 12 00:14:12 gateway charon: 09[CHD] running updown script: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='down-client' PLUTO_CONNECTION='VpnFrankfurtEssen' PLUTO_INTERFACE='red0' PLUTO_REQID='278' PLUTO_PROTO='esp' PLUTO_UNIQUEID='18793' PLUTO_ME='xxx.xxx.xxx.254' PLUTO_MY_ID='xxx.xxx.xxx.254' PLUTO_MY_CLIENT='10.2.34.0/24' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='xxx.xxx.xxx.178' PLUTO_PEER_ID='xxx.xxx.xxx.178' PLUTO_PEER_CLIENT='192.168.241.0/24' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_IPCOMP='1' PLUTO_HOST_ACCESS='1' ipsec _updown iptables
Feb 12 00:14:12 gateway charon: 09[CHD] running updown script: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='down-client' PLUTO_CONNECTION='VpnFrankfurtEssen' PLUTO_INTERFACE='red0' PLUTO_REQID='278' PLUTO_PROTO='esp' PLUTO_UNIQUEID='18793' PLUTO_ME='xxx.xxx.xxx.254' PLUTO_MY_ID='xxx.xxx.xxx.254' PLUTO_MY_CLIENT='10.2.34.0/24' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='xxx.xxx.xxx.178' PLUTO_PEER_ID='xxx.xxx.xxx.178' PLUTO_PEER_CLIENT='192.168.241.0/24' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_IPCOMP='1' PLUTO_HOST_ACCESS='1' ipsec _updown iptables
Feb 12 00:14:13 gateway charon: 07[CHD] running updown script: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='down-client' PLUTO_CONNECTION='VpnFrankfurtLimburg' PLUTO_INTERFACE='red0' PLUTO_REQID='289' PLUTO_PROTO='esp' PLUTO_UNIQUEID='18794' PLUTO_ME='xxx.xxx.xxx.254' PLUTO_MY_ID='xxx.xxx.xxx.254' PLUTO_MY_CLIENT='10.2.34.0/24' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='xxx.xxx.xxx.211' PLUTO_PEER_ID='xxx.xxx.xxx.211' PLUTO_PEER_CLIENT='10.3.34.0/24' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_IPCOMP='1' PLUTO_HOST_ACCESS='1' ipsec _updown iptables
Feb 12 00:14:13 gateway charon: 07[CHD] running updown script: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='down-client' PLUTO_CONNECTION='VpnFrankfurtLimburg' PLUTO_INTERFACE='red0' PLUTO_REQID='289' PLUTO_PROTO='esp' PLUTO_UNIQUEID='18794' PLUTO_ME='xxx.xxx.xxx.254' PLUTO_MY_ID='xxx.xxx.xxx.254' PLUTO_MY_CLIENT='10.2.34.0/24' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='xxx.xxx.xxx.211' PLUTO_PEER_ID='xxx.xxx.xxx.211' PLUTO_PEER_CLIENT='10.3.34.0/24' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_IPCOMP='1' PLUTO_HOST_ACCESS='1' ipsec _updown iptables
Feb 12 00:14:38 gateway charon: 09[CHD] running updown script: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='up-client' PLUTO_CONNECTION='VpnFrankfurtEssen' PLUTO_INTERFACE='red0' PLUTO_REQID='291' PLUTO_PROTO='esp' PLUTO_UNIQUEID='18799' PLUTO_ME='xxx.xxx.xxx.254' PLUTO_MY_ID='xxx.xxx.xxx.254' PLUTO_MY_CLIENT='10.2.34.0/24' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='xxx.xxx.xxx.178' PLUTO_PEER_ID='xxx.xxx.xxx.178' PLUTO_PEER_CLIENT='192.168.241.0/24' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_IPCOMP='1' PLUTO_HOST_ACCESS='1' ipsec _updown iptables
Feb 12 00:14:38 gateway charon: 09[CHD] running updown script: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='up-client' PLUTO_CONNECTION='VpnFrankfurtEssen' PLUTO_INTERFACE='red0' PLUTO_REQID='291' PLUTO_PROTO='esp' PLUTO_UNIQUEID='18799' PLUTO_ME='xxx.xxx.xxx.254' PLUTO_MY_ID='xxx.xxx.xxx.254' PLUTO_MY_CLIENT='10.2.34.0/24' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='xxx.xxx.xxx.178' PLUTO_PEER_ID='xxx.xxx.xxx.178' PLUTO_PEER_CLIENT='192.168.241.0/24' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_IPCOMP='1' PLUTO_HOST_ACCESS='1' ipsec _updown iptables
Feb 12 00:14:40 gateway charon: 03[CHD] running updown script: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='up-client' PLUTO_CONNECTION='VpnFrankfurtLimburg' PLUTO_INTERFACE='red0' PLUTO_REQID='292' PLUTO_PROTO='esp' PLUTO_UNIQUEID='18800' PLUTO_ME='xxx.xxx.xxx.254' PLUTO_MY_ID='xxx.xxx.xxx.254' PLUTO_MY_CLIENT='10.2.34.0/24' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='xxx.xxx.xxx.211' PLUTO_PEER_ID='xxx.xxx.xxx.211' PLUTO_PEER_CLIENT='10.3.34.0/24' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_IPCOMP='1' PLUTO_HOST_ACCESS='1' ipsec _updown iptables
Feb 12 00:14:40 gateway charon: 03[CHD] running updown script: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='up-client' PLUTO_CONNECTION='VpnFrankfurtLimburg' PLUTO_INTERFACE='red0' PLUTO_REQID='292' PLUTO_PROTO='esp' PLUTO_UNIQUEID='18800' PLUTO_ME='xxx.xxx.xxx.254' PLUTO_MY_ID='xxx.xxx.xxx.254' PLUTO_MY_CLIENT='10.2.34.0/24' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='xxx.xxx.xxx.211' PLUTO_PEER_ID='xxx.xxx.xxx.211' PLUTO_PEER_CLIENT='10.3.34.0/24' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_IPCOMP='1' PLUTO_HOST_ACCESS='1' ipsec _updown iptables
Feb 12 00:14:41 gateway charon: 05[CHD] running updown script: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='down-client' PLUTO_CONNECTION='VpnFrankfurtLimburg' PLUTO_INTERFACE='red0' PLUTO_REQID='292' PLUTO_PROTO='esp' PLUTO_UNIQUEID='18800' PLUTO_ME='xxx.xxx.xxx.254' PLUTO_MY_ID='xxx.xxx.xxx.254' PLUTO_MY_CLIENT='10.2.34.0/24' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='xxx.xxx.xxx.211' PLUTO_PEER_ID='xxx.xxx.xxx.211' PLUTO_PEER_CLIENT='10.3.34.0/24' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_IPCOMP='1' PLUTO_HOST_ACCESS='1' ipsec _updown iptables
Feb 12 00:14:41 gateway charon: 05[CHD] running updown script: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='down-client' PLUTO_CONNECTION='VpnFrankfurtLimburg' PLUTO_INTERFACE='red0' PLUTO_REQID='292' PLUTO_PROTO='esp' PLUTO_UNIQUEID='18800' PLUTO_ME='xxx.xxx.xxx.254' PLUTO_MY_ID='xxx.xxx.xxx.254' PLUTO_MY_CLIENT='10.2.34.0/24' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='xxx.xxx.xxx.211' PLUTO_PEER_ID='xxx.xxx.xxx.211' PLUTO_PEER_CLIENT='10.3.34.0/24' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_IPCOMP='1' PLUTO_HOST_ACCESS='1' ipsec _updown iptables
Feb 12 00:14:49 gateway charon: 03[CHD] running updown script: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='up-client' PLUTO_CONNECTION='VpnFrankfurtFlorstadt' PLUTO_INTERFACE='red0' PLUTO_REQID='293' PLUTO_PROTO='esp' PLUTO_UNIQUEID='18801' PLUTO_ME='xxx.xxx.xxx.254' PLUTO_MY_ID='xxx.xxx.xxx.254' PLUTO_MY_CLIENT='10.2.34.0/24' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='xxx.xxx.xxx.238' PLUTO_PEER_ID='xxx.xxx.xxx.238' PLUTO_PEER_CLIENT='10.4.34.0/24' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_IPCOMP='1' PLUTO_HOST_ACCESS='1' ipsec _updown iptables
Feb 12 00:14:49 gateway charon: 03[CHD] running updown script: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='up-client' PLUTO_CONNECTION='VpnFrankfurtFlorstadt' PLUTO_INTERFACE='red0' PLUTO_REQID='293' PLUTO_PROTO='esp' PLUTO_UNIQUEID='18801' PLUTO_ME='xxx.xxx.xxx.254' PLUTO_MY_ID='xxx.xxx.xxx.254' PLUTO_MY_CLIENT='10.2.34.0/24' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='xxx.xxx.xxx.238' PLUTO_PEER_ID='xxx.xxx.xxx.238' PLUTO_PEER_CLIENT='10.4.34.0/24' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_IPCOMP='1' PLUTO_HOST_ACCESS='1' ipsec _updown iptables
Feb 12 00:15:01 gateway charon: 11[CHD] running updown script: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='down-client' PLUTO_CONNECTION='VpnFrankfurtEssen' PLUTO_INTERFACE='red0' PLUTO_REQID='291' PLUTO_PROTO='esp' PLUTO_UNIQUEID='18799' PLUTO_ME='xxx.xxx.xxx.254' PLUTO_MY_ID='xxx.xxx.xxx.254' PLUTO_MY_CLIENT='10.2.34.0/24' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='xxx.xxx.xxx.178' PLUTO_PEER_ID='xxx.xxx.xxx.178' PLUTO_PEER_CLIENT='192.168.241.0/24' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_IPCOMP='1' PLUTO_HOST_ACCESS='1' ipsec _updown iptables
Feb 12 00:15:01 gateway charon: 11[CHD] running updown script: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='down-client' PLUTO_CONNECTION='VpnFrankfurtEssen' PLUTO_INTERFACE='red0' PLUTO_REQID='291' PLUTO_PROTO='esp' PLUTO_UNIQUEID='18799' PLUTO_ME='xxx.xxx.xxx.254' PLUTO_MY_ID='xxx.xxx.xxx.254' PLUTO_MY_CLIENT='10.2.34.0/24' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='xxx.xxx.xxx.178' PLUTO_PEER_ID='xxx.xxx.xxx.178' PLUTO_PEER_CLIENT='192.168.241.0/24' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_IPCOMP='1' PLUTO_HOST_ACCESS='1' ipsec _updown iptables
IPsec status in Essen before connection lost
--------------------------------------------
Time: 2015-02-12 00:01:00
Status of IKE charon daemon (strongSwan 5.2.0, Linux 3.10.44-ipfire, i686):
uptime: 33 days, since Jan 09 15:53:38 2015
malloc: sbrk 341152, mmap 0, used 188440, free 152712
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 11
loaded plugins: charon curl aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-noauth dhcp
Listening IP addresses:
192.168.241.67
xxx.xxx.xxx.178
Connections:
VpnEssenFrankfurt: xxx.xxx.xxx.178...xxx.xxx.xxx.254 IKEv2, dpddelay=120s
VpnEssenFrankfurt: local: [xxx.xxx.xxx.178] uses pre-shared key authentication
VpnEssenFrankfurt: remote: [xxx.xxx.xxx.254] uses pre-shared key authentication
VpnEssenFrankfurt: child: 192.168.241.0/24 === 10.2.34.0/24 TUNNEL, dpdaction=restart
VpnEssenLimburg: xxx.xxx.xxx.178...xxx.xxx.xxx.211 IKEv2, dpddelay=120s
VpnEssenLimburg: local: [xxx.xxx.xxx.178] uses pre-shared key authentication
VpnEssenLimburg: remote: [xxx.xxx.xxx.211] uses pre-shared key authentication
VpnEssenLimburg: child: 192.168.241.0/24 === 10.3.34.0/24 TUNNEL, dpdaction=restart
VpnEssenFlorstadt: xxx.xxx.xxx.178...xxx.xxx.xxx.238 IKEv2, dpddelay=120s
VpnEssenFlorstadt: local: [xxx.xxx.xxx.178] uses pre-shared key authentication
VpnEssenFlorstadt: remote: [xxx.xxx.xxx.238] uses pre-shared key authentication
VpnEssenFlorstadt: child: 192.168.241.0/24 === 10.4.34.0/24 TUNNEL, dpdaction=restart
Security Associations (3 up, 0 connecting):
VpnEssenFlorstadt[360]: ESTABLISHED 113 minutes ago, xxx.xxx.xxx.178[xxx.xxx.xxx.178]...xxx.xxx.xxx.238[xxx.xxx.xxx.238]
VpnEssenFlorstadt[360]: IKEv2 SPIs: 1672e20e09f964cb_i* c81d2964432ed277_r, pre-shared key reauthentication in 5 hours
VpnEssenFlorstadt[360]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
VpnEssenFlorstadt{268}: INSTALLED, TUNNEL, ESP SPIs: ca3ebd84_i c3ece683_o, IPCOMP CPIs: bba4_i 3cd1_o
VpnEssenFlorstadt{268}: AES_CBC_128/HMAC_SHA1_96, 25470 bytes_i (294 pkts, 4s ago), 24764 bytes_o (294 pkts, 4s ago), rekeying in 17 minutes
VpnEssenFlorstadt{268}: 192.168.241.0/24 === 10.4.34.0/24
VpnEssenLimburg[359]: ESTABLISHED 2 hours ago, xxx.xxx.xxx.178[xxx.xxx.xxx.178]...xxx.xxx.xxx.211[xxx.xxx.xxx.211]
VpnEssenLimburg[359]: IKEv2 SPIs: 482ada766f1f01ff_i* 199b67e53b708df5_r, pre-shared key reauthentication in 5 hours
VpnEssenLimburg[359]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
VpnEssenLimburg{274}: INSTALLED, TUNNEL, ESP SPIs: c1b5daf6_i cf7e92e7_o, IPCOMP CPIs: b933_i 6d88_o
VpnEssenLimburg{274}: AES_CBC_128/HMAC_SHA1_96, 55007 bytes_i (656 pkts, 3s ago), 264761 bytes_o (3214 pkts, 1s ago), rekeying in 11 minutes
VpnEssenLimburg{274}: 192.168.241.0/24 === 10.3.34.0/24
VpnEssenFrankfurt[358]: ESTABLISHED 3 hours ago, xxx.xxx.xxx.178[xxx.xxx.xxx.178]...xxx.xxx.xxx.254[xxx.xxx.xxx.254]
VpnEssenFrankfurt[358]: IKEv2 SPIs: 860cc9d8fb9eb58f_i 9dfc6304cfe9da7e_r*, pre-shared key reauthentication in 4 hours
VpnEssenFrankfurt[358]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
VpnEssenFrankfurt{277}: INSTALLED, TUNNEL, ESP SPIs: c3934b0a_i c65836f7_o, IPCOMP CPIs: ad25_i 98d8_o
VpnEssenFrankfurt{277}: AES_CBC_128/HMAC_SHA1_96, 132588 bytes_i (1402 pkts, 1s ago), 225100 bytes_o (1449 pkts, 1s ago), rekeying in 3 minutes
VpnEssenFrankfurt{277}: 192.168.241.0/24 === 10.2.34.0/24
IPsec status in Essen after connection lost + updown script
-----------------------------------------------------------
Time: 2015-02-12 01:01:00
Status of IKE charon daemon (strongSwan 5.2.0, Linux 3.10.44-ipfire, i686):
uptime: 33 days, since Jan 09 15:53:38 2015
malloc: sbrk 341152, mmap 0, used 180864, free 160288
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 15
loaded plugins: charon curl aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-noauth dhcp
Listening IP addresses:
192.168.241.67
xxx.xxx.xxx.178
Connections:
VpnEssenFrankfurt: xxx.xxx.xxx.178...xxx.xxx.xxx.254 IKEv2, dpddelay=120s
VpnEssenFrankfurt: local: [xxx.xxx.xxx.178] uses pre-shared key authentication
VpnEssenFrankfurt: remote: [xxx.xxx.xxx.254] uses pre-shared key authentication
VpnEssenFrankfurt: child: 192.168.241.0/24 === 10.2.34.0/24 TUNNEL, dpdaction=restart
VpnEssenLimburg: xxx.xxx.xxx.178...xxx.xxx.xxx.211 IKEv2, dpddelay=120s
VpnEssenLimburg: local: [xxx.xxx.xxx.178] uses pre-shared key authentication
VpnEssenLimburg: remote: [xxx.xxx.xxx.211] uses pre-shared key authentication
VpnEssenLimburg: child: 192.168.241.0/24 === 10.3.34.0/24 TUNNEL, dpdaction=restart
VpnEssenFlorstadt: xxx.xxx.xxx.178...xxx.xxx.xxx.238 IKEv2, dpddelay=120s
VpnEssenFlorstadt: local: [xxx.xxx.xxx.178] uses pre-shared key authentication
VpnEssenFlorstadt: remote: [xxx.xxx.xxx.238] uses pre-shared key authentication
VpnEssenFlorstadt: child: 192.168.241.0/24 === 10.4.34.0/24 TUNNEL, dpdaction=restart
Security Associations (2 up, 0 connecting):
VpnEssenFlorstadt[360]: ESTABLISHED 2 hours ago, xxx.xxx.xxx.178[xxx.xxx.xxx.178]...xxx.xxx.xxx.238[xxx.xxx.xxx.238]
VpnEssenFlorstadt[360]: IKEv2 SPIs: 1672e20e09f964cb_i* c81d2964432ed277_r, pre-shared key reauthentication in 4 hours
VpnEssenFlorstadt[360]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
VpnEssenFlorstadt{268}: INSTALLED, TUNNEL, ESP SPIs: c549f584_i c6cfde80_o, IPCOMP CPIs: 881a_i 1edf_o
VpnEssenFlorstadt{268}: AES_CBC_128/HMAC_SHA1_96, 41636 bytes_i (481 pkts, 5s ago), 40516 bytes_o (481 pkts, 5s ago), rekeying in 3 seconds
VpnEssenFlorstadt{268}: 192.168.241.0/24 === 10.4.34.0/24
VpnEssenLimburg[359]: ESTABLISHED 3 hours ago, xxx.xxx.xxx.178[xxx.xxx.xxx.178]...xxx.xxx.xxx.211[xxx.xxx.xxx.211]
VpnEssenLimburg[359]: IKEv2 SPIs: 482ada766f1f01ff_i* 199b67e53b708df5_r, pre-shared key reauthentication in 4 hours
VpnEssenLimburg[359]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
VpnEssenLimburg{274}: INSTALLED, TUNNEL, ESP SPIs: c388a508_i cf4bd6ea_o, IPCOMP CPIs: a212_i 72f0_o
VpnEssenLimburg{274}: AES_CBC_128/HMAC_SHA1_96, 6468 bytes_i (77 pkts, 3s ago), 31122 bytes_o (378 pkts, 1s ago), rekeying in 44 minutes
VpnEssenLimburg{274}: 192.168.241.0/24 === 10.3.34.0/24
IPsec status in Frankfurt before connection lost
------------------------------------------------
Time: 2015-02-12 00:01:01
Status of IKE charon daemon (strongSwan 5.2.0, Linux 3.10.44-ipfire, i686):
uptime: 33 days, since Jan 09 16:23:56 2015
malloc: sbrk 345328, mmap 0, used 202784, free 142544
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 12
loaded plugins: charon curl aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-noauth dhcp
Listening IP addresses:
10.2.34.1
xxx.xxx.xxx.254
Connections:
VpnFrankfurtFlorstadt: xxx.xxx.xxx.254...xxx.xxx.xxx.238 IKEv2, dpddelay=120s
VpnFrankfurtFlorstadt: local: [xxx.xxx.xxx.254] uses pre-shared key authentication
VpnFrankfurtFlorstadt: remote: [xxx.xxx.xxx.238] uses pre-shared key authentication
VpnFrankfurtFlorstadt: child: 10.2.34.0/24 === 10.4.34.0/24 TUNNEL, dpdaction=restart
VpnFrankfurtEssen: xxx.xxx.xxx.254...xxx.xxx.xxx.178 IKEv2, dpddelay=120s
VpnFrankfurtEssen: local: [xxx.xxx.xxx.254] uses pre-shared key authentication
VpnFrankfurtEssen: remote: [xxx.xxx.xxx.178] uses pre-shared key authentication
VpnFrankfurtEssen: child: 10.2.34.0/24 === 192.168.241.0/24 TUNNEL, dpdaction=restart
VpnFrankfurtLimburg: xxx.xxx.xxx.254...xxx.xxx.xxx.211 IKEv2, dpddelay=120s
VpnFrankfurtLimburg: local: [xxx.xxx.xxx.254] uses pre-shared key authentication
VpnFrankfurtLimburg: remote: [xxx.xxx.xxx.211] uses pre-shared key authentication
VpnFrankfurtLimburg: child: 10.2.34.0/24 === 10.3.34.0/24 TUNNEL, dpdaction=restart
Security Associations (3 up, 0 connecting):
VpnFrankfurtFlorstadt[18795]: ESTABLISHED 115 minutes ago, xxx.xxx.xxx.254[xxx.xxx.xxx.254]...xxx.xxx.xxx.238[xxx.xxx.xxx.238]
VpnFrankfurtFlorstadt[18795]: IKEv2 SPIs: 9d6b7a3d18dcd3a7_i* 90e8d8608bc9f5ec_r, pre-shared key reauthentication in 5 hours
VpnFrankfurtFlorstadt[18795]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
VpnFrankfurtFlorstadt{283}: INSTALLED, TUNNEL, ESP SPIs: c6ad6d82_i cf0abe45_o, IPCOMP CPIs: 44d9_i 568f_o
VpnFrankfurtFlorstadt{283}: AES_CBC_128/HMAC_SHA1_96, 194585 bytes_i (514 pkts, 25s ago), 200851 bytes_o (522 pkts, 26s ago), rekeying in 24 minutes
VpnFrankfurtFlorstadt{283}: 10.2.34.0/24 === 10.4.34.0/24
VpnFrankfurtLimburg[18794]: ESTABLISHED 118 minutes ago, xxx.xxx.xxx.254[xxx.xxx.xxx.254]...xxx.xxx.xxx.211[xxx.xxx.xxx.211]
VpnFrankfurtLimburg[18794]: IKEv2 SPIs: 401e534f568aa1a1_i* 731d9c46a3f89393_r, pre-shared key reauthentication in 5 hours
VpnFrankfurtLimburg[18794]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
VpnFrankfurtLimburg{289}: INSTALLED, TUNNEL, ESP SPIs: cdcc9c20_i cc957ba1_o, IPCOMP CPIs: c072_i 2873_o
VpnFrankfurtLimburg{289}: AES_CBC_128/HMAC_SHA1_96, 144112 bytes_i (376 pkts, 9s ago), 145595 bytes_o (384 pkts, 9s ago), rekeying in 21 minutes
VpnFrankfurtLimburg{289}: 10.2.34.0/24 === 10.3.34.0/24
VpnFrankfurtEssen[18793]: ESTABLISHED 3 hours ago, xxx.xxx.xxx.254[xxx.xxx.xxx.254]...xxx.xxx.xxx.178[xxx.xxx.xxx.178]
VpnFrankfurtEssen[18793]: IKEv2 SPIs: 860cc9d8fb9eb58f_i* 9dfc6304cfe9da7e_r, pre-shared key reauthentication in 4 hours
VpnFrankfurtEssen[18793]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
VpnFrankfurtEssen{278}: INSTALLED, TUNNEL, ESP SPIs: c65836f7_i c3934b0a_o, IPCOMP CPIs: 98d8_i ad25_o
VpnFrankfurtEssen{278}: AES_CBC_128/HMAC_SHA1_96, 225184 bytes_i (1450 pkts, 1s ago), 132672 bytes_o (1403 pkts, 1s ago), rekeying in 61 minutes
VpnFrankfurtEssen{278}: 10.2.34.0/24 === 192.168.241.0/24
IPsec status in Frankfurt after connection lost + updown script
---------------------------------------------------------------
Time: 2015-02-12 01:01:01
Status of IKE charon daemon (strongSwan 5.2.0, Linux 3.10.44-ipfire, i686):
uptime: 33 days, since Jan 09 16:23:56 2015
malloc: sbrk 345328, mmap 0, used 184640, free 160688
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 33
loaded plugins: charon curl aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-noauth dhcp
Listening IP addresses:
10.2.34.1
xxx.xxx.xxx.254
Connections:
VpnFrankfurtFlorstadt: xxx.xxx.xxx.254...xxx.xxx.xxx.238 IKEv2, dpddelay=120s
VpnFrankfurtFlorstadt: local: [xxx.xxx.xxx.254] uses pre-shared key authentication
VpnFrankfurtFlorstadt: remote: [xxx.xxx.xxx.238] uses pre-shared key authentication
VpnFrankfurtFlorstadt: child: 10.2.34.0/24 === 10.4.34.0/24 TUNNEL, dpdaction=restart
VpnFrankfurtEssen: xxx.xxx.xxx.254...xxx.xxx.xxx.178 IKEv2, dpddelay=120s
VpnFrankfurtEssen: local: [xxx.xxx.xxx.254] uses pre-shared key authentication
VpnFrankfurtEssen: remote: [xxx.xxx.xxx.178] uses pre-shared key authentication
VpnFrankfurtEssen: child: 10.2.34.0/24 === 192.168.241.0/24 TUNNEL, dpdaction=restart
VpnFrankfurtLimburg: xxx.xxx.xxx.254...xxx.xxx.xxx.211 IKEv2, dpddelay=120s
VpnFrankfurtLimburg: local: [xxx.xxx.xxx.254] uses pre-shared key authentication
VpnFrankfurtLimburg: remote: [xxx.xxx.xxx.211] uses pre-shared key authentication
VpnFrankfurtLimburg: child: 10.2.34.0/24 === 10.3.34.0/24 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
VpnFrankfurtFlorstadt[18804]: ESTABLISHED 18 minutes ago, xxx.xxx.xxx.254[xxx.xxx.xxx.254]...xxx.xxx.xxx.238[xxx.xxx.xxx.238]
VpnFrankfurtFlorstadt[18804]: IKEv2 SPIs: d98ed3c7efdf3ec6_i 18608cc0abfb5437_r*, pre-shared key reauthentication in 7 hours
VpnFrankfurtFlorstadt[18804]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Does anybody have any idea why this could happen? Any help is greatly appreciated.
Kind regards
Andreas Braun
-----Original Message-----
From: Martin Willi [mailto:martin at strongswan.org]
Sent: Tuesday, 20 January 2015 15:24
To: andreas.braun at bagus.de
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] Problem with rekey collisions
Hi Andreas,
> Now my problem is that tunnels between devices break every few days. The log
> states that strongSwan detects a CHILD_REKEY collision, then it resolves the
> collision, but no traffic is going through.
> I noticed that after a rekey collision, some iptables rules were gone. I
> still have to verify this in the production system.
Most likely we falsely invoke the updown script with a "down" event for
that rekey collision, as that CHILD_SA gets deleted (but actually is
still up with the "winning" instance). Probably we can fix that, but I
don't know how trivial it is.
> RETURN all -- 10.1.34.0/24 10.2.34.0/24 policy match dir in pol ipsec reqid 1 proto 50
> MARK all -- 10.2.34.0/24 10.1.34.0/24 policy match dir out pol ipsec reqid 1 proto 50 MARK set 0x32
Seems that there are some complex firewall rules involved, not sure if
that is provided by your IPFire distribution or if these are your custom
rules.
As a work-around, you could consider using static policy matching IPsec
rules (not for specific subnets) instead of those installed with updown.
But I really don't know if that works for your specific rules.
> 1.) Is there any way to check whether rekey time randomization really works
> as it should?
Given that they are triggered randomly, I'd guess that works as
expected/configured.
> 2.) Could you tell me why I am getting CHILD_REKEY collisions every few
> days? Is that to be expected?
Depends on your rekey configuration, latencies etc. Not unlikely that
these can happen, especially if you rekey every 40 minutes. You might
consider adjusting your rekey interval, margin and fuzz to reduce
collision probability.
Also you can use a shorter rekey time on one end, so rekeying is
guaranteed to get initiated by the same end only. This should make it
impossible that a collision happens if the options are chosen
carefully.
> 3.) Any idea why the iptables rules get changed after rekey collision?
As said, most likely because we invoke that updown hook once too often
in that specific collision case.
Regards
Martin
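Rekey-window arithmetic behind the suggestion above, as an added example (not strongSwan's own code): it models charon's scheduling as documented in ipsec.conf(5) and assumes the defaults margintime=9m and rekeyfuzz=100%, applied to the lifetimes posted in this thread (40 min on both ends originally, then keylife 1h/2h, and ikelifetime=8h on both ends).

```python
# Added example (not strongSwan's code): models charon's rekey scheduling as
# documented in ipsec.conf(5). An SA with `lifetime` is rekeyed at
# lifetime - margintime, where margintime is randomly increased by up to
# rekeyfuzz percent. Defaults assumed: margintime=9m, rekeyfuzz=100%.
import random

DEFAULT_MARGIN = 9 * 60   # margintime default in seconds (assumed)
DEFAULT_FUZZ = 100        # rekeyfuzz default in percent (assumed)


def rekey_window(lifetime, margin=DEFAULT_MARGIN, fuzz=DEFAULT_FUZZ):
    """Earliest and latest rekey time, in seconds after the SA was installed."""
    max_margin = margin * (1 + fuzz / 100)
    if max_margin >= lifetime:
        raise ValueError("margintime after fuzz must stay below lifetime")
    return lifetime - max_margin, lifetime - margin


def schedule_rekey(lifetime, margin=DEFAULT_MARGIN, fuzz=DEFAULT_FUZZ, rng=random):
    """One randomized rekey time, as charon would pick it for a fresh SA."""
    earliest, latest = rekey_window(lifetime, margin, fuzz)
    return rng.uniform(earliest, latest)


def can_collide(lifetime_a, lifetime_b, margin=DEFAULT_MARGIN, fuzz=DEFAULT_FUZZ, slack=0):
    """True if both ends may initiate a rekey of the same SA in overlapping windows.

    `slack` is the time the earlier end needs to finish its rekey exchange
    (latency, retransmits) before the other end could still start its own.
    """
    ea, la = rekey_window(lifetime_a, margin, fuzz)
    eb, lb = rekey_window(lifetime_b, margin, fuzz)
    # Collision-free only if one end is always done before the other may begin.
    return not (la + slack < eb or lb + slack < ea)


def min_safe_lifetime(lifetime_a, margin=DEFAULT_MARGIN, fuzz=DEFAULT_FUZZ, slack=0):
    """Lifetime the other end must strictly exceed so that only end A ever rekeys."""
    return lifetime_a + margin * fuzz / 100 + slack


if __name__ == "__main__":
    # Values from the thread: 40 min both ends, then 1h/2h, and ikelifetime=8h on
    # both ends (reauthentication is scheduled with the same margin and fuzz).
    for name, a, b in [("keylife 40m/40m", 2400, 2400),
                       ("keylife 1h/2h", 3600, 7200),
                       ("ikelifetime 8h/8h", 8 * 3600, 8 * 3600)]:
        print(f"{name}: windows {rekey_window(a)} / {rekey_window(b)}, "
              f"collision possible: {can_collide(a, b, slack=30)}")
    print("other end must exceed", min_safe_lifetime(3600, slack=30), "s for a 1h end")
```

With the defaults, a 1h end rekeys between 42 and 51 minutes, so the other end only needs a lifetime above 69 minutes (plus slack) to never initiate; equal lifetimes on both ends, as with ikelifetime=8h here, leave the windows fully overlapping.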