[strongSwan] Site-to-Site with Cisco devices

Tom Rymes trymes at rymes.com
Sun Nov 29 04:24:01 CET 2015


On Nov 28, 2015, at 1:58 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
> Hello Tom,
> 
> Provide logs and configuration details, so we can aid you in debugging it.
> We can't help you without detailed information.
> It's probably a configuration problem.

Thanks, Noel. For the record, I am using Cisco Configuration Professional Express 3.2, which is a web interface. I’m not certain that I will end up using that interface, but it’s what I am testing now. I did experience this issue before when trying to connect to a software vendor’s Cisco ASA.

OK, I have set up another test connection. One thing I noticed right away is that I can get the tunnel up, but I cannot get traffic to flow (that might be a firewall issue on the Cisco end). However, “ipsec status” shows this. I have no idea why there are three child SAs after only two minutes (the log below shows the Cisco side sending a CREATE_CHILD_SA request roughly once a minute, with no DELETE for the earlier CHILD_SAs):

   ciscotest[218]: ESTABLISHED 2 minutes ago, 75.144.180.161[75.144.180.161]...70.90.104.189[70.90.104.189]
   ciscotest{972}:  INSTALLED, TUNNEL, reqid 57, ESP SPIs: cd9d4ba9_i 927d8324_o
   ciscotest{972}:   10.2.0.0/16 === 10.10.10.0/24 
   ciscotest{973}:  INSTALLED, TUNNEL, reqid 57, ESP SPIs: c54b639d_i ca4c6022_o
   ciscotest{973}:   10.2.0.0/16 === 10.10.10.0/24 
   ciscotest{974}:  INSTALLED, TUNNEL, reqid 57, ESP SPIs: c81b266c_i b563d7f6_o
   ciscotest{974}:   10.2.0.0/16 === 10.10.10.0/24 

The strongSwan config (ipsec.conf) looks like this:

# ipsec.conf in strongSwan's starter/stroke format. The /var/ipfire paths used
# below suggest this is an IPFire gateway, with site-specific conns pulled in
# from /etc/ipsec.user.conf — confirm.
version 2

# Settings inherited by every conn section in this file.
conn %default
	# keep re-initiating auto=start conns indefinitely instead of giving up
	keyingtries=%forever

include /etc/ipsec.user.conf

# IKEv2 site-to-site to the peer at ip.add.res.s2, RSA-certificate authenticated.
conn Data
	left=ip.add.res.s1
	leftsubnet=10.2.0.0/16
	# let the updown script add firewall rules and allow the gateway host
	# itself (not just leftsubnet) to reach the remote subnet
	leftfirewall=yes
	lefthostaccess=yes
	right=ip.add.res.s2
	rightsubnet=10.100.0.0/23
	# local and peer end-entity certificates used for authby=rsasig below
	leftcert=/var/ipfire/certs/hostcert.pem
	rightcert=/var/ipfire/certs/Datacert.pem
	leftid="@lefthost"
	rightid="@righthost"
	# AES-CBC with HMAC-SHA2-256 and Brainpool ECDH groups only. Each ESP
	# proposal also names a DH group, so PFS is requested on CHILD_SA rekeys.
	ike=aes256-sha2_256-ecp512bp,aes256-sha2_256-ecp384bp,aes256-sha2_256-ecp256bp,aes256-sha2_256-ecp224bp,aes192-sha2_256-ecp512bp,aes192-sha2_256-ecp384bp,aes192-sha2_256-ecp256bp,aes192-sha2_256-ecp224bp,aes128-sha2_256-ecp512bp,aes128-sha2_256-ecp384bp,aes128-sha2_256-ecp256bp,aes128-sha2_256-ecp224bp
	esp=aes256-sha2_256-ecp512bp,aes256-sha2_256-ecp384bp,aes256-sha2_256-ecp256bp,aes256-sha2_256-ecp224bp,aes192-sha2_256-ecp512bp,aes192-sha2_256-ecp384bp,aes192-sha2_256-ecp256bp,aes192-sha2_256-ecp224bp,aes128-sha2_256-ecp512bp,aes128-sha2_256-ecp384bp,aes128-sha2_256-ecp256bp,aes128-sha2_256-ecp224bp
	keyexchange=ikev2
	# IKE_SA reauth after 8h, CHILD_SA rekey after 1h
	ikelifetime=8h
	keylife=1h
	# IPComp is proposed; only takes effect if the peer accepts it
	compress=yes
	# DPD probe every 30s; after 120s without a reply tear down and reconnect
	dpdaction=restart
	dpddelay=30
	dpdtimeout=120
	# RSA signature authentication using the certificates named above
	authby=rsasig
	leftrsasigkey=%cert
	rightrsasigkey=%cert
	auto=start
	# IKE fragmentation helps large IKE_AUTH messages carrying certificates
	fragmentation=yes

