[strongSwan] Problem with rekey collisions

andreas.braun at bagus.de
Tue Feb 17 11:35:56 CET 2015


Hello again,

I have tried to work around the rekey collision problem by setting a 1 hour IPsec lifetime on one side and 2 hours on the other side, as Martin Willi suggested:

> Also you can use a shorter rekey time on one end, so rekeying is
> guaranteed to get initiated by the same end only. This should make it
> impossible that a collision happens if the options are chosen
> carefully. 

Unfortunately, we now hit another problem: the collisions are gone, but every few days, soon after midnight, IPsec connections fail (four times already). The network is not the problem. I hope I chose the options carefully enough:


Config in Essen
---------------
version 2

conn %default
        keyingtries=%forever

include /etc/ipsec.user.conf (empty)

conn VpnEssenFrankfurt
        left=xxx.xxx.xxx.178
        leftsubnet=192.168.241.0/24
        leftfirewall=yes
        lefthostaccess=yes
        right=xxx.xxx.xxx.254
        rightsubnet=10.2.34.0/24
        leftid="xxx.xxx.xxx.178"
        rightid="xxx.xxx.xxx.254"
        ike=aes128-sha-modp2048,aes128-sha-modp1536,aes128-sha-modp1024
        esp=aes128-sha1-modp2048,aes128-sha1-modp1536,aes128-sha1-modp1024
        keyexchange=ikev2
        ikelifetime=8h
        keylife=1h
        compress=yes
        dpdaction=restart
        dpddelay=120
        dpdtimeout=30
        authby=secret
        auto=start


Config in Frankfurt
-------------------
version 2

conn %default
        keyingtries=%forever

include /etc/ipsec.user.conf (empty)

conn VpnFrankfurtEssen
        left=xxx.xxx.xxx.254
        leftsubnet=10.2.34.0/24
        leftfirewall=yes
        lefthostaccess=yes
        right=xxx.xxx.xxx.178
        rightsubnet=192.168.241.0/24
        leftid="xxx.xxx.xxx.254"
        rightid="xxx.xxx.xxx.178"
        ike=aes128-sha-modp2048,aes128-sha-modp1536,aes128-sha-modp1024
        esp=aes128-sha1-modp2048,aes128-sha1-modp1536,aes128-sha1-modp1024
        keyexchange=ikev2
        ikelifetime=8h
        keylife=2h
        compress=yes
        dpdaction=restart
        dpddelay=120
        dpdtimeout=30
        authby=secret
        auto=start


IPsec lifetime in hours by location
-----------------------------------
LOC1	1:2	LOC2
	1:2	LOC3
	1:2	LOC4

LOC2	2:1	LOC1
	1:2	LOC3
	1:2	LOC4

LOC3	2:1	LOC1
	2:1	LOC2
	1:2	LOC4

LOC4	2:1	LOC1
	2:1	LOC2
	2:1	LOC3


Log entries from our device in Essen
------------------------------------
00:04:37 charon:  04[KNL] creating rekey job for ESP CHILD_SA with SPI c3934b0a and reqid {277} 
00:04:37 charon:  04[MGR] checkout IKE_SA by ID 
00:04:37 charon:  04[MGR] checkout IKE_SA by ID 
00:04:37 charon:  04[MGR] IKE_SA VpnEssenFrankfurt[358] successfully checked out 
00:04:37 charon:  04[MGR] IKE_SA VpnEssenFrankfurt[358] successfully checked out 
00:04:37 charon:  04[IKE] queueing CHILD_REKEY task 
00:04:37 charon:  04[IKE] queueing CHILD_REKEY task 
00:04:37 charon:  04[IKE] activating new tasks 
00:04:37 charon:  04[IKE] activating new tasks 
00:04:37 charon:  04[IKE]   activating CHILD_REKEY task 
00:04:37 charon:  04[IKE]   activating CHILD_REKEY task 
00:04:37 charon:  04[IKE] establishing CHILD_SA VpnEssenFrankfurt{277} 
00:04:37 charon:  04[IKE] establishing CHILD_SA VpnEssenFrankfurt{277} 
00:04:37 charon:  04[ENC] generating CREATE_CHILD_SA request 6 [ N(REKEY_SA) N(IPCOMP_SUP) SA No KE TSi TSr ] 
00:04:37 charon:  04[NET] sending packet: from xxx.xxx.xxx.178[4500] to xxx.xxx.xxx.254[4500] (684 bytes) 
00:04:37 charon:  04[MGR] checkin IKE_SA VpnEssenFrankfurt[358] 
00:04:37 charon:  04[MGR] checkin IKE_SA VpnEssenFrankfurt[358] 
00:04:37 charon:  04[MGR] check-in of IKE_SA successful. 
00:04:37 charon:  04[MGR] check-in of IKE_SA successful. 
00:04:38 charon:  14[MGR] checkout IKE_SA by message 
00:04:38 charon:  14[MGR] checkout IKE_SA by message 
00:04:38 charon:  14[MGR] IKE_SA VpnEssenFrankfurt[358] successfully checked out 
00:04:38 charon:  14[MGR] IKE_SA VpnEssenFrankfurt[358] successfully checked out 
00:04:38 charon:  14[NET] received packet: from xxx.xxx.xxx.254[4500] to xxx.xxx.xxx.178[4500] (476 bytes) 
00:04:38 charon:  14[ENC] parsed CREATE_CHILD_SA response 6 [ N(IPCOMP_SUP) SA No KE TSi TSr ] 
00:04:38 charon:  14[IKE] received IPCOMP_SUPPORTED notify 
00:04:38 charon:  14[IKE] received IPCOMP_SUPPORTED notify 
00:04:38 charon:  14[CHD]   using AES_CBC for encryption 
00:04:38 charon:  14[CHD]   using AES_CBC for encryption 
00:04:38 charon:  14[CHD]   using HMAC_SHA1_96 for integrity 
00:04:38 charon:  14[CHD]   using HMAC_SHA1_96 for integrity 
00:04:38 charon:  14[CHD] adding inbound ESP SA 
00:04:38 charon:  14[CHD] adding inbound ESP SA 
00:04:38 charon:  14[CHD]   SPI 0xc7f0b970, src xxx.xxx.xxx.254 dst xxx.xxx.xxx.178 
00:04:38 charon:  14[CHD]   SPI 0xc7f0b970, src xxx.xxx.xxx.254 dst xxx.xxx.xxx.178 
00:04:38 charon:  14[CHD] adding outbound ESP SA 
00:04:38 charon:  14[CHD] adding outbound ESP SA 
00:04:38 charon:  14[CHD]   SPI 0xceea1f93, src xxx.xxx.xxx.178 dst xxx.xxx.xxx.254 
00:04:38 charon:  14[CHD]   SPI 0xceea1f93, src xxx.xxx.xxx.178 dst xxx.xxx.xxx.254 
00:04:38 charon:  14[IKE] CHILD_SA VpnEssenFrankfurt{277} established with SPIs c7f0b970_i ceea1f93_o and TS 192.168.241.0/24 === 10.2.34.0/24  
00:04:38 charon:  14[IKE] CHILD_SA VpnEssenFrankfurt{277} established with SPIs c7f0b970_i ceea1f93_o and TS 192.168.241.0/24 === 10.2.34.0/24  
00:04:38 charon:  14[IKE] reinitiating already active tasks 
00:04:38 charon:  14[IKE] reinitiating already active tasks 
00:04:38 charon:  14[IKE]   CHILD_REKEY task 
00:04:38 charon:  14[IKE]   CHILD_REKEY task 
00:04:38 charon:  14[IKE] closing CHILD_SA VpnEssenFrankfurt{277} with SPIs c3934b0a_i (143509 bytes) c65836f7_o (244242 bytes) and TS 192.168.241.0/24 === 10.2.34.0/24  
00:04:38 charon:  14[IKE] closing CHILD_SA VpnEssenFrankfurt{277} with SPIs c3934b0a_i (143509 bytes) c65836f7_o (244242 bytes) and TS 192.168.241.0/24 === 10.2.34.0/24  
00:04:38 charon:  14[IKE] sending DELETE for ESP CHILD_SA with SPI c3934b0a 
00:04:38 charon:  14[IKE] sending DELETE for ESP CHILD_SA with SPI c3934b0a 
00:04:38 charon:  14[ENC] generating INFORMATIONAL request 7 [ D ] 
00:04:38 charon:  14[NET] sending packet: from xxx.xxx.xxx.178[4500] to xxx.xxx.xxx.254[4500] (76 bytes) 
00:04:38 charon:  14[MGR] checkin IKE_SA VpnEssenFrankfurt[358] 
00:04:38 charon:  14[MGR] checkin IKE_SA VpnEssenFrankfurt[358] 
00:04:38 charon:  14[MGR] check-in of IKE_SA successful. 
00:04:38 charon:  14[MGR] check-in of IKE_SA successful. 
00:04:38 charon:  15[MGR] checkout IKE_SA by message 
00:04:38 charon:  15[MGR] checkout IKE_SA by message 
00:04:38 charon:  15[MGR] IKE_SA VpnEssenFrankfurt[358] successfully checked out 
00:04:38 charon:  15[MGR] IKE_SA VpnEssenFrankfurt[358] successfully checked out 
00:04:38 charon:  15[NET] received packet: from xxx.xxx.xxx.254[4500] to xxx.xxx.xxx.178[4500] (76 bytes) 
00:04:38 charon:  15[ENC] parsed INFORMATIONAL response 7 [ D ] 
00:04:38 charon:  15[IKE] received DELETE for ESP CHILD_SA with SPI c65836f7 
00:04:38 charon:  15[IKE] received DELETE for ESP CHILD_SA with SPI c65836f7 
00:04:38 charon:  15[IKE] CHILD_SA closed 
00:04:38 charon:  15[IKE] CHILD_SA closed 
00:04:38 charon:  15[IKE] activating new tasks 
00:04:38 charon:  15[IKE] activating new tasks 
00:04:38 charon:  15[IKE] nothing to initiate 
00:04:38 charon:  15[IKE] nothing to initiate 
00:04:38 charon:  15[MGR] checkin IKE_SA VpnEssenFrankfurt[358] 
00:04:38 charon:  15[MGR] checkin IKE_SA VpnEssenFrankfurt[358] 
00:04:38 charon:  15[MGR] check-in of IKE_SA successful. 
00:04:38 charon:  15[MGR] check-in of IKE_SA successful. 
00:04:41 charon:  16[MGR] checkout IKE_SA 
00:04:41 charon:  16[MGR] checkout IKE_SA 
00:04:41 charon:  16[MGR] IKE_SA VpnEssenFrankfurt[358] successfully checked out 
00:04:41 charon:  16[MGR] IKE_SA VpnEssenFrankfurt[358] successfully checked out 
00:04:41 charon:  16[MGR] checkin IKE_SA VpnEssenFrankfurt[358] 
00:04:41 charon:  16[MGR] checkin IKE_SA VpnEssenFrankfurt[358] 
00:04:41 charon:  16[MGR] check-in of IKE_SA successful. 
00:04:41 charon:  16[MGR] check-in of IKE_SA successful. 
00:04:42 charon:  03[MGR] checkout IKE_SA 
00:04:42 charon:  03[MGR] checkout IKE_SA 
00:04:42 charon:  03[MGR] IKE_SA VpnEssenFrankfurt[358] successfully checked out 
00:04:42 charon:  03[MGR] IKE_SA VpnEssenFrankfurt[358] successfully checked out 
00:04:42 charon:  03[MGR] checkin IKE_SA VpnEssenFrankfurt[358] 
00:04:42 charon:  03[MGR] checkin IKE_SA VpnEssenFrankfurt[358] 
00:04:42 charon:  03[MGR] check-in of IKE_SA successful. 
00:04:42 charon:  03[MGR] check-in of IKE_SA successful. 
00:04:55 charon:  05[MGR] checkout IKE_SA 
00:04:55 charon:  05[MGR] checkout IKE_SA 
00:04:55 charon:  05[MGR] IKE_SA VpnEssenLimburg[359] successfully checked out 
00:04:55 charon:  05[MGR] IKE_SA VpnEssenLimburg[359] successfully checked out 
00:04:55 charon:  05[MGR] checkin IKE_SA VpnEssenLimburg[359] 
00:04:55 charon:  05[MGR] checkin IKE_SA VpnEssenLimburg[359] 
00:04:55 charon:  05[MGR] check-in of IKE_SA successful. 
00:04:55 charon:  05[MGR] check-in of IKE_SA successful. 
00:05:29 charon:  14[MGR] checkout IKE_SA 
00:05:29 charon:  14[MGR] checkout IKE_SA 
00:05:29 charon:  14[MGR] IKE_SA VpnEssenFlorstadt[360] successfully checked out 
00:05:29 charon:  14[MGR] IKE_SA VpnEssenFlorstadt[360] successfully checked out 
00:05:29 charon:  14[MGR] checkin IKE_SA VpnEssenFlorstadt[360] 
00:05:29 charon:  14[MGR] checkin IKE_SA VpnEssenFlorstadt[360] 
00:05:29 charon:  14[MGR] check-in of IKE_SA successful. 
00:05:29 charon:  14[MGR] check-in of IKE_SA successful. 
00:06:27 charon:  07[MGR] checkout IKE_SA 
00:06:27 charon:  07[MGR] checkout IKE_SA 
00:06:27 charon:  07[MGR] IKE_SA VpnEssenFrankfurt[358] successfully checked out 
00:06:27 charon:  07[MGR] IKE_SA VpnEssenFrankfurt[358] successfully checked out 
00:06:27 charon:  07[MGR] checkin IKE_SA VpnEssenFrankfurt[358] 
00:06:27 charon:  07[MGR] checkin IKE_SA VpnEssenFrankfurt[358] 
00:06:27 charon:  07[MGR] check-in of IKE_SA successful. 
00:06:27 charon:  07[MGR] check-in of IKE_SA successful. 
00:06:54 charon:  01[MGR] checkout IKE_SA 
00:06:54 charon:  01[MGR] checkout IKE_SA 
00:06:54 charon:  01[MGR] IKE_SA VpnEssenLimburg[359] successfully checked out 
00:06:54 charon:  01[MGR] IKE_SA VpnEssenLimburg[359] successfully checked out 
00:06:54 charon:  01[MGR] checkin IKE_SA VpnEssenLimburg[359] 
00:06:54 charon:  01[MGR] checkin IKE_SA VpnEssenLimburg[359] 
00:06:54 charon:  01[MGR] check-in of IKE_SA successful. 
00:06:54 charon:  01[MGR] check-in of IKE_SA successful. 
00:07:29 charon:  11[MGR] checkout IKE_SA 
00:07:29 charon:  11[MGR] checkout IKE_SA 
00:07:29 charon:  11[MGR] IKE_SA VpnEssenFlorstadt[360] successfully checked out 
00:07:29 charon:  11[MGR] IKE_SA VpnEssenFlorstadt[360] successfully checked out 
00:07:29 charon:  11[MGR] checkin IKE_SA VpnEssenFlorstadt[360] 
00:07:29 charon:  11[MGR] checkin IKE_SA VpnEssenFlorstadt[360] 
00:07:29 charon:  11[MGR] check-in of IKE_SA successful. 
00:07:29 charon:  11[MGR] check-in of IKE_SA successful. 
00:08:27 charon:  15[MGR] checkout IKE_SA 
00:08:27 charon:  15[MGR] checkout IKE_SA 
00:08:27 charon:  15[MGR] IKE_SA VpnEssenFrankfurt[358] successfully checked out 
00:08:27 charon:  15[MGR] IKE_SA VpnEssenFrankfurt[358] successfully checked out 
00:08:27 charon:  15[MGR] checkin IKE_SA VpnEssenFrankfurt[358] 
00:08:27 charon:  15[MGR] checkin IKE_SA VpnEssenFrankfurt[358] 
00:08:27 charon:  15[MGR] check-in of IKE_SA successful. 
00:08:27 charon:  15[MGR] check-in of IKE_SA successful. 
00:08:53 charon:  11[MGR] checkout IKE_SA 
00:08:53 charon:  11[MGR] checkout IKE_SA 
00:08:53 charon:  11[MGR] IKE_SA VpnEssenLimburg[359] successfully checked out 
00:08:53 charon:  11[MGR] IKE_SA VpnEssenLimburg[359] successfully checked out 
00:08:53 charon:  11[MGR] checkin IKE_SA VpnEssenLimburg[359] 
00:08:53 charon:  11[MGR] checkin IKE_SA VpnEssenLimburg[359] 
00:08:53 charon:  11[MGR] check-in of IKE_SA successful. 
00:08:53 charon:  11[MGR] check-in of IKE_SA successful. 
00:09:28 charon:  14[MGR] checkout IKE_SA 
00:09:28 charon:  14[MGR] checkout IKE_SA 
00:09:28 charon:  14[MGR] IKE_SA VpnEssenFlorstadt[360] successfully checked out 
00:09:28 charon:  14[MGR] IKE_SA VpnEssenFlorstadt[360] successfully checked out 
00:09:28 charon:  14[MGR] checkin IKE_SA VpnEssenFlorstadt[360] 
00:09:28 charon:  14[MGR] checkin IKE_SA VpnEssenFlorstadt[360] 
00:09:28 charon:  14[MGR] check-in of IKE_SA successful. 
00:09:28 charon:  14[MGR] check-in of IKE_SA successful. 
00:10:27 charon:  01[MGR] checkout IKE_SA 
00:10:27 charon:  01[MGR] checkout IKE_SA 
00:10:27 charon:  01[MGR] IKE_SA VpnEssenFrankfurt[358] successfully checked out 
00:10:27 charon:  01[MGR] IKE_SA VpnEssenFrankfurt[358] successfully checked out 
00:10:27 charon:  01[MGR] checkin IKE_SA VpnEssenFrankfurt[358] 
00:10:27 charon:  01[MGR] checkin IKE_SA VpnEssenFrankfurt[358] 
00:10:27 charon:  01[MGR] check-in of IKE_SA successful. 
00:10:27 charon:  01[MGR] check-in of IKE_SA successful. 
00:10:34 charon:  04[MGR] checkout IKE_SA 
00:10:34 charon:  04[MGR] checkout IKE_SA 
00:10:34 charon:  04[MGR] IKE_SA VpnEssenLimburg[359] successfully checked out 
00:10:34 charon:  04[MGR] IKE_SA VpnEssenLimburg[359] successfully checked out 
00:10:34 charon:  04[MGR] checkin IKE_SA VpnEssenLimburg[359] 
00:10:34 charon:  04[MGR] checkin IKE_SA VpnEssenLimburg[359] 
00:10:34 charon:  04[MGR] check-in of IKE_SA successful. 
00:10:34 charon:  04[MGR] check-in of IKE_SA successful. 
00:11:27 charon:  06[MGR] checkout IKE_SA 
00:11:27 charon:  06[MGR] checkout IKE_SA 
00:11:27 charon:  06[MGR] IKE_SA VpnEssenFlorstadt[360] successfully checked out 
00:11:27 charon:  06[MGR] IKE_SA VpnEssenFlorstadt[360] successfully checked out 
00:11:27 charon:  06[MGR] checkin IKE_SA VpnEssenFlorstadt[360] 
00:11:27 charon:  06[MGR] checkin IKE_SA VpnEssenFlorstadt[360] 
00:11:27 charon:  06[MGR] check-in of IKE_SA successful. 
00:11:27 charon:  06[MGR] check-in of IKE_SA successful. 
00:11:27 charon:  07[MGR] checkout IKE_SA 
00:11:27 charon:  07[MGR] checkout IKE_SA 
00:11:27 charon:  07[MGR] IKE_SA VpnEssenFrankfurt[358] successfully checked out 
00:11:27 charon:  07[MGR] IKE_SA VpnEssenFrankfurt[358] successfully checked out 
00:11:27 charon:  07[IKE] sending DPD request 
00:11:27 charon:  07[IKE] sending DPD request 
00:11:27 charon:  07[IKE] queueing IKE_DPD task 
00:11:27 charon:  07[IKE] queueing IKE_DPD task 
00:11:27 charon:  07[IKE] activating new tasks 
00:11:27 charon:  07[IKE] activating new tasks 
00:11:27 charon:  07[IKE]   activating IKE_DPD task 
00:11:27 charon:  07[IKE]   activating IKE_DPD task 
00:11:27 charon:  07[ENC] generating INFORMATIONAL request 8 [ ] 
00:11:27 charon:  07[NET] sending packet: from xxx.xxx.xxx.178[4500] to xxx.xxx.xxx.254[4500] (76 bytes) 
00:11:27 charon:  07[MGR] checkin IKE_SA VpnEssenFrankfurt[358] 
00:11:27 charon:  07[MGR] checkin IKE_SA VpnEssenFrankfurt[358] 
00:11:27 charon:  07[MGR] check-in of IKE_SA successful. 
00:11:27 charon:  07[MGR] check-in of IKE_SA successful. 
00:11:31 charon:  09[MGR] checkout IKE_SA 
00:11:31 charon:  09[MGR] checkout IKE_SA 
00:11:31 charon:  09[MGR] IKE_SA VpnEssenFrankfurt[358] successfully checked out 
00:11:31 charon:  09[MGR] IKE_SA VpnEssenFrankfurt[358] successfully checked out 
00:11:31 charon:  09[IKE] retransmit 1 of request with message ID 8 
00:11:31 charon:  09[IKE] retransmit 1 of request with message ID 8 
00:11:31 charon:  09[NET] sending packet: from xxx.xxx.xxx.178[4500] to xxx.xxx.xxx.254[4500] (76 bytes) 
00:11:31 charon:  09[MGR] checkin IKE_SA VpnEssenFrankfurt[358] 
00:11:31 charon:  09[MGR] checkin IKE_SA VpnEssenFrankfurt[358] 
00:11:31 charon:  09[MGR] check-in of IKE_SA successful. 
00:11:31 charon:  09[MGR] check-in of IKE_SA successful. 
00:11:39 charon:  04[MGR] checkout IKE_SA 
00:11:39 charon:  04[MGR] checkout IKE_SA 
00:11:39 charon:  04[MGR] IKE_SA VpnEssenFrankfurt[358] successfully checked out 
00:11:39 charon:  04[MGR] IKE_SA VpnEssenFrankfurt[358] successfully checked out 
00:11:39 charon:  04[IKE] retransmit 2 of request with message ID 8 
00:11:39 charon:  04[IKE] retransmit 2 of request with message ID 8 
00:11:39 charon:  04[NET] sending packet: from xxx.xxx.xxx.178[4500] to xxx.xxx.xxx.254[4500] (76 bytes) 
00:11:39 charon:  04[MGR] checkin IKE_SA VpnEssenFrankfurt[358] 
00:11:39 charon:  04[MGR] checkin IKE_SA VpnEssenFrankfurt[358] 
00:11:39 charon:  04[MGR] check-in of IKE_SA successful. 
00:11:39 charon:  04[MGR] check-in of IKE_SA successful. 
00:11:52 charon:  14[MGR] checkout IKE_SA 
00:11:52 charon:  14[MGR] checkout IKE_SA 
00:11:52 charon:  14[MGR] IKE_SA VpnEssenFrankfurt[358] successfully checked out 
00:11:52 charon:  14[MGR] IKE_SA VpnEssenFrankfurt[358] successfully checked out 
00:11:52 charon:  14[IKE] retransmit 3 of request with message ID 8 
00:11:52 charon:  14[IKE] retransmit 3 of request with message ID 8 
00:11:52 charon:  14[NET] sending packet: from xxx.xxx.xxx.178[4500] to xxx.xxx.xxx.254[4500] (76 bytes) 
00:11:52 charon:  14[MGR] checkin IKE_SA VpnEssenFrankfurt[358] 
00:11:52 charon:  14[MGR] checkin IKE_SA VpnEssenFrankfurt[358] 
00:11:52 charon:  14[MGR] check-in of IKE_SA successful. 
00:11:52 charon:  14[MGR] check-in of IKE_SA successful. 
00:12:15 charon:  09[MGR] checkout IKE_SA 
00:12:15 charon:  09[MGR] checkout IKE_SA 
00:12:15 charon:  09[MGR] IKE_SA VpnEssenFrankfurt[358] successfully checked out 
00:12:15 charon:  09[MGR] IKE_SA VpnEssenFrankfurt[358] successfully checked out 
00:12:15 charon:  09[IKE] retransmit 4 of request with message ID 8 
00:12:15 charon:  09[IKE] retransmit 4 of request with message ID 8 
00:12:15 charon:  09[NET] sending packet: from xxx.xxx.xxx.178[4500] to xxx.xxx.xxx.254[4500] (76 bytes) 
00:12:15 charon:  09[MGR] checkin IKE_SA VpnEssenFrankfurt[358] 
00:12:15 charon:  09[MGR] checkin IKE_SA VpnEssenFrankfurt[358] 
00:12:15 charon:  09[MGR] check-in of IKE_SA successful. 
00:12:15 charon:  09[MGR] check-in of IKE_SA successful. 
00:12:26 charon:  04[KNL] creating rekey job for ESP CHILD_SA with SPI c1b5daf6 and reqid {274} 
00:12:26 charon:  04[MGR] checkout IKE_SA by ID 
00:12:26 charon:  04[MGR] checkout IKE_SA by ID 
00:12:26 charon:  04[MGR] IKE_SA VpnEssenLimburg[359] successfully checked out 
00:12:26 charon:  04[MGR] IKE_SA VpnEssenLimburg[359] successfully checked out 
00:12:26 charon:  04[IKE] queueing CHILD_REKEY task 
00:12:26 charon:  04[IKE] queueing CHILD_REKEY task 
00:12:26 charon:  04[IKE] activating new tasks 
00:12:26 charon:  04[IKE] activating new tasks 
00:12:26 charon:  04[IKE]   activating CHILD_REKEY task 
00:12:26 charon:  04[IKE]   activating CHILD_REKEY task 
00:12:26 charon:  04[IKE] establishing CHILD_SA VpnEssenLimburg{274} 
00:12:26 charon:  04[IKE] establishing CHILD_SA VpnEssenLimburg{274} 
00:12:26 charon:  04[ENC] generating CREATE_CHILD_SA request 6 [ N(REKEY_SA) N(IPCOMP_SUP) SA No KE TSi TSr ] 
00:12:26 charon:  04[NET] sending packet: from xxx.xxx.xxx.178[4500] to xxx.xxx.xxx.211[4500] (684 bytes) 
00:12:26 charon:  04[MGR] checkin IKE_SA VpnEssenLimburg[359] 
00:12:26 charon:  04[MGR] checkin IKE_SA VpnEssenLimburg[359] 
00:12:26 charon:  04[MGR] check-in of IKE_SA successful. 
00:12:26 charon:  04[MGR] check-in of IKE_SA successful. 
00:12:28 charon:  15[MGR] checkout IKE_SA by message 
00:12:28 charon:  15[MGR] checkout IKE_SA by message 
00:12:28 charon:  15[MGR] IKE_SA VpnEssenLimburg[359] successfully checked out 
00:12:28 charon:  15[MGR] IKE_SA VpnEssenLimburg[359] successfully checked out 
00:12:28 charon:  15[NET] received packet: from xxx.xxx.xxx.211[4500] to xxx.xxx.xxx.178[4500] (476 bytes) 
00:12:28 charon:  15[ENC] parsed CREATE_CHILD_SA response 6 [ N(IPCOMP_SUP) SA No KE TSi TSr ] 
00:12:28 charon:  15[IKE] received IPCOMP_SUPPORTED notify 
00:12:28 charon:  15[IKE] received IPCOMP_SUPPORTED notify 
00:12:29 charon:  15[CHD]   using AES_CBC for encryption 
00:12:29 charon:  15[CHD]   using AES_CBC for encryption 
00:12:29 charon:  15[CHD]   using HMAC_SHA1_96 for integrity 
00:12:29 charon:  15[CHD]   using HMAC_SHA1_96 for integrity 
00:12:29 charon:  15[CHD] adding inbound ESP SA 
00:12:29 charon:  15[CHD] adding inbound ESP SA 
00:12:29 charon:  15[CHD]   SPI 0xc67aa799, src xxx.xxx.xxx.211 dst xxx.xxx.xxx.178 
00:12:29 charon:  15[CHD]   SPI 0xc67aa799, src xxx.xxx.xxx.211 dst xxx.xxx.xxx.178 
00:12:29 charon:  15[CHD] adding outbound ESP SA 
00:12:29 charon:  15[CHD] adding outbound ESP SA 
00:12:29 charon:  15[CHD]   SPI 0xcb8cbba1, src xxx.xxx.xxx.178 dst xxx.xxx.xxx.211 
00:12:29 charon:  15[CHD]   SPI 0xcb8cbba1, src xxx.xxx.xxx.178 dst xxx.xxx.xxx.211 
00:12:29 charon:  15[IKE] CHILD_SA VpnEssenLimburg{274} established with SPIs c67aa799_i cb8cbba1_o and TS 192.168.241.0/24 === 10.3.34.0/24  
00:12:29 charon:  15[IKE] CHILD_SA VpnEssenLimburg{274} established with SPIs c67aa799_i cb8cbba1_o and TS 192.168.241.0/24 === 10.3.34.0/24  
00:12:29 charon:  15[IKE] reinitiating already active tasks 
00:12:29 charon:  15[IKE] reinitiating already active tasks 
00:12:29 charon:  15[IKE]   CHILD_REKEY task 
00:12:29 charon:  15[IKE]   CHILD_REKEY task 
00:12:29 charon:  15[IKE] closing CHILD_SA VpnEssenLimburg{274} with SPIs c1b5daf6_i (74802 bytes) cf7e92e7_o (359517 bytes) and TS 192.168.241.0/24 === 10.3.34.0/24  
00:12:29 charon:  15[IKE] closing CHILD_SA VpnEssenLimburg{274} with SPIs c1b5daf6_i (74802 bytes) cf7e92e7_o (359517 bytes) and TS 192.168.241.0/24 === 10.3.34.0/24  
00:12:29 charon:  15[IKE] sending DELETE for ESP CHILD_SA with SPI c1b5daf6 
00:12:29 charon:  15[IKE] sending DELETE for ESP CHILD_SA with SPI c1b5daf6 
00:12:29 charon:  15[ENC] generating INFORMATIONAL request 7 [ D ] 
00:12:29 charon:  15[NET] sending packet: from xxx.xxx.xxx.178[4500] to xxx.xxx.xxx.211[4500] (76 bytes) 
00:12:29 charon:  15[MGR] checkin IKE_SA VpnEssenLimburg[359] 
00:12:29 charon:  15[MGR] checkin IKE_SA VpnEssenLimburg[359] 
00:12:29 charon:  15[MGR] check-in of IKE_SA successful. 
00:12:29 charon:  15[MGR] check-in of IKE_SA successful. 
00:12:29 charon:  16[MGR] checkout IKE_SA by message 
00:12:29 charon:  16[MGR] checkout IKE_SA by message 
00:12:29 charon:  16[MGR] IKE_SA VpnEssenLimburg[359] successfully checked out 
00:12:29 charon:  16[MGR] IKE_SA VpnEssenLimburg[359] successfully checked out 
00:12:29 charon:  16[NET] received packet: from xxx.xxx.xxx.211[4500] to xxx.xxx.xxx.178[4500] (76 bytes) 
00:12:29 charon:  16[ENC] parsed INFORMATIONAL response 7 [ D ] 
00:12:29 charon:  16[IKE] received DELETE for ESP CHILD_SA with SPI cf7e92e7 
00:12:29 charon:  16[IKE] received DELETE for ESP CHILD_SA with SPI cf7e92e7 
00:12:29 charon:  16[IKE] CHILD_SA closed 
00:12:29 charon:  16[IKE] CHILD_SA closed 


Log entries from our device in Frankfurt
----------------------------------------
00:04:37 charon:  08[NET] received packet: from xxx.xxx.xxx.178[4500] to xxx.xxx.xxx.254[4500] (684 bytes) 
00:04:37 charon:  08[ENC] parsed CREATE_CHILD_SA request 6 [ N(REKEY_SA) N(IPCOMP_SUP) SA No KE TSi TSr ] 
00:04:38 charon:  08[KNL] getting CPI for reqid {278} 
00:04:38 charon:  08[KNL] getting CPI for reqid {278} 
00:04:38 charon:  08[KNL] got CPI e971 for reqid {278} 
00:04:38 charon:  08[KNL] got CPI e971 for reqid {278} 
00:04:38 charon:  08[KNL] getting SPI for reqid {278} 
00:04:38 charon:  08[KNL] getting SPI for reqid {278} 
00:04:38 charon:  08[KNL] got SPI ceea1f93 for reqid {278} 
00:04:38 charon:  08[KNL] got SPI ceea1f93 for reqid {278} 
00:04:38 charon:  08[CHD]   using AES_CBC for encryption 
00:04:38 charon:  08[CHD]   using AES_CBC for encryption 
00:04:38 charon:  08[CHD]   using HMAC_SHA1_96 for integrity 
00:04:38 charon:  08[CHD]   using HMAC_SHA1_96 for integrity 
00:04:38 charon:  08[CHD] adding inbound ESP SA 
00:04:38 charon:  08[CHD] adding inbound ESP SA 
00:04:38 charon:  08[CHD]   SPI 0xceea1f93, src xxx.xxx.xxx.178 dst xxx.xxx.xxx.254 
00:04:38 charon:  08[CHD]   SPI 0xceea1f93, src xxx.xxx.xxx.178 dst xxx.xxx.xxx.254 
00:04:38 charon:  08[KNL] adding SAD entry with SPI 0000e971 and reqid {278}  (mark 0/0x00000000) 
00:04:38 charon:  08[KNL] adding SAD entry with SPI 0000e971 and reqid {278}  (mark 0/0x00000000) 
00:04:38 charon:  08[KNL]   using compression algorithm IPCOMP_DEFLATE 
00:04:38 charon:  08[KNL]   using compression algorithm IPCOMP_DEFLATE 
00:04:38 charon:  08[KNL] adding SAD entry with SPI ceea1f93 and reqid {278}  (mark 0/0x00000000) 
00:04:38 charon:  08[KNL] adding SAD entry with SPI ceea1f93 and reqid {278}  (mark 0/0x00000000) 
00:04:38 charon:  08[KNL]   using encryption algorithm AES_CBC with key size 128 
00:04:38 charon:  08[KNL]   using encryption algorithm AES_CBC with key size 128 
00:04:38 charon:  08[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160 
00:04:38 charon:  08[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160 
00:04:38 charon:  08[KNL]   using replay window of 32 packets 
00:04:38 charon:  08[KNL]   using replay window of 32 packets 
00:04:38 charon:  08[CHD] adding outbound ESP SA 
00:04:38 charon:  08[CHD] adding outbound ESP SA 
00:04:38 charon:  08[CHD]   SPI 0xc7f0b970, src xxx.xxx.xxx.254 dst xxx.xxx.xxx.178 
00:04:38 charon:  08[CHD]   SPI 0xc7f0b970, src xxx.xxx.xxx.254 dst xxx.xxx.xxx.178 
00:04:38 charon:  08[KNL] adding SAD entry with SPI 00005576 and reqid {278}  (mark 0/0x00000000) 
00:04:38 charon:  08[KNL] adding SAD entry with SPI 00005576 and reqid {278}  (mark 0/0x00000000) 
00:04:38 charon:  08[KNL]   using compression algorithm IPCOMP_DEFLATE 
00:04:38 charon:  08[KNL]   using compression algorithm IPCOMP_DEFLATE 
00:04:38 charon:  08[KNL] adding SAD entry with SPI c7f0b970 and reqid {278}  (mark 0/0x00000000) 
00:04:38 charon:  08[KNL] adding SAD entry with SPI c7f0b970 and reqid {278}  (mark 0/0x00000000) 
00:04:38 charon:  08[KNL]   using encryption algorithm AES_CBC with key size 128 
00:04:38 charon:  08[KNL]   using encryption algorithm AES_CBC with key size 128 
00:04:38 charon:  08[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160 
00:04:38 charon:  08[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160 
00:04:38 charon:  08[KNL]   using replay window of 32 packets 
00:04:38 charon:  08[KNL]   using replay window of 32 packets 
00:04:38 charon:  08[KNL] policy 10.2.34.0/24 === 192.168.241.0/24 out  (mark 0/0x00000000) already exists, increasing refcount 
00:04:38 charon:  08[KNL] policy 10.2.34.0/24 === 192.168.241.0/24 out  (mark 0/0x00000000) already exists, increasing refcount 
00:04:38 charon:  08[KNL] policy 192.168.241.0/24 === 10.2.34.0/24 in  (mark 0/0x00000000) already exists, increasing refcount 
00:04:38 charon:  08[KNL] policy 192.168.241.0/24 === 10.2.34.0/24 in  (mark 0/0x00000000) already exists, increasing refcount 
00:04:38 charon:  08[KNL] policy 192.168.241.0/24 === 10.2.34.0/24 fwd  (mark 0/0x00000000) already exists, increasing refcount 
00:04:38 charon:  08[KNL] policy 192.168.241.0/24 === 10.2.34.0/24 fwd  (mark 0/0x00000000) already exists, increasing refcount 
00:04:38 charon:  08[KNL] policy 10.2.34.0/24 === 192.168.241.0/24 out  (mark 0/0x00000000) already exists, increasing refcount 
00:04:38 charon:  08[KNL] policy 10.2.34.0/24 === 192.168.241.0/24 out  (mark 0/0x00000000) already exists, increasing refcount 
00:04:38 charon:  08[KNL] updating policy 10.2.34.0/24 === 192.168.241.0/24 out  (mark 0/0x00000000) 
00:04:38 charon:  08[KNL] updating policy 10.2.34.0/24 === 192.168.241.0/24 out  (mark 0/0x00000000) 
00:04:38 charon:  08[KNL] policy 192.168.241.0/24 === 10.2.34.0/24 in  (mark 0/0x00000000) already exists, increasing refcount 
00:04:38 charon:  08[KNL] policy 192.168.241.0/24 === 10.2.34.0/24 in  (mark 0/0x00000000) already exists, increasing refcount 
00:04:38 charon:  08[KNL] updating policy 192.168.241.0/24 === 10.2.34.0/24 in  (mark 0/0x00000000) 
00:04:38 charon:  08[KNL] updating policy 192.168.241.0/24 === 10.2.34.0/24 in  (mark 0/0x00000000) 
00:04:38 charon:  08[KNL] policy 192.168.241.0/24 === 10.2.34.0/24 fwd  (mark 0/0x00000000) already exists, increasing refcount 
00:04:38 charon:  08[KNL] policy 192.168.241.0/24 === 10.2.34.0/24 fwd  (mark 0/0x00000000) already exists, increasing refcount 
00:04:38 charon:  08[KNL] updating policy 192.168.241.0/24 === 10.2.34.0/24 fwd  (mark 0/0x00000000) 
00:04:38 charon:  08[KNL] updating policy 192.168.241.0/24 === 10.2.34.0/24 fwd  (mark 0/0x00000000) 
00:04:38 charon:  08[KNL] getting a local address in traffic selector 10.2.34.0/24 
00:04:38 charon:  08[KNL] getting a local address in traffic selector 10.2.34.0/24 
00:04:38 charon:  08[KNL] using host 10.2.34.1 
00:04:38 charon:  08[KNL] using host 10.2.34.1 
00:04:38 charon:  08[KNL] using xxx.xxx.xxx.253 as nexthop to reach xxx.xxx.xxx.178/32 
00:04:38 charon:  08[KNL] using xxx.xxx.xxx.253 as nexthop to reach xxx.xxx.xxx.178/32 
00:04:38 charon:  08[KNL] xxx.xxx.xxx.254 is on interface red0 
00:04:38 charon:  08[KNL] xxx.xxx.xxx.254 is on interface red0 
00:04:38 charon:  08[IKE] CHILD_SA VpnFrankfurtEssen{278} established with SPIs ceea1f93_i c7f0b970_o and TS 10.2.34.0/24 === 192.168.241.0/24  
00:04:38 charon:  08[IKE] CHILD_SA VpnFrankfurtEssen{278} established with SPIs ceea1f93_i c7f0b970_o and TS 10.2.34.0/24 === 192.168.241.0/24  
00:04:38 charon:  08[ENC] generating CREATE_CHILD_SA response 6 [ N(IPCOMP_SUP) SA No KE TSi TSr ] 
00:04:38 charon:  08[NET] sending packet: from xxx.xxx.xxx.254[4500] to xxx.xxx.xxx.178[4500] (476 bytes) 
00:04:38 charon:  07[NET] received packet: from xxx.xxx.xxx.178[4500] to xxx.xxx.xxx.254[4500] (76 bytes) 
00:04:38 charon:  07[ENC] parsed INFORMATIONAL request 7 [ D ] 
00:04:38 charon:  07[IKE] received DELETE for ESP CHILD_SA with SPI c3934b0a 
00:04:38 charon:  07[IKE] received DELETE for ESP CHILD_SA with SPI c3934b0a 
00:04:38 charon:  07[KNL] querying SAD entry with SPI c65836f7  (mark 0/0x00000000) 
00:04:38 charon:  07[KNL] querying SAD entry with SPI c65836f7  (mark 0/0x00000000) 
00:04:38 charon:  07[KNL] querying SAD entry with SPI c3934b0a  (mark 0/0x00000000) 
00:04:38 charon:  07[KNL] querying SAD entry with SPI c3934b0a  (mark 0/0x00000000) 
00:04:38 charon:  07[IKE] closing CHILD_SA VpnFrankfurtEssen{278} with SPIs c65836f7_i (244242 bytes) c3934b0a_o (143509 bytes) and TS 10.2.34.0/24 === 192.168.241.0/24  
00:04:38 charon:  07[IKE] closing CHILD_SA VpnFrankfurtEssen{278} with SPIs c65836f7_i (244242 bytes) c3934b0a_o (143509 bytes) and TS 10.2.34.0/24 === 192.168.241.0/24  
00:04:38 charon:  07[IKE] sending DELETE for ESP CHILD_SA with SPI c65836f7 
00:04:38 charon:  07[IKE] sending DELETE for ESP CHILD_SA with SPI c65836f7 
00:04:38 charon:  07[IKE] CHILD_SA closed 
00:04:38 charon:  07[IKE] CHILD_SA closed 
00:04:38 charon:  07[KNL] deleting SAD entry with SPI 000098d8  (mark 0/0x00000000) 
00:04:38 charon:  07[KNL] deleting SAD entry with SPI 000098d8  (mark 0/0x00000000) 
00:04:38 charon:  07[KNL] deleted SAD entry with SPI 000098d8 (mark 0/0x00000000) 
00:04:38 charon:  07[KNL] deleted SAD entry with SPI 000098d8 (mark 0/0x00000000) 
00:04:38 charon:  07[KNL] deleting SAD entry with SPI c65836f7  (mark 0/0x00000000) 
00:04:38 charon:  07[KNL] deleting SAD entry with SPI c65836f7  (mark 0/0x00000000) 
00:04:38 charon:  07[KNL] deleted SAD entry with SPI c65836f7 (mark 0/0x00000000) 
00:04:38 charon:  07[KNL] deleted SAD entry with SPI c65836f7 (mark 0/0x00000000) 
00:04:38 charon:  07[KNL] deleting SAD entry with SPI 0000ad25  (mark 0/0x00000000) 
00:04:38 charon:  07[KNL] deleting SAD entry with SPI 0000ad25  (mark 0/0x00000000) 
00:04:38 charon:  07[KNL] deleted SAD entry with SPI 0000ad25 (mark 0/0x00000000) 
00:04:38 charon:  07[KNL] deleted SAD entry with SPI 0000ad25 (mark 0/0x00000000) 
00:04:38 charon:  07[KNL] deleting SAD entry with SPI c3934b0a  (mark 0/0x00000000) 
00:04:38 charon:  07[KNL] deleting SAD entry with SPI c3934b0a  (mark 0/0x00000000) 
00:04:38 charon:  07[KNL] deleted SAD entry with SPI c3934b0a (mark 0/0x00000000) 
00:04:38 charon:  07[KNL] deleted SAD entry with SPI c3934b0a (mark 0/0x00000000) 
00:04:38 charon:  07[KNL] deleting policy 10.2.34.0/24 === 192.168.241.0/24 out  (mark 0/0x00000000) 
00:04:38 charon:  07[KNL] deleting policy 10.2.34.0/24 === 192.168.241.0/24 out  (mark 0/0x00000000) 
00:04:38 charon:  07[KNL] policy still used by another CHILD_SA, not removed 
00:04:38 charon:  07[KNL] policy still used by another CHILD_SA, not removed 
00:04:38 charon:  07[KNL] updating policy 10.2.34.0/24 === 192.168.241.0/24 out  (mark 0/0x00000000) 
00:04:38 charon:  07[KNL] updating policy 10.2.34.0/24 === 192.168.241.0/24 out  (mark 0/0x00000000) 
00:04:38 charon:  07[KNL] deleting policy 192.168.241.0/24 === 10.2.34.0/24 in  (mark 0/0x00000000) 
00:04:38 charon:  07[KNL] deleting policy 192.168.241.0/24 === 10.2.34.0/24 in  (mark 0/0x00000000) 
00:04:38 charon:  07[KNL] policy still used by another CHILD_SA, not removed 
00:04:38 charon:  07[KNL] policy still used by another CHILD_SA, not removed 
00:04:38 charon:  07[KNL] updating policy 192.168.241.0/24 === 10.2.34.0/24 in  (mark 0/0x00000000) 
00:04:38 charon:  07[KNL] updating policy 192.168.241.0/24 === 10.2.34.0/24 in  (mark 0/0x00000000) 
00:04:38 charon:  07[KNL] deleting policy 192.168.241.0/24 === 10.2.34.0/24 fwd  (mark 0/0x00000000) 
00:04:39 charon:  07[KNL] deleting policy 192.168.241.0/24 === 10.2.34.0/24 fwd  (mark 0/0x00000000) 
00:04:39 charon:  07[KNL] policy still used by another CHILD_SA, not removed 
00:04:39 charon:  07[KNL] policy still used by another CHILD_SA, not removed 
00:04:39 charon:  07[KNL] updating policy 192.168.241.0/24 === 10.2.34.0/24 fwd  (mark 0/0x00000000) 
00:04:39 charon:  07[KNL] updating policy 192.168.241.0/24 === 10.2.34.0/24 fwd  (mark 0/0x00000000) 
00:04:39 charon:  07[KNL] getting a local address in traffic selector 10.2.34.0/24 
00:04:39 charon:  07[KNL] getting a local address in traffic selector 10.2.34.0/24 
00:04:39 charon:  07[KNL] using host 10.2.34.1 
00:04:39 charon:  07[KNL] using host 10.2.34.1 
00:04:39 charon:  07[KNL] using xxx.xxx.xxx.253 as nexthop to reach xxx.xxx.xxx.178/32 
00:04:39 charon:  07[KNL] using xxx.xxx.xxx.253 as nexthop to reach xxx.xxx.xxx.178/32 
00:04:39 charon:  07[KNL] xxx.xxx.xxx.254 is on interface red0 
00:04:39 charon:  07[KNL] xxx.xxx.xxx.254 is on interface red0 
00:04:39 charon:  07[KNL] deleting policy 10.2.34.0/24 === 192.168.241.0/24 out  (mark 0/0x00000000) 
00:04:39 charon:  07[KNL] deleting policy 10.2.34.0/24 === 192.168.241.0/24 out  (mark 0/0x00000000) 
00:04:39 charon:  07[KNL] policy still used by another CHILD_SA, not removed 
00:04:39 charon:  07[KNL] policy still used by another CHILD_SA, not removed 
00:04:39 charon:  07[KNL] deleting policy 192.168.241.0/24 === 10.2.34.0/24 in  (mark 0/0x00000000) 
00:04:39 charon:  07[KNL] deleting policy 192.168.241.0/24 === 10.2.34.0/24 in  (mark 0/0x00000000) 
00:04:39 charon:  07[KNL] policy still used by another CHILD_SA, not removed 
00:04:39 charon:  07[KNL] policy still used by another CHILD_SA, not removed 
00:04:39 charon:  07[KNL] deleting policy 192.168.241.0/24 === 10.2.34.0/24 fwd  (mark 0/0x00000000) 
00:04:39 charon:  07[KNL] deleting policy 192.168.241.0/24 === 10.2.34.0/24 fwd  (mark 0/0x00000000) 
00:04:39 charon:  07[KNL] policy still used by another CHILD_SA, not removed 
00:04:39 charon:  07[KNL] policy still used by another CHILD_SA, not removed 
00:04:39 charon:  07[ENC] generating INFORMATIONAL response 7 [ D ] 
00:04:39 charon:  07[NET] sending packet: from xxx.xxx.xxx.254[4500] to xxx.xxx.xxx.178[4500] (76 bytes) 
00:05:15 charon:  13[KNL] querying policy 10.4.34.0/24 === 10.2.34.0/24 in  (mark 0/0x00000000) 
00:05:15 charon:  13[KNL] querying policy 10.4.34.0/24 === 10.2.34.0/24 in  (mark 0/0x00000000) 
00:05:15 charon:  13[KNL] querying policy 10.4.34.0/24 === 10.2.34.0/24 fwd  (mark 0/0x00000000) 
00:05:15 charon:  13[KNL] querying policy 10.4.34.0/24 === 10.2.34.0/24 fwd  (mark 0/0x00000000) 
00:05:47 charon:  05[KNL] querying policy 10.3.34.0/24 === 10.2.34.0/24 in  (mark 0/0x00000000) 
00:05:47 charon:  05[KNL] querying policy 10.3.34.0/24 === 10.2.34.0/24 in  (mark 0/0x00000000) 
00:05:47 charon:  05[KNL] querying policy 10.3.34.0/24 === 10.2.34.0/24 fwd  (mark 0/0x00000000) 
00:05:47 charon:  05[KNL] querying policy 10.3.34.0/24 === 10.2.34.0/24 fwd  (mark 0/0x00000000) 
00:06:16 charon:  05[KNL] querying policy 192.168.241.0/24 === 10.2.34.0/24 in  (mark 0/0x00000000) 
00:06:16 charon:  05[KNL] querying policy 192.168.241.0/24 === 10.2.34.0/24 in  (mark 0/0x00000000) 
00:06:16 charon:  05[KNL] querying policy 192.168.241.0/24 === 10.2.34.0/24 fwd  (mark 0/0x00000000) 
00:06:16 charon:  05[KNL] querying policy 192.168.241.0/24 === 10.2.34.0/24 fwd  (mark 0/0x00000000) 
00:07:15 charon:  09[KNL] querying policy 10.4.34.0/24 === 10.2.34.0/24 in  (mark 0/0x00000000) 
00:07:15 charon:  09[KNL] querying policy 10.4.34.0/24 === 10.2.34.0/24 in  (mark 0/0x00000000) 
00:07:15 charon:  09[KNL] querying policy 10.4.34.0/24 === 10.2.34.0/24 fwd  (mark 0/0x00000000) 
00:07:15 charon:  09[KNL] querying policy 10.4.34.0/24 === 10.2.34.0/24 fwd  (mark 0/0x00000000) 
00:07:47 charon:  09[KNL] querying policy 10.3.34.0/24 === 10.2.34.0/24 in  (mark 0/0x00000000) 
00:07:47 charon:  09[KNL] querying policy 10.3.34.0/24 === 10.2.34.0/24 in  (mark 0/0x00000000) 
00:07:47 charon:  09[KNL] querying policy 10.3.34.0/24 === 10.2.34.0/24 fwd  (mark 0/0x00000000) 
00:07:47 charon:  09[KNL] querying policy 10.3.34.0/24 === 10.2.34.0/24 fwd  (mark 0/0x00000000) 
00:08:16 charon:  07[KNL] querying policy 192.168.241.0/24 === 10.2.34.0/24 in  (mark 0/0x00000000) 
00:08:16 charon:  07[KNL] querying policy 192.168.241.0/24 === 10.2.34.0/24 in  (mark 0/0x00000000) 
00:08:16 charon:  07[KNL] querying policy 192.168.241.0/24 === 10.2.34.0/24 fwd  (mark 0/0x00000000) 
00:08:16 charon:  07[KNL] querying policy 192.168.241.0/24 === 10.2.34.0/24 fwd  (mark 0/0x00000000) 
00:09:15 charon:  08[KNL] querying policy 10.4.34.0/24 === 10.2.34.0/24 in  (mark 0/0x00000000) 
00:09:15 charon:  08[KNL] querying policy 10.4.34.0/24 === 10.2.34.0/24 in  (mark 0/0x00000000) 
00:09:15 charon:  08[KNL] querying policy 10.4.34.0/24 === 10.2.34.0/24 fwd  (mark 0/0x00000000) 
00:09:15 charon:  08[KNL] querying policy 10.4.34.0/24 === 10.2.34.0/24 fwd  (mark 0/0x00000000) 
00:09:47 charon:  16[KNL] querying policy 10.3.34.0/24 === 10.2.34.0/24 in  (mark 0/0x00000000) 
00:09:47 charon:  16[KNL] querying policy 10.3.34.0/24 === 10.2.34.0/24 in  (mark 0/0x00000000) 
00:09:47 charon:  16[KNL] querying policy 10.3.34.0/24 === 10.2.34.0/24 fwd  (mark 0/0x00000000) 
00:09:47 charon:  16[KNL] querying policy 10.3.34.0/24 === 10.2.34.0/24 fwd  (mark 0/0x00000000) 
00:10:15 charon:  13[KNL] querying policy 192.168.241.0/24 === 10.2.34.0/24 in  (mark 0/0x00000000) 
00:10:15 charon:  13[KNL] querying policy 192.168.241.0/24 === 10.2.34.0/24 in  (mark 0/0x00000000) 
00:10:15 charon:  13[KNL] querying policy 192.168.241.0/24 === 10.2.34.0/24 fwd  (mark 0/0x00000000) 
00:10:15 charon:  13[KNL] querying policy 192.168.241.0/24 === 10.2.34.0/24 fwd  (mark 0/0x00000000) 
00:11:11 charon:  05[KNL] querying policy 10.4.34.0/24 === 10.2.34.0/24 in  (mark 0/0x00000000) 
00:11:11 charon:  05[KNL] querying policy 10.4.34.0/24 === 10.2.34.0/24 in  (mark 0/0x00000000) 
00:11:11 charon:  05[KNL] querying policy 10.4.34.0/24 === 10.2.34.0/24 fwd  (mark 0/0x00000000) 
00:11:11 charon:  05[KNL] querying policy 10.4.34.0/24 === 10.2.34.0/24 fwd  (mark 0/0x00000000) 
00:11:15 charon:  15[KNL] querying policy 10.4.34.0/24 === 10.2.34.0/24 in  (mark 0/0x00000000) 
00:11:15 charon:  15[KNL] querying policy 10.4.34.0/24 === 10.2.34.0/24 in  (mark 0/0x00000000) 
00:11:15 charon:  15[KNL] querying policy 10.4.34.0/24 === 10.2.34.0/24 fwd  (mark 0/0x00000000) 
00:11:15 charon:  15[KNL] querying policy 10.4.34.0/24 === 10.2.34.0/24 fwd  (mark 0/0x00000000) 
00:11:15 charon:  15[IKE] sending DPD request 
00:11:15 charon:  15[IKE] sending DPD request 
00:11:15 charon:  15[IKE] queueing IKE_DPD task 
00:11:15 charon:  15[IKE] queueing IKE_DPD task 
00:11:15 charon:  15[IKE] activating new tasks 
00:11:15 charon:  15[IKE] activating new tasks 
00:11:15 charon:  15[IKE]   activating IKE_DPD task 
00:11:15 charon:  15[IKE]   activating IKE_DPD task 
00:11:15 charon:  15[ENC] generating INFORMATIONAL request 6 [ ] 
00:11:15 charon:  15[NET] sending packet: from xxx.xxx.xxx.254[4500] to xxx.xxx.xxx.238[4500] (76 bytes) 
00:11:19 charon:  08[IKE] retransmit 1 of request with message ID 6 
00:11:19 charon:  08[IKE] retransmit 1 of request with message ID 6 
00:11:19 charon:  08[NET] sending packet: from xxx.xxx.xxx.254[4500] to xxx.xxx.xxx.238[4500] (76 bytes) 
00:11:27 charon:  03[IKE] retransmit 2 of request with message ID 6 
00:11:27 charon:  03[IKE] retransmit 2 of request with message ID 6 
00:11:27 charon:  03[NET] sending packet: from xxx.xxx.xxx.254[4500] to xxx.xxx.xxx.238[4500] (76 bytes) 
00:11:27 charon:  14[KNL] querying policy 192.168.241.0/24 === 10.2.34.0/24 in  (mark 0/0x00000000) 
00:11:27 charon:  14[KNL] querying policy 192.168.241.0/24 === 10.2.34.0/24 in  (mark 0/0x00000000) 
00:11:27 charon:  14[KNL] querying policy 192.168.241.0/24 === 10.2.34.0/24 fwd  (mark 0/0x00000000) 
00:11:27 charon:  14[KNL] querying policy 192.168.241.0/24 === 10.2.34.0/24 fwd  (mark 0/0x00000000) 
00:11:27 charon:  14[IKE] sending DPD request 
00:11:27 charon:  14[IKE] sending DPD request 
00:11:27 charon:  14[IKE] queueing IKE_DPD task 
00:11:27 charon:  14[IKE] queueing IKE_DPD task 
00:11:27 charon:  14[IKE] activating new tasks 
00:11:27 charon:  14[IKE] activating new tasks 
00:11:27 charon:  14[IKE]   activating IKE_DPD task 
00:11:27 charon:  14[IKE]   activating IKE_DPD task 
00:11:27 charon:  14[ENC] generating INFORMATIONAL request 2 [ ] 
00:11:27 charon:  14[NET] sending packet: from xxx.xxx.xxx.254[4500] to xxx.xxx.xxx.178[4500] (76 bytes) 
00:11:27 charon:  13[KNL] querying policy 10.3.34.0/24 === 10.2.34.0/24 in  (mark 0/0x00000000) 
00:11:27 charon:  13[KNL] querying policy 10.3.34.0/24 === 10.2.34.0/24 in  (mark 0/0x00000000) 
00:11:27 charon:  13[KNL] querying policy 10.3.34.0/24 === 10.2.34.0/24 fwd  (mark 0/0x00000000) 
00:11:27 charon:  13[KNL] querying policy 10.3.34.0/24 === 10.2.34.0/24 fwd  (mark 0/0x00000000) 
00:11:27 charon:  13[IKE] sending DPD request 
00:11:27 charon:  13[IKE] sending DPD request 
00:11:27 charon:  13[IKE] queueing IKE_DPD task 
00:11:27 charon:  13[IKE] queueing IKE_DPD task 
00:11:27 charon:  13[IKE] activating new tasks 
00:11:27 charon:  13[IKE] activating new tasks 
00:11:27 charon:  13[IKE]   activating IKE_DPD task 
00:11:27 charon:  13[IKE]   activating IKE_DPD task 
00:11:27 charon:  13[ENC] generating INFORMATIONAL request 6 [ ] 
00:11:27 charon:  13[NET] sending packet: from xxx.xxx.xxx.254[4500] to xxx.xxx.xxx.211[4500] (76 bytes) 
00:11:31 charon:  15[IKE] retransmit 1 of request with message ID 2 
00:11:31 charon:  15[IKE] retransmit 1 of request with message ID 2 
00:11:31 charon:  15[NET] sending packet: from xxx.xxx.xxx.254[4500] to xxx.xxx.xxx.178[4500] (76 bytes) 
00:11:31 charon:  01[IKE] retransmit 1 of request with message ID 6 
00:11:31 charon:  01[IKE] retransmit 1 of request with message ID 6 
00:11:31 charon:  01[NET] sending packet: from xxx.xxx.xxx.254[4500] to xxx.xxx.xxx.211[4500] (76 bytes) 
00:11:38 charon:  12[IKE] retransmit 2 of request with message ID 2 
00:11:38 charon:  12[IKE] retransmit 2 of request with message ID 2 
00:11:38 charon:  12[NET] sending packet: from xxx.xxx.xxx.254[4500] to xxx.xxx.xxx.178[4500] (76 bytes) 
00:11:38 charon:  16[IKE] retransmit 2 of request with message ID 6 
00:11:38 charon:  16[IKE] retransmit 2 of request with message ID 6 
00:11:38 charon:  16[NET] sending packet: from xxx.xxx.xxx.254[4500] to xxx.xxx.xxx.211[4500] (76 bytes) 
00:11:40 charon:  13[IKE] retransmit 3 of request with message ID 6 
00:11:40 charon:  13[IKE] retransmit 3 of request with message ID 6 
00:11:40 charon:  13[NET] sending packet: from xxx.xxx.xxx.254[4500] to xxx.xxx.xxx.238[4500] (76 bytes) 
00:11:51 charon:  09[IKE] retransmit 3 of request with message ID 2 
00:11:51 charon:  09[IKE] retransmit 3 of request with message ID 2 
00:11:51 charon:  09[NET] sending packet: from xxx.xxx.xxx.254[4500] to xxx.xxx.xxx.178[4500] (76 bytes) 
00:11:51 charon:  08[IKE] retransmit 3 of request with message ID 6 
00:11:51 charon:  08[IKE] retransmit 3 of request with message ID 6 
00:11:51 charon:  08[NET] sending packet: from xxx.xxx.xxx.254[4500] to xxx.xxx.xxx.211[4500] (76 bytes) 
00:12:03 charon:  13[IKE] retransmit 4 of request with message ID 6 
00:12:03 charon:  13[IKE] retransmit 4 of request with message ID 6 
00:12:03 charon:  13[NET] sending packet: from xxx.xxx.xxx.254[4500] to xxx.xxx.xxx.238[4500] (76 bytes) 
00:12:14 charon:  09[IKE] retransmit 4 of request with message ID 2 
00:12:14 charon:  09[IKE] retransmit 4 of request with message ID 2 
00:12:14 charon:  09[NET] sending packet: from xxx.xxx.xxx.254[4500] to xxx.xxx.xxx.178[4500] (76 bytes) 
00:12:15 charon:  08[IKE] retransmit 4 of request with message ID 6 
00:12:15 charon:  08[IKE] retransmit 4 of request with message ID 6 
00:12:15 charon:  08[NET] sending packet: from xxx.xxx.xxx.254[4500] to xxx.xxx.xxx.211[4500] (76 bytes) 
00:12:45 charon:  16[IKE] retransmit 5 of request with message ID 6 
00:12:45 charon:  16[IKE] retransmit 5 of request with message ID 6 
00:12:45 charon:  16[NET] sending packet: from xxx.xxx.xxx.254[4500] to xxx.xxx.xxx.238[4500] (76 bytes) 
00:12:56 charon:  15[IKE] retransmit 5 of request with message ID 2 
00:12:56 charon:  15[IKE] retransmit 5 of request with message ID 2 
00:12:56 charon:  15[NET] sending packet: from xxx.xxx.xxx.254[4500] to xxx.xxx.xxx.178[4500] (76 bytes) 
00:12:57 charon:  01[IKE] retransmit 5 of request with message ID 6 
00:12:57 charon:  01[IKE] retransmit 5 of request with message ID 6 
00:12:57 charon:  01[NET] sending packet: from xxx.xxx.xxx.254[4500] to xxx.xxx.xxx.211[4500] (76 bytes) 
00:14:00 charon:  03[IKE] giving up after 5 retransmits 
00:14:00 charon:  03[IKE] giving up after 5 retransmits 


Updown script executions in Frankfurt
-------------------------------------
The connection failed at or before 00:11:30 according to Icinga, even before the updown script was executed. Of course all times are synced.
Feb 11 22:05:36 gateway charon: 05[CHD] running updown script: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='up-client' PLUTO_CONNECTION='VpnFrankfurtFlorstadt' PLUTO_INTERFACE='red0' PLUTO_REQID='283' PLUTO_PROTO='esp' PLUTO_UNIQUEID='18795' PLUTO_ME='xxx.xxx.xxx.254' PLUTO_MY_ID='xxx.xxx.xxx.254' PLUTO_MY_CLIENT='10.2.34.0/24' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='xxx.xxx.xxx.238' PLUTO_PEER_ID='xxx.xxx.xxx.238' PLUTO_PEER_CLIENT='10.4.34.0/24' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_IPCOMP='1' PLUTO_HOST_ACCESS='1' ipsec _updown iptables
Feb 11 22:05:36 gateway charon: 05[CHD] running updown script: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='up-client' PLUTO_CONNECTION='VpnFrankfurtFlorstadt' PLUTO_INTERFACE='red0' PLUTO_REQID='283' PLUTO_PROTO='esp' PLUTO_UNIQUEID='18795' PLUTO_ME='xxx.xxx.xxx.254' PLUTO_MY_ID='xxx.xxx.xxx.254' PLUTO_MY_CLIENT='10.2.34.0/24' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='xxx.xxx.xxx.238' PLUTO_PEER_ID='xxx.xxx.xxx.238' PLUTO_PEER_CLIENT='10.4.34.0/24' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_IPCOMP='1' PLUTO_HOST_ACCESS='1' ipsec _updown iptables
Feb 12 00:14:01 gateway charon: 03[CHD] running updown script: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='down-client' PLUTO_CONNECTION='VpnFrankfurtFlorstadt' PLUTO_INTERFACE='red0' PLUTO_REQID='283' PLUTO_PROTO='esp' PLUTO_UNIQUEID='18795' PLUTO_ME='xxx.xxx.xxx.254' PLUTO_MY_ID='xxx.xxx.xxx.254' PLUTO_MY_CLIENT='10.2.34.0/24' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='xxx.xxx.xxx.238' PLUTO_PEER_ID='xxx.xxx.xxx.238' PLUTO_PEER_CLIENT='10.4.34.0/24' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_IPCOMP='1' PLUTO_HOST_ACCESS='1' ipsec _updown iptables
Feb 12 00:14:01 gateway charon: 03[CHD] running updown script: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='down-client' PLUTO_CONNECTION='VpnFrankfurtFlorstadt' PLUTO_INTERFACE='red0' PLUTO_REQID='283' PLUTO_PROTO='esp' PLUTO_UNIQUEID='18795' PLUTO_ME='xxx.xxx.xxx.254' PLUTO_MY_ID='xxx.xxx.xxx.254' PLUTO_MY_CLIENT='10.2.34.0/24' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='xxx.xxx.xxx.238' PLUTO_PEER_ID='xxx.xxx.xxx.238' PLUTO_PEER_CLIENT='10.4.34.0/24' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_IPCOMP='1' PLUTO_HOST_ACCESS='1' ipsec _updown iptables
Feb 12 00:14:12 gateway charon: 09[CHD] running updown script: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='down-client' PLUTO_CONNECTION='VpnFrankfurtEssen' PLUTO_INTERFACE='red0' PLUTO_REQID='278' PLUTO_PROTO='esp' PLUTO_UNIQUEID='18793' PLUTO_ME='xxx.xxx.xxx.254' PLUTO_MY_ID='xxx.xxx.xxx.254' PLUTO_MY_CLIENT='10.2.34.0/24' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='xxx.xxx.xxx.178' PLUTO_PEER_ID='xxx.xxx.xxx.178' PLUTO_PEER_CLIENT='192.168.241.0/24' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_IPCOMP='1' PLUTO_HOST_ACCESS='1' ipsec _updown iptables
Feb 12 00:14:12 gateway charon: 09[CHD] running updown script: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='down-client' PLUTO_CONNECTION='VpnFrankfurtEssen' PLUTO_INTERFACE='red0' PLUTO_REQID='278' PLUTO_PROTO='esp' PLUTO_UNIQUEID='18793' PLUTO_ME='xxx.xxx.xxx.254' PLUTO_MY_ID='xxx.xxx.xxx.254' PLUTO_MY_CLIENT='10.2.34.0/24' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='xxx.xxx.xxx.178' PLUTO_PEER_ID='xxx.xxx.xxx.178' PLUTO_PEER_CLIENT='192.168.241.0/24' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_IPCOMP='1' PLUTO_HOST_ACCESS='1' ipsec _updown iptables
Feb 12 00:14:13 gateway charon: 07[CHD] running updown script: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='down-client' PLUTO_CONNECTION='VpnFrankfurtLimburg' PLUTO_INTERFACE='red0' PLUTO_REQID='289' PLUTO_PROTO='esp' PLUTO_UNIQUEID='18794' PLUTO_ME='xxx.xxx.xxx.254' PLUTO_MY_ID='xxx.xxx.xxx.254' PLUTO_MY_CLIENT='10.2.34.0/24' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='xxx.xxx.xxx.211' PLUTO_PEER_ID='xxx.xxx.xxx.211' PLUTO_PEER_CLIENT='10.3.34.0/24' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_IPCOMP='1' PLUTO_HOST_ACCESS='1' ipsec _updown iptables
Feb 12 00:14:13 gateway charon: 07[CHD] running updown script: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='down-client' PLUTO_CONNECTION='VpnFrankfurtLimburg' PLUTO_INTERFACE='red0' PLUTO_REQID='289' PLUTO_PROTO='esp' PLUTO_UNIQUEID='18794' PLUTO_ME='xxx.xxx.xxx.254' PLUTO_MY_ID='xxx.xxx.xxx.254' PLUTO_MY_CLIENT='10.2.34.0/24' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='xxx.xxx.xxx.211' PLUTO_PEER_ID='xxx.xxx.xxx.211' PLUTO_PEER_CLIENT='10.3.34.0/24' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_IPCOMP='1' PLUTO_HOST_ACCESS='1' ipsec _updown iptables
Feb 12 00:14:38 gateway charon: 09[CHD] running updown script: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='up-client' PLUTO_CONNECTION='VpnFrankfurtEssen' PLUTO_INTERFACE='red0' PLUTO_REQID='291' PLUTO_PROTO='esp' PLUTO_UNIQUEID='18799' PLUTO_ME='xxx.xxx.xxx.254' PLUTO_MY_ID='xxx.xxx.xxx.254' PLUTO_MY_CLIENT='10.2.34.0/24' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='xxx.xxx.xxx.178' PLUTO_PEER_ID='xxx.xxx.xxx.178' PLUTO_PEER_CLIENT='192.168.241.0/24' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_IPCOMP='1' PLUTO_HOST_ACCESS='1' ipsec _updown iptables
Feb 12 00:14:38 gateway charon: 09[CHD] running updown script: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='up-client' PLUTO_CONNECTION='VpnFrankfurtEssen' PLUTO_INTERFACE='red0' PLUTO_REQID='291' PLUTO_PROTO='esp' PLUTO_UNIQUEID='18799' PLUTO_ME='xxx.xxx.xxx.254' PLUTO_MY_ID='xxx.xxx.xxx.254' PLUTO_MY_CLIENT='10.2.34.0/24' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='xxx.xxx.xxx.178' PLUTO_PEER_ID='xxx.xxx.xxx.178' PLUTO_PEER_CLIENT='192.168.241.0/24' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_IPCOMP='1' PLUTO_HOST_ACCESS='1' ipsec _updown iptables
Feb 12 00:14:40 gateway charon: 03[CHD] running updown script: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='up-client' PLUTO_CONNECTION='VpnFrankfurtLimburg' PLUTO_INTERFACE='red0' PLUTO_REQID='292' PLUTO_PROTO='esp' PLUTO_UNIQUEID='18800' PLUTO_ME='xxx.xxx.xxx.254' PLUTO_MY_ID='xxx.xxx.xxx.254' PLUTO_MY_CLIENT='10.2.34.0/24' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='xxx.xxx.xxx.211' PLUTO_PEER_ID='xxx.xxx.xxx.211' PLUTO_PEER_CLIENT='10.3.34.0/24' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_IPCOMP='1' PLUTO_HOST_ACCESS='1' ipsec _updown iptables
Feb 12 00:14:40 gateway charon: 03[CHD] running updown script: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='up-client' PLUTO_CONNECTION='VpnFrankfurtLimburg' PLUTO_INTERFACE='red0' PLUTO_REQID='292' PLUTO_PROTO='esp' PLUTO_UNIQUEID='18800' PLUTO_ME='xxx.xxx.xxx.254' PLUTO_MY_ID='xxx.xxx.xxx.254' PLUTO_MY_CLIENT='10.2.34.0/24' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='xxx.xxx.xxx.211' PLUTO_PEER_ID='xxx.xxx.xxx.211' PLUTO_PEER_CLIENT='10.3.34.0/24' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_IPCOMP='1' PLUTO_HOST_ACCESS='1' ipsec _updown iptables
Feb 12 00:14:41 gateway charon: 05[CHD] running updown script: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='down-client' PLUTO_CONNECTION='VpnFrankfurtLimburg' PLUTO_INTERFACE='red0' PLUTO_REQID='292' PLUTO_PROTO='esp' PLUTO_UNIQUEID='18800' PLUTO_ME='xxx.xxx.xxx.254' PLUTO_MY_ID='xxx.xxx.xxx.254' PLUTO_MY_CLIENT='10.2.34.0/24' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='xxx.xxx.xxx.211' PLUTO_PEER_ID='xxx.xxx.xxx.211' PLUTO_PEER_CLIENT='10.3.34.0/24' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_IPCOMP='1' PLUTO_HOST_ACCESS='1' ipsec _updown iptables
Feb 12 00:14:41 gateway charon: 05[CHD] running updown script: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='down-client' PLUTO_CONNECTION='VpnFrankfurtLimburg' PLUTO_INTERFACE='red0' PLUTO_REQID='292' PLUTO_PROTO='esp' PLUTO_UNIQUEID='18800' PLUTO_ME='xxx.xxx.xxx.254' PLUTO_MY_ID='xxx.xxx.xxx.254' PLUTO_MY_CLIENT='10.2.34.0/24' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='xxx.xxx.xxx.211' PLUTO_PEER_ID='xxx.xxx.xxx.211' PLUTO_PEER_CLIENT='10.3.34.0/24' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_IPCOMP='1' PLUTO_HOST_ACCESS='1' ipsec _updown iptables
Feb 12 00:14:49 gateway charon: 03[CHD] running updown script: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='up-client' PLUTO_CONNECTION='VpnFrankfurtFlorstadt' PLUTO_INTERFACE='red0' PLUTO_REQID='293' PLUTO_PROTO='esp' PLUTO_UNIQUEID='18801' PLUTO_ME='xxx.xxx.xxx.254' PLUTO_MY_ID='xxx.xxx.xxx.254' PLUTO_MY_CLIENT='10.2.34.0/24' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='xxx.xxx.xxx.238' PLUTO_PEER_ID='xxx.xxx.xxx.238' PLUTO_PEER_CLIENT='10.4.34.0/24' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_IPCOMP='1' PLUTO_HOST_ACCESS='1' ipsec _updown iptables
Feb 12 00:14:49 gateway charon: 03[CHD] running updown script: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='up-client' PLUTO_CONNECTION='VpnFrankfurtFlorstadt' PLUTO_INTERFACE='red0' PLUTO_REQID='293' PLUTO_PROTO='esp' PLUTO_UNIQUEID='18801' PLUTO_ME='xxx.xxx.xxx.254' PLUTO_MY_ID='xxx.xxx.xxx.254' PLUTO_MY_CLIENT='10.2.34.0/24' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='xxx.xxx.xxx.238' PLUTO_PEER_ID='xxx.xxx.xxx.238' PLUTO_PEER_CLIENT='10.4.34.0/24' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_IPCOMP='1' PLUTO_HOST_ACCESS='1' ipsec _updown iptables
Feb 12 00:15:01 gateway charon: 11[CHD] running updown script: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='down-client' PLUTO_CONNECTION='VpnFrankfurtEssen' PLUTO_INTERFACE='red0' PLUTO_REQID='291' PLUTO_PROTO='esp' PLUTO_UNIQUEID='18799' PLUTO_ME='xxx.xxx.xxx.254' PLUTO_MY_ID='xxx.xxx.xxx.254' PLUTO_MY_CLIENT='10.2.34.0/24' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='xxx.xxx.xxx.178' PLUTO_PEER_ID='xxx.xxx.xxx.178' PLUTO_PEER_CLIENT='192.168.241.0/24' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_IPCOMP='1' PLUTO_HOST_ACCESS='1' ipsec _updown iptables
Feb 12 00:15:01 gateway charon: 11[CHD] running updown script: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='down-client' PLUTO_CONNECTION='VpnFrankfurtEssen' PLUTO_INTERFACE='red0' PLUTO_REQID='291' PLUTO_PROTO='esp' PLUTO_UNIQUEID='18799' PLUTO_ME='xxx.xxx.xxx.254' PLUTO_MY_ID='xxx.xxx.xxx.254' PLUTO_MY_CLIENT='10.2.34.0/24' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='xxx.xxx.xxx.178' PLUTO_PEER_ID='xxx.xxx.xxx.178' PLUTO_PEER_CLIENT='192.168.241.0/24' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_IPCOMP='1' PLUTO_HOST_ACCESS='1' ipsec _updown iptables
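The charon and updown lines above are the kind of evidence a practitioner wants to turn into a check that fires on its own rather than being noticed after the fact. The following Python is an added example, not code from the post or from the strongSwan project: it parses the two line shapes shown above (the `[IKE] retransmit N of request with message ID M` / `[NET] sending packet ... to PEER[port]` pairs, and the `[CHD] running updown script` lines with their `PLUTO_VERB` and `PLUTO_CONNECTION` values), reports which peers reached the DPD retransmit limit, and pairs `down-client` with the next `up-client` per connection to measure how long each tunnel was down. The sample lines are constructed after the Frankfurt log, the peer addresses are documentation-range placeholders, and the year is an assumption because syslog omits it.

```python
"""Detect DPD retransmit exhaustion and tunnel flaps in strongSwan charon syslog lines.

Added example, not code from the mailing-list post or the strongSwan project.
Sample lines are constructed after the post's Frankfurt output; peer addresses
are documentation-range placeholders and the year is assumed (syslog omits it).
"""
import re
from collections import defaultdict
from datetime import datetime

RETRANSMIT = re.compile(r"^\d\d:\d\d:\d\d charon:\s+(?P<thr>\d+)\[IKE\] "
                        r"retransmit (?P<n>\d+) of request with message ID \d+")
SEND = re.compile(r"^\d\d:\d\d:\d\d charon:\s+(?P<thr>\d+)\[NET\] sending packet: "
                  r"from \S+ to (?P<peer>[^\[\s]+)\[\d+\]")
UPDOWN = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d+) (?P<t>\d\d:\d\d:\d\d) \S+ charon: "
                    r"\d+\[CHD\] running updown script: .*PLUTO_VERB='(?P<verb>[^']+)' "
                    r"PLUTO_CONNECTION='(?P<conn>[^']+)'")

def dpd_retransmits(lines):
    """Return {peer: highest retransmit number seen} for INFORMATIONAL (DPD) requests.

    A retransmit line names only the message ID; the peer appears on the [NET]
    line the same worker thread logs right after it, so the two are joined on
    the thread number. A duplicated syslog line just overwrites the same entry.
    """
    pending = {}                     # thread -> retransmit number awaiting its [NET] line
    worst = defaultdict(int)
    for line in lines:
        m = RETRANSMIT.match(line)
        if m:
            pending[m["thr"]] = int(m["n"])
            continue
        m = SEND.match(line)
        if m and m["thr"] in pending:
            worst[m["peer"]] = max(worst[m["peer"]], pending.pop(m["thr"]))
    return dict(worst)

def peers_giving_up(lines, max_retransmits=5):
    """Peers whose DPD request reached the limit (the post's charon gives up after 5)."""
    return sorted(p for p, n in dpd_retransmits(lines).items() if n >= max_retransmits)

def _updown_events(lines, year):
    """Yield (timestamp, verb, connection) for each updown-script line."""
    for line in lines:
        m = UPDOWN.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['t']}", "%Y %b %d %H:%M:%S")
            yield ts, m["verb"], m["conn"]

def updown_outages(lines, year=2015):
    """Return {connection: [seconds from down-client to the next up-client, ...]}."""
    down_at, outages = {}, defaultdict(list)
    for ts, verb, conn in _updown_events(lines, year):
        if verb == "down-client":
            down_at[conn] = ts           # a duplicated line stores the same time again
        elif verb == "up-client" and conn in down_at:
            outages[conn].append(int((ts - down_at.pop(conn)).total_seconds()))
    return dict(outages)

def connections_still_down(lines, year=2015):
    """Connections whose last updown event is down-client with no up-client after it."""
    last = {conn: verb for _, verb, conn in _updown_events(lines, year)}
    return sorted(c for c, v in last.items() if v == "down-client")

# Constructed sample lines (one pair deliberately duplicated, as the post's syslog does).
CHARON_LINES = """\
00:11:15 charon:  15[NET] sending packet: from 203.0.113.254[4500] to 203.0.113.238[4500] (76 bytes)
00:11:19 charon:  08[IKE] retransmit 1 of request with message ID 6
00:11:19 charon:  08[IKE] retransmit 1 of request with message ID 6
00:11:19 charon:  08[NET] sending packet: from 203.0.113.254[4500] to 203.0.113.238[4500] (76 bytes)
00:11:31 charon:  15[IKE] retransmit 1 of request with message ID 2
00:11:31 charon:  15[NET] sending packet: from 203.0.113.254[4500] to 203.0.113.178[4500] (76 bytes)
00:12:45 charon:  16[IKE] retransmit 5 of request with message ID 6
00:12:45 charon:  16[NET] sending packet: from 203.0.113.254[4500] to 203.0.113.238[4500] (76 bytes)
00:12:56 charon:  15[IKE] retransmit 5 of request with message ID 2
00:12:56 charon:  15[NET] sending packet: from 203.0.113.254[4500] to 203.0.113.178[4500] (76 bytes)
00:12:57 charon:  01[IKE] retransmit 2 of request with message ID 6
00:12:57 charon:  01[NET] sending packet: from 203.0.113.254[4500] to 203.0.113.211[4500] (76 bytes)
00:14:00 charon:  03[IKE] giving up after 5 retransmits
""".splitlines()

UPDOWN_LINES = """\
Feb 12 00:14:01 gateway charon: 03[CHD] running updown script: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='down-client' PLUTO_CONNECTION='VpnFrankfurtFlorstadt' PLUTO_REQID='283' ipsec _updown iptables
Feb 12 00:14:01 gateway charon: 03[CHD] running updown script: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='down-client' PLUTO_CONNECTION='VpnFrankfurtFlorstadt' PLUTO_REQID='283' ipsec _updown iptables
Feb 12 00:14:12 gateway charon: 09[CHD] running updown script: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='down-client' PLUTO_CONNECTION='VpnFrankfurtEssen' PLUTO_REQID='278' ipsec _updown iptables
Feb 12 00:14:38 gateway charon: 09[CHD] running updown script: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='up-client' PLUTO_CONNECTION='VpnFrankfurtEssen' PLUTO_REQID='291' ipsec _updown iptables
Feb 12 00:14:49 gateway charon: 03[CHD] running updown script: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='up-client' PLUTO_CONNECTION='VpnFrankfurtFlorstadt' PLUTO_REQID='293' ipsec _updown iptables
Feb 12 00:15:01 gateway charon: 11[CHD] running updown script: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='down-client' PLUTO_CONNECTION='VpnFrankfurtEssen' PLUTO_REQID='291' ipsec _updown iptables
""".splitlines()

if __name__ == "__main__":
    print("retransmits per peer:", dpd_retransmits(CHARON_LINES))
    print("peers at the retransmit limit:", peers_giving_up(CHARON_LINES))
    print("outages in seconds:", updown_outages(UPDOWN_LINES))
    print("still down at end of log:", connections_still_down(UPDOWN_LINES))
```

The join on the worker-thread number is needed because, as in the post's log, neither the `retransmit N` line nor the final `giving up after 5 retransmits` line names the peer; only the `[NET] sending packet` line logged by the same thread does. The updown pairing deliberately tolerates the doubled syslog lines and reports a connection as still down when its last event is `down-client`, which is the case a monitor should page on.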


IPsec status in Essen before connection lost
--------------------------------------------
Time: 2015-02-12 00:01:00
Status of IKE charon daemon (strongSwan 5.2.0, Linux 3.10.44-ipfire, i686):
  uptime: 33 days, since Jan 09 15:53:38 2015
  malloc: sbrk 341152, mmap 0, used 188440, free 152712
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 11
  loaded plugins: charon curl aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-noauth dhcp
Listening IP addresses:
  192.168.241.67
  xxx.xxx.xxx.178
Connections:
VpnEssenFrankfurt:  xxx.xxx.xxx.178...xxx.xxx.xxx.254  IKEv2, dpddelay=120s
VpnEssenFrankfurt:   local:  [xxx.xxx.xxx.178] uses pre-shared key authentication
VpnEssenFrankfurt:   remote: [xxx.xxx.xxx.254] uses pre-shared key authentication
VpnEssenFrankfurt:   child:  192.168.241.0/24 === 10.2.34.0/24 TUNNEL, dpdaction=restart
VpnEssenLimburg:  xxx.xxx.xxx.178...xxx.xxx.xxx.211  IKEv2, dpddelay=120s
VpnEssenLimburg:   local:  [xxx.xxx.xxx.178] uses pre-shared key authentication
VpnEssenLimburg:   remote: [xxx.xxx.xxx.211] uses pre-shared key authentication
VpnEssenLimburg:   child:  192.168.241.0/24 === 10.3.34.0/24 TUNNEL, dpdaction=restart
VpnEssenFlorstadt:  xxx.xxx.xxx.178...xxx.xxx.xxx.238  IKEv2, dpddelay=120s
VpnEssenFlorstadt:   local:  [xxx.xxx.xxx.178] uses pre-shared key authentication
VpnEssenFlorstadt:   remote: [xxx.xxx.xxx.238] uses pre-shared key authentication
VpnEssenFlorstadt:   child:  192.168.241.0/24 === 10.4.34.0/24 TUNNEL, dpdaction=restart
Security Associations (3 up, 0 connecting):
VpnEssenFlorstadt[360]: ESTABLISHED 113 minutes ago, xxx.xxx.xxx.178[xxx.xxx.xxx.178]...xxx.xxx.xxx.238[xxx.xxx.xxx.238]
VpnEssenFlorstadt[360]: IKEv2 SPIs: 1672e20e09f964cb_i* c81d2964432ed277_r, pre-shared key reauthentication in 5 hours
VpnEssenFlorstadt[360]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
VpnEssenFlorstadt{268}:  INSTALLED, TUNNEL, ESP SPIs: ca3ebd84_i c3ece683_o, IPCOMP CPIs: bba4_i 3cd1_o
VpnEssenFlorstadt{268}:  AES_CBC_128/HMAC_SHA1_96, 25470 bytes_i (294 pkts, 4s ago), 24764 bytes_o (294 pkts, 4s ago), rekeying in 17 minutes
VpnEssenFlorstadt{268}:   192.168.241.0/24 === 10.4.34.0/24
VpnEssenLimburg[359]: ESTABLISHED 2 hours ago, xxx.xxx.xxx.178[xxx.xxx.xxx.178]...xxx.xxx.xxx.211[xxx.xxx.xxx.211]
VpnEssenLimburg[359]: IKEv2 SPIs: 482ada766f1f01ff_i* 199b67e53b708df5_r, pre-shared key reauthentication in 5 hours
VpnEssenLimburg[359]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
VpnEssenLimburg{274}:  INSTALLED, TUNNEL, ESP SPIs: c1b5daf6_i cf7e92e7_o, IPCOMP CPIs: b933_i 6d88_o
VpnEssenLimburg{274}:  AES_CBC_128/HMAC_SHA1_96, 55007 bytes_i (656 pkts, 3s ago), 264761 bytes_o (3214 pkts, 1s ago), rekeying in 11 minutes
VpnEssenLimburg{274}:   192.168.241.0/24 === 10.3.34.0/24
VpnEssenFrankfurt[358]: ESTABLISHED 3 hours ago, xxx.xxx.xxx.178[xxx.xxx.xxx.178]...xxx.xxx.xxx.254[xxx.xxx.xxx.254]
VpnEssenFrankfurt[358]: IKEv2 SPIs: 860cc9d8fb9eb58f_i 9dfc6304cfe9da7e_r*, pre-shared key reauthentication in 4 hours
VpnEssenFrankfurt[358]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
VpnEssenFrankfurt{277}:  INSTALLED, TUNNEL, ESP SPIs: c3934b0a_i c65836f7_o, IPCOMP CPIs: ad25_i 98d8_o
VpnEssenFrankfurt{277}:  AES_CBC_128/HMAC_SHA1_96, 132588 bytes_i (1402 pkts, 1s ago), 225100 bytes_o (1449 pkts, 1s ago), rekeying in 3 minutes
VpnEssenFrankfurt{277}:   192.168.241.0/24 === 10.2.34.0/24


IPsec status in Essen after connection lost + updown script
-----------------------------------------------------------
Time: 2015-02-12 01:01:00
Status of IKE charon daemon (strongSwan 5.2.0, Linux 3.10.44-ipfire, i686):
  uptime: 33 days, since Jan 09 15:53:38 2015
  malloc: sbrk 341152, mmap 0, used 180864, free 160288
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 15
  loaded plugins: charon curl aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-noauth dhcp
Listening IP addresses:
  192.168.241.67
  xxx.xxx.xxx.178
Connections:
VpnEssenFrankfurt:  xxx.xxx.xxx.178...xxx.xxx.xxx.254  IKEv2, dpddelay=120s
VpnEssenFrankfurt:   local:  [xxx.xxx.xxx.178] uses pre-shared key authentication
VpnEssenFrankfurt:   remote: [xxx.xxx.xxx.254] uses pre-shared key authentication
VpnEssenFrankfurt:   child:  192.168.241.0/24 === 10.2.34.0/24 TUNNEL, dpdaction=restart
VpnEssenLimburg:  xxx.xxx.xxx.178...xxx.xxx.xxx.211  IKEv2, dpddelay=120s
VpnEssenLimburg:   local:  [xxx.xxx.xxx.178] uses pre-shared key authentication
VpnEssenLimburg:   remote: [xxx.xxx.xxx.211] uses pre-shared key authentication
VpnEssenLimburg:   child:  192.168.241.0/24 === 10.3.34.0/24 TUNNEL, dpdaction=restart
VpnEssenFlorstadt:  xxx.xxx.xxx.178...xxx.xxx.xxx.238  IKEv2, dpddelay=120s
VpnEssenFlorstadt:   local:  [xxx.xxx.xxx.178] uses pre-shared key authentication
VpnEssenFlorstadt:   remote: [xxx.xxx.xxx.238] uses pre-shared key authentication
VpnEssenFlorstadt:   child:  192.168.241.0/24 === 10.4.34.0/24 TUNNEL, dpdaction=restart
Security Associations (2 up, 0 connecting):
VpnEssenFlorstadt[360]: ESTABLISHED 2 hours ago, xxx.xxx.xxx.178[xxx.xxx.xxx.178]...xxx.xxx.xxx.238[xxx.xxx.xxx.238]
VpnEssenFlorstadt[360]: IKEv2 SPIs: 1672e20e09f964cb_i* c81d2964432ed277_r, pre-shared key reauthentication in 4 hours
VpnEssenFlorstadt[360]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
VpnEssenFlorstadt{268}:  INSTALLED, TUNNEL, ESP SPIs: c549f584_i c6cfde80_o, IPCOMP CPIs: 881a_i 1edf_o
VpnEssenFlorstadt{268}:  AES_CBC_128/HMAC_SHA1_96, 41636 bytes_i (481 pkts, 5s ago), 40516 bytes_o (481 pkts, 5s ago), rekeying in 3 seconds
VpnEssenFlorstadt{268}:   192.168.241.0/24 === 10.4.34.0/24
VpnEssenLimburg[359]: ESTABLISHED 3 hours ago, xxx.xxx.xxx.178[xxx.xxx.xxx.178]...xxx.xxx.xxx.211[xxx.xxx.xxx.211]
VpnEssenLimburg[359]: IKEv2 SPIs: 482ada766f1f01ff_i* 199b67e53b708df5_r, pre-shared key reauthentication in 4 hours
VpnEssenLimburg[359]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
VpnEssenLimburg{274}:  INSTALLED, TUNNEL, ESP SPIs: c388a508_i cf4bd6ea_o, IPCOMP CPIs: a212_i 72f0_o
VpnEssenLimburg{274}:  AES_CBC_128/HMAC_SHA1_96, 6468 bytes_i (77 pkts, 3s ago), 31122 bytes_o (378 pkts, 1s ago), rekeying in 44 minutes
VpnEssenLimburg{274}:   192.168.241.0/24 === 10.3.34.0/24


IPsec status in Frankfurt before connection lost
------------------------------------------------
Time: 2015-02-12 00:01:01
Status of IKE charon daemon (strongSwan 5.2.0, Linux 3.10.44-ipfire, i686):
  uptime: 33 days, since Jan 09 16:23:56 2015
  malloc: sbrk 345328, mmap 0, used 202784, free 142544
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 12
  loaded plugins: charon curl aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-noauth dhcp
Listening IP addresses:
  10.2.34.1
  xxx.xxx.xxx.254
Connections:
VpnFrankfurtFlorstadt:  xxx.xxx.xxx.254...xxx.xxx.xxx.238  IKEv2, dpddelay=120s
VpnFrankfurtFlorstadt:   local:  [xxx.xxx.xxx.254] uses pre-shared key authentication
VpnFrankfurtFlorstadt:   remote: [xxx.xxx.xxx.238] uses pre-shared key authentication
VpnFrankfurtFlorstadt:   child:  10.2.34.0/24 === 10.4.34.0/24 TUNNEL, dpdaction=restart
VpnFrankfurtEssen:  xxx.xxx.xxx.254...xxx.xxx.xxx.178  IKEv2, dpddelay=120s
VpnFrankfurtEssen:   local:  [xxx.xxx.xxx.254] uses pre-shared key authentication
VpnFrankfurtEssen:   remote: [xxx.xxx.xxx.178] uses pre-shared key authentication
VpnFrankfurtEssen:   child:  10.2.34.0/24 === 192.168.241.0/24 TUNNEL, dpdaction=restart
VpnFrankfurtLimburg:  xxx.xxx.xxx.254...xxx.xxx.xxx.211  IKEv2, dpddelay=120s
VpnFrankfurtLimburg:   local:  [xxx.xxx.xxx.254] uses pre-shared key authentication
VpnFrankfurtLimburg:   remote: [xxx.xxx.xxx.211] uses pre-shared key authentication
VpnFrankfurtLimburg:   child:  10.2.34.0/24 === 10.3.34.0/24 TUNNEL, dpdaction=restart
Security Associations (3 up, 0 connecting):
VpnFrankfurtFlorstadt[18795]: ESTABLISHED 115 minutes ago, xxx.xxx.xxx.254[xxx.xxx.xxx.254]...xxx.xxx.xxx.238[xxx.xxx.xxx.238]
VpnFrankfurtFlorstadt[18795]: IKEv2 SPIs: 9d6b7a3d18dcd3a7_i* 90e8d8608bc9f5ec_r, pre-shared key reauthentication in 5 hours
VpnFrankfurtFlorstadt[18795]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
VpnFrankfurtFlorstadt{283}:  INSTALLED, TUNNEL, ESP SPIs: c6ad6d82_i cf0abe45_o, IPCOMP CPIs: 44d9_i 568f_o
VpnFrankfurtFlorstadt{283}:  AES_CBC_128/HMAC_SHA1_96, 194585 bytes_i (514 pkts, 25s ago), 200851 bytes_o (522 pkts, 26s ago), rekeying in 24 minutes
VpnFrankfurtFlorstadt{283}:   10.2.34.0/24 === 10.4.34.0/24
VpnFrankfurtLimburg[18794]: ESTABLISHED 118 minutes ago, xxx.xxx.xxx.254[xxx.xxx.xxx.254]...xxx.xxx.xxx.211[xxx.xxx.xxx.211]
VpnFrankfurtLimburg[18794]: IKEv2 SPIs: 401e534f568aa1a1_i* 731d9c46a3f89393_r, pre-shared key reauthentication in 5 hours
VpnFrankfurtLimburg[18794]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
VpnFrankfurtLimburg{289}:  INSTALLED, TUNNEL, ESP SPIs: cdcc9c20_i cc957ba1_o, IPCOMP CPIs: c072_i 2873_o
VpnFrankfurtLimburg{289}:  AES_CBC_128/HMAC_SHA1_96, 144112 bytes_i (376 pkts, 9s ago), 145595 bytes_o (384 pkts, 9s ago), rekeying in 21 minutes
VpnFrankfurtLimburg{289}:   10.2.34.0/24 === 10.3.34.0/24
VpnFrankfurtEssen[18793]: ESTABLISHED 3 hours ago, xxx.xxx.xxx.254[xxx.xxx.xxx.254]...xxx.xxx.xxx.178[xxx.xxx.xxx.178]
VpnFrankfurtEssen[18793]: IKEv2 SPIs: 860cc9d8fb9eb58f_i* 9dfc6304cfe9da7e_r, pre-shared key reauthentication in 4 hours
VpnFrankfurtEssen[18793]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
VpnFrankfurtEssen{278}:  INSTALLED, TUNNEL, ESP SPIs: c65836f7_i c3934b0a_o, IPCOMP CPIs: 98d8_i ad25_o
VpnFrankfurtEssen{278}:  AES_CBC_128/HMAC_SHA1_96, 225184 bytes_i (1450 pkts, 1s ago), 132672 bytes_o (1403 pkts, 1s ago), rekeying in 61 minutes
VpnFrankfurtEssen{278}:   10.2.34.0/24 === 192.168.241.0/24


IPsec status in Frankfurt after connection lost + updown script
---------------------------------------------------------------
Time: 2015-02-12 01:01:01
Status of IKE charon daemon (strongSwan 5.2.0, Linux 3.10.44-ipfire, i686):
  uptime: 33 days, since Jan 09 16:23:56 2015
  malloc: sbrk 345328, mmap 0, used 184640, free 160688
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 33
  loaded plugins: charon curl aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-noauth dhcp
Listening IP addresses:
  10.2.34.1
  xxx.xxx.xxx.254
Connections:
VpnFrankfurtFlorstadt:  xxx.xxx.xxx.254...xxx.xxx.xxx.238  IKEv2, dpddelay=120s
VpnFrankfurtFlorstadt:   local:  [xxx.xxx.xxx.254] uses pre-shared key authentication
VpnFrankfurtFlorstadt:   remote: [xxx.xxx.xxx.238] uses pre-shared key authentication
VpnFrankfurtFlorstadt:   child:  10.2.34.0/24 === 10.4.34.0/24 TUNNEL, dpdaction=restart
VpnFrankfurtEssen:  xxx.xxx.xxx.254...xxx.xxx.xxx.178  IKEv2, dpddelay=120s
VpnFrankfurtEssen:   local:  [xxx.xxx.xxx.254] uses pre-shared key authentication
VpnFrankfurtEssen:   remote: [xxx.xxx.xxx.178] uses pre-shared key authentication
VpnFrankfurtEssen:   child:  10.2.34.0/24 === 192.168.241.0/24 TUNNEL, dpdaction=restart
VpnFrankfurtLimburg:  xxx.xxx.xxx.254...xxx.xxx.xxx.211  IKEv2, dpddelay=120s
VpnFrankfurtLimburg:   local:  [xxx.xxx.xxx.254] uses pre-shared key authentication
VpnFrankfurtLimburg:   remote: [xxx.xxx.xxx.211] uses pre-shared key authentication
VpnFrankfurtLimburg:   child:  10.2.34.0/24 === 10.3.34.0/24 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
VpnFrankfurtFlorstadt[18804]: ESTABLISHED 18 minutes ago, xxx.xxx.xxx.254[xxx.xxx.xxx.254]...xxx.xxx.xxx.238[xxx.xxx.xxx.238]
VpnFrankfurtFlorstadt[18804]: IKEv2 SPIs: d98ed3c7efdf3ec6_i 18608cc0abfb5437_r*, pre-shared key reauthentication in 7 hours
VpnFrankfurtFlorstadt[18804]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048


Does anybody have any idea why this could happen? Any help is greatly appreciated.


Kind regards
Andreas Braun



-----Original Message-----
From: Martin Willi [mailto:martin at strongswan.org]
Sent: Tuesday, 20 January 2015 15:24
To: andreas.braun at bagus.de
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] Problem with rekey collisions


Hi Andreas,

> Now my problem is that tunnels between devices break every few days. The log
> states that strongSwan detects a CHILD_REKEY collision, then it resolves the
> collision, but no traffic is going through.

> I noticed that after a rekey collision, some iptables rules were gone. I
> still have to verify this in the production system.

Most likely we falsely invoke the updown script with a "down" event for
that rekey collision, as that CHILD_SA gets deleted (but actually is
still up with the "winning" instance). Probably we can fix that, but I
don't know how trivial it is.

> RETURN     all  --  10.1.34.0/24         10.2.34.0/24         policy match dir in pol ipsec reqid 1 proto 50
> MARK       all  --  10.2.34.0/24         10.1.34.0/24         policy match dir out pol ipsec reqid 1 proto 50 MARK set 0x32

Seems that there are some complex firewall rules involved, not sure if
that is provided by your IPFire distribution or if these are your custom
rules.

As a work-around, you could consider using static policy matching IPsec
rules (not for specific subnets) instead of those installed with updown.
But I really don't know if that works for your specific rules.

> 1.) Is there any way to check whether rekey time randomization really works
> as it should?

Given that they are triggered randomly, I'd guess that works as
expected/configured.

> 2.) Could you tell me why I am getting CHILD_REKEY collisions every few
> days? Is that to be expected?

Depends on your rekey configuration, latencies etc. Not unlikely that
these can happen, especially if you rekey every 40 minutes. You might
consider adjusting your rekey interval, margin and fuzz to reduce
collision probability.

Also you can use a shorter rekey time on one end, so rekeying is
guaranteed to get initiated by the same end only. This should make it
impossible that a collision happens if the options are chosen
carefully. 

> 3.) Any idea why the iptables rules get changed after rekey collision?

As said, most likely because we invoke that updown hook once too often
in that specific collision case.

Regards
Martin
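The rekey-timing arithmetic behind Martin's suggestion, as an added example that is not part of this thread and not strongSwan's own code. It derives each peer's rekey window from keylife/lifetime, margintime and rekeyfuzz the way the ipsec.conf defaults describe it (a random point between lifetime - margintime - margintime*rekeyfuzz/100 and lifetime - margintime; with the 9m/100% defaults a 1h keylife rekeys between 42 and 51 minutes), checks whether the two windows can overlap, and confirms that the short-lived side always rekeys before the long-lived peer would hard-expire the CHILD_SA. Inputs are the values from the thread (40 minutes on both sides earlier; 1h on one side and 2h on the other now, with default margintime and rekeyfuzz); the function names and the one-second "simultaneous" threshold in the simulation are assumptions of this example, not strongSwan constants.

```python
"""Rekey-window check for two strongSwan peers (added example, not from the thread).

strongSwan derives the CHILD_SA rekey time from keylife (lifetime),
margintime and rekeyfuzz in ipsec.conf:

    latest   = lifetime - margintime
    earliest = latest - margintime * rekeyfuzz / 100
    rekey at a random point in [earliest, latest]

With the defaults (margintime=9m, rekeyfuzz=100%) a 1h keylife rekeys
between 42 and 51 minutes after the SA was installed.  Both peers install
a new CHILD_SA at almost the same moment, so if their windows overlap,
both may start CREATE_CHILD_SA at once: a rekey collision.
"""
import random

MARGINTIME = 9 * 60   # ipsec.conf default margintime, in seconds
REKEYFUZZ = 100       # ipsec.conf default rekeyfuzz, in percent


def rekey_window(lifetime, margin=MARGINTIME, fuzz=REKEYFUZZ):
    """Return (earliest, latest) rekey time in seconds after SA install."""
    if margin >= lifetime:
        raise ValueError("margintime must be shorter than the lifetime")
    latest = lifetime - margin
    earliest = latest - margin * fuzz // 100
    return earliest, latest


def windows_overlap(lifetime_a, lifetime_b, margin=MARGINTIME, fuzz=REKEYFUZZ):
    """True if both peers could pick rekey times in the same interval."""
    a_lo, a_hi = rekey_window(lifetime_a, margin, fuzz)
    b_lo, b_hi = rekey_window(lifetime_b, margin, fuzz)
    return not (a_hi < b_lo or b_hi < a_lo)


def single_initiator_ok(lifetime_short, lifetime_long,
                        margin=MARGINTIME, fuzz=REKEYFUZZ):
    """Check that the short-lived side always rekeys first, and does so
    before the long-lived peer would hard-expire (delete) the CHILD_SA."""
    s_lo, s_hi = rekey_window(lifetime_short, margin, fuzz)
    l_lo, l_hi = rekey_window(lifetime_long, margin, fuzz)
    return s_hi < l_lo and s_hi < lifetime_long


def simulate(lifetime_a, lifetime_b, rounds=10000, rtt=1, seed=1,
             margin=MARGINTIME, fuzz=REKEYFUZZ):
    """Draw random rekey times for both peers (uniform within each window, as
    strongSwan does) and count which side initiates.  Two rekeys closer than
    `rtt` seconds count as a collision; the 1 s default is an assumption of
    this example, not a strongSwan parameter."""
    rng = random.Random(seed)
    a_lo, a_hi = rekey_window(lifetime_a, margin, fuzz)
    b_lo, b_hi = rekey_window(lifetime_b, margin, fuzz)
    stats = {"a_first": 0, "b_first": 0, "collision": 0}
    for _ in range(rounds):
        ta = rng.randint(a_lo, a_hi)
        tb = rng.randint(b_lo, b_hi)
        if abs(ta - tb) <= rtt:
            stats["collision"] += 1
        elif ta < tb:
            stats["a_first"] += 1
        else:
            stats["b_first"] += 1
    return stats


if __name__ == "__main__":
    # The earlier setup from the thread: both sides rekey every 40 minutes.
    print("40m/40m windows:", rekey_window(40 * 60), rekey_window(40 * 60))
    print("overlap:", windows_overlap(40 * 60, 40 * 60),
          simulate(40 * 60, 40 * 60))
    # Martin's suggestion as applied: keylife=1h on one side, 2h on the other.
    print("1h/2h windows:", rekey_window(3600), rekey_window(7200))
    print("overlap:", windows_overlap(3600, 7200),
          "single initiator:", single_initiator_ok(3600, 7200))
    print(simulate(3600, 7200))
```

With identical 40-minute lifetimes both peers draw from the same 22 to 31 minute window, so collisions are only a matter of time; with 1h against 2h the windows are 42 to 51 minutes versus 102 to 111 minutes and the 1h side initiates every time, well before the 2h side's hard expiry. The same margintime/rekeyfuzz rule applies to ikelifetime, which is the separate IKE_SA timer the status output shows as "pre-shared key reauthentication in 4 hours"; this check says nothing about that timer or about the updown hook behaviour Martin describes.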