# IKEv2 site-to-site to the Cisco router at ip.add.res.s3, PSK authenticated.
# No leftid/rightid are set, so both identities default to the IP addresses —
# which is what the Cisco profile's "match identity remote address" relies on.
conn ciscotest
	left=ip.add.res.s1
	leftsubnet=10.2.0.0/16
	leftfirewall=yes
	lefthostaccess=yes
	right=ip.add.res.s3
	# the Cisco end is a VTI (Tunnel0, "tunnel mode ipsec ipv4"), which
	# normally proposes any/any selectors; strongSwan narrows them to
	# leftsubnet/rightsubnet. NOTE(review): the Cisco side keeps creating
	# additional CHILD_SAs for the same selectors about once a minute without
	# deleting the old ones — presumably related to that narrowing; check
	# "show crypto ipsec sa" on the router.
	rightsubnet=10.10.10.0/24
	# Deliberately wide list mirroring the Cisco "crypto ikev2 proposal
	# default" (integrity sha512..md5, DH groups 5 and 2). "sha" is SHA-1;
	# md5 and modp1024 (group 2) are deprecated — remove them on both ends
	# once interoperability is confirmed.
	ike=aes256-sha2_512-modp1536,aes256-sha2_512-modp1024,aes256-sha2_384-modp1536,aes256-sha2_384-modp1024,aes256-sha2_256-modp1536,aes256-sha2_256-modp1024,aes256-sha-modp1536,aes256-sha-modp1024,aes256-md5-modp1536,aes256-md5-modp1024,aes192-sha2_512-modp1536,aes192-sha2_512-modp1024,aes192-sha2_384-modp1536,aes192-sha2_384-modp1024,aes192-sha2_256-modp1536,aes192-sha2_256-modp1024,aes192-sha-modp1536,aes192-sha-modp1024,aes192-md5-modp1536,aes192-md5-modp1024,aes128-sha2_512-modp1536,aes128-sha2_512-modp1024,aes128-sha2_384-modp1536,aes128-sha2_384-modp1024,aes128-sha2_256-modp1536,aes128-sha2_256-modp1024,aes128-sha-modp1536,aes128-sha-modp1024,aes128-md5-modp1536,aes128-md5-modp1024
	# Every ESP proposal carries a DH group, i.e. PFS is requested on rekey.
	# The Cisco ipsec profile has no "set pfs" and its CREATE_CHILD_SA
	# requests in the log carry no KE payload; the Cisco transform set is
	# AES-128-CBC + HMAC-SHA1, which only matches the aes128-sha1-* entries.
	# Check the selected proposal with "ipsec statusall".
	esp=aes256-sha2_512-modp1536,aes256-sha2_512-modp1024,aes256-sha2_384-modp1536,aes256-sha2_384-modp1024,aes256-sha2_256-modp1536,aes256-sha2_256-modp1024,aes256-sha1-modp1536,aes256-sha1-modp1024,aes256-md5-modp1536,aes256-md5-modp1024,aes192-sha2_512-modp1536,aes192-sha2_512-modp1024,aes192-sha2_384-modp1536,aes192-sha2_384-modp1024,aes192-sha2_256-modp1536,aes192-sha2_256-modp1024,aes192-sha1-modp1536,aes192-sha1-modp1024,aes192-md5-modp1536,aes192-md5-modp1024,aes128-sha2_512-modp1536,aes128-sha2_512-modp1024,aes128-sha2_384-modp1536,aes128-sha2_384-modp1024,aes128-sha2_256-modp1536,aes128-sha2_256-modp1024,aes128-sha1-modp1536,aes128-sha1-modp1024,aes128-md5-modp1536,aes128-md5-modp1024
	keyexchange=ikev2
	ikelifetime=3h
	keylife=1h
	# IPComp is proposed; nothing on the Cisco side configures it, so it is
	# presumably not negotiated — confirm
	compress=yes
	# strongSwan DPD every 30s / dead after 120s. The router additionally
	# runs its own periodic DPD every 10s ("crypto ikev2 dpd 10 2 periodic"),
	# which shows up in the log as the empty INFORMATIONAL requests.
	dpdaction=restart
	dpddelay=30
	dpdtimeout=120
	# PSK comes from ipsec.secrets. In the log the first IKE_AUTH failed with
	# "MAC mismatched" and the retry nine seconds later succeeded — presumably
	# the secret was changed in between; make sure only one entry matches
	# this peer.
	authby=secret
	auto=start
	fragmentation=yes

# IKEv2 site-to-site to the peer at ip.add.res.s4, RSA-certificate authenticated.
conn NumberThree
	left=ip.add.res.s1
	leftsubnet=10.2.0.0/16
	leftfirewall=yes
	lefthostaccess=yes
	right=ip.add.res.s4
	rightsubnet=192.168.0.0/21
	leftcert=/var/ipfire/certs/hostcert.pem
	rightcert=/var/ipfire/certs/NumberThreecert.pem
	leftid="@lefthost"
	rightid="@righthost2"
	# AES-GCM (128/96/64-bit ICV) and AES-CBC variants with Brainpool ECDH.
	# For the AEAD entries the sha2_* term is the PRF, not a separate
	# integrity algorithm.
	ike=aes256gcm128-sha2_512-ecp512bp,aes256gcm128-sha2_512-ecp384bp,aes256gcm128-sha2_512-ecp256bp,aes256gcm128-sha2_512-ecp224bp,aes256gcm128-sha2_256-ecp512bp,aes256gcm128-sha2_256-ecp384bp,aes256gcm128-sha2_256-ecp256bp,aes256gcm128-sha2_256-ecp224bp,aes256gcm96-sha2_512-ecp512bp,aes256gcm96-sha2_512-ecp384bp,aes256gcm96-sha2_512-ecp256bp,aes256gcm96-sha2_512-ecp224bp,aes256gcm96-sha2_256-ecp512bp,aes256gcm96-sha2_256-ecp384bp,aes256gcm96-sha2_256-ecp256bp,aes256gcm96-sha2_256-ecp224bp,aes256gcm64-sha2_512-ecp512bp,aes256gcm64-sha2_512-ecp384bp,aes256gcm64-sha2_512-ecp256bp,aes256gcm64-sha2_512-ecp224bp,aes256gcm64-sha2_256-ecp512bp,aes256gcm64-sha2_256-ecp384bp,aes256gcm64-sha2_256-ecp256bp,aes256gcm64-sha2_256-ecp224bp,aes256-sha2_512-ecp512bp,aes256-sha2_512-ecp384bp,aes256-sha2_512-ecp256bp,aes256-sha2_512-ecp224bp,aes256-sha2_256-ecp512bp,aes256-sha2_256-ecp384bp,aes256-sha2_256-ecp256bp,aes256-sha2_256-ecp224bp,aes192gcm128-sha2_512-ecp512bp,aes192gcm128-sha2_512-ecp384bp,aes192gcm128-sha2_512-ecp256bp,aes192gcm128-sha2_512-ecp224bp,aes192gcm128-sha2_256-ecp512bp,aes192gcm128-sha2_256-ecp384bp,aes192gcm128-sha2_256-ecp256bp,aes192gcm128-sha2_256-ecp224bp,aes192gcm96-sha2_512-ecp512bp,aes192gcm96-sha2_512-ecp384bp,aes192gcm96-sha2_512-ecp256bp,aes192gcm96-sha2_512-ecp224bp,aes192gcm96-sha2_256-ecp512bp,aes192gcm96-sha2_256-ecp384bp,aes192gcm96-sha2_256-ecp256bp,aes192gcm96-sha2_256-ecp224bp,aes192gcm64-sha2_512-ecp512bp,aes192gcm64-sha2_512-ecp384bp,aes192gcm64-sha2_512-ecp256bp,aes192gcm64-sha2_512-ecp224bp,aes192gcm64-sha2_256-ecp512bp,aes192gcm64-sha2_256-ecp384bp,aes192gcm64-sha2_256-ecp256bp,aes192gcm64-sha2_256-ecp224bp,aes192-sha2_512-ecp512bp,aes192-sha2_512-ecp384bp,aes192-sha2_512-ecp256bp,aes192-sha2_512-ecp224bp,aes192-sha2_256-ecp512bp,aes192-sha2_256-ecp384bp,aes192-sha2_256-ecp256bp,aes192-sha2_256-ecp224bp
	# GCM entries correctly omit a separate integrity algorithm; every entry
	# names a DH group, so PFS is requested on rekey.
	esp=aes256gcm128-ecp512bp,aes256gcm128-ecp384bp,aes256gcm128-ecp256bp,aes256gcm128-ecp224bp,aes256gcm96-ecp512bp,aes256gcm96-ecp384bp,aes256gcm96-ecp256bp,aes256gcm96-ecp224bp,aes256gcm64-ecp512bp,aes256gcm64-ecp384bp,aes256gcm64-ecp256bp,aes256gcm64-ecp224bp,aes256-sha2_512-ecp512bp,aes256-sha2_512-ecp384bp,aes256-sha2_512-ecp256bp,aes256-sha2_512-ecp224bp,aes256-sha2_256-ecp512bp,aes256-sha2_256-ecp384bp,aes256-sha2_256-ecp256bp,aes256-sha2_256-ecp224bp,aes192gcm128-ecp512bp,aes192gcm128-ecp384bp,aes192gcm128-ecp256bp,aes192gcm128-ecp224bp,aes192gcm96-ecp512bp,aes192gcm96-ecp384bp,aes192gcm96-ecp256bp,aes192gcm96-ecp224bp,aes192gcm64-ecp512bp,aes192gcm64-ecp384bp,aes192gcm64-ecp256bp,aes192gcm64-ecp224bp,aes192-sha2_512-ecp512bp,aes192-sha2_512-ecp384bp,aes192-sha2_512-ecp256bp,aes192-sha2_512-ecp224bp,aes192-sha2_256-ecp512bp,aes192-sha2_256-ecp384bp,aes192-sha2_256-ecp256bp,aes192-sha2_256-ecp224bp
	keyexchange=ikev2
	ikelifetime=3h
	keylife=1h
	compress=yes
	# DPD probe every 30s; reconnect after 120s without a reply
	dpdaction=restart
	dpddelay=30
	dpdtimeout=120
	authby=rsasig
	leftrsasigkey=%cert
	rightrsasigkey=%cert
	auto=start
	fragmentation=yes

————————————————————————————————————————————

From there, the Cisco config looks like this (it’s the whole thing, with secrets replaced by placeholders):

! Last configuration change at 21:19:07 GMT Sat Nov 28 2015 by admin
! NVRAM config last updated at 21:19:02 GMT Sat Nov 28 2015 by admin
!
version 15.5
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname myrouter
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
aaa authorization network local-group-author-list local 
!
aaa session-id common
ethernet lmi ce
memory-size iomem 10
clock timezone GMT -5 0
!
crypto pki trustpoint TP-self-signed-340
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-340
 revocation-check none
 rsakeypair TP-self-signed-340
!
!
crypto pki certificate chain TP-self-signed-340
 certificate self-signed 01

[SNIP]

  	quit
!
ip nbar http-services
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool ccp-pool
 import all
 network 10.10.10.0 255.255.255.248
 default-router 10.10.10.1 
 dns-server 75.75.75.75 75.75.76.76 
 lease 0 2
!
ip domain name mydomain.dom
ip name-server 75.75.75.75
ip name-server 75.75.76.76
ip cef
no ipv6 cef
!
flow record nbar-appmon
 match ipv4 source address
 match ipv4 destination address
 match application name
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp absolute first
 collect timestamp absolute last
!
flow monitor application-mon
 cache timeout active 60
 record nbar-appmon
!
parameter-map type inspect global
 max-incomplete low 18000
 max-incomplete high 20000
 nbar-classify
!
multilink bundle-name authenticated
license udi pid CISCO881-K9 sn 1234567890
license boot module c880-data level advipservices
!
object-group service INTERNAL_UTM_SERVICE 
!
object-group network Others_dst_net 
 any
!
object-group network Others_src_net 
 any
!
object-group service Others_svc 
 ip
!
object-group network Web_dst_net 
 any
!
object-group network Web_src_net 
 any
!
object-group service Web_svc 
 ip
!
object-group network allowall_dst_net 
 any
!
object-group network allowall_src_net 
 any
!
object-group service allowall_svc 
 ip
!
object-group network local_cws_net 
!
object-group network local_lan_subnets 
 10.10.10.0 255.255.255.128
!
object-group network vpn_remote_subnets 
 10.2.0.0 255.255.0.0
!
username admin privilege 15 secret 5 myencryptedpassword
!
! Authorization policy referenced by the IKEv2 profile below. "route set
! interface Vlan1" advertises the Vlan1 subnet to the peer through the IKEv2
! configuration payload — presumably the INFORMATIONAL [ CPS(SUBNET) ] seen
! in the strongSwan log right after IKE_AUTH.
crypto ikev2 authorization policy authpolicy1 
 route set interface Vlan1
!
! IKE_SA proposal offered to every peer. sha1/md5 integrity and group 2
! (1024-bit MODP) are deprecated; once the strongSwan tunnel is stable,
! trim this to sha256 or better and group 14 or larger on both ends so the
! weak options are no longer negotiable.
crypto ikev2 proposal default
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha512 sha384 sha256 sha1 md5
 group 5 2
!
! Default IKEv2 policy: applies the proposal above regardless of front-door VRF.
crypto ikev2 policy default
 match fvrf any
 proposal default
!
! Keyring holding the PSK for the single strongSwan peer, selected by the
! peer's address/identity. NOTE(review): the secret is shown in the clear even
! though "service password-encryption" is set — that command only obfuscates
! line/user passwords; IKEv2 keyring secrets need the separate type-6 AES
! key-encryption feature to be stored encrypted (verify on the device). Treat
! any config dump as sensitive; the value here is a placeholder.
crypto ikev2 keyring key
 peer SITE-KEY
  address ip.add.res.s1
  identity address ip.add.res.s1
  pre-shared-key MyPaSsWoRd
!
! IKEv2 profile: accepts only the strongSwan gateway's address as the remote
! IKE identity, PSK authentication in both directions, keyring and
! authorization policy from above. Because the match is on an address
! identity, the strongSwan conn must keep its default (IP-based) leftid;
! the log confirms it authenticates as 'ip.add.res.s1'.
crypto ikev2 profile prof
 match identity remote address ip.add.res.s1 255.255.255.255 
 authentication remote pre-share
 authentication local pre-share
 keyring local key
 aaa authorization group psk list local-group-author-list authpolicy1
!
! Router-side liveness check every 10s (2s retry), independent of strongSwan's
! dpddelay=30; this is the empty INFORMATIONAL request seen every ~10s in the log.
crypto ikev2 dpd 10 2 periodic
!
no cdp run
!
class-map type inspect match-any INTERNAL_DOMAIN_FILTER
 match protocol msnmsgr
 match protocol ymsgr
class-map type inspect match-any Others_app
 match protocol https
 match protocol smtp
 match protocol pop3
 match protocol imap
 match protocol sip
 match protocol ftp
 match protocol dns
 match protocol icmp
class-map type inspect match-all allowall
  description Allow All Traffic
 match access-group name allowall_acl
class-map type inspect match-any Web_app
 match protocol http
class-map type inspect match-all Others
 match class-map Others_app
 match access-group name Others_acl
class-map type inspect match-all Web
 match class-map Web_app
 match access-group name Web_acl
!
policy-map type inspect LAN-WAN-POLICY
 class type inspect allowall
  inspect 
 class type inspect Web
  inspect 
 class type inspect Others
  inspect 
 class type inspect INTERNAL_DOMAIN_FILTER
  inspect 
 class class-default
  drop log
!
! Zone-based firewall. Only the LAN->WAN pair has an inspect policy; Tunnel0
! sits in zone VPN, and there is no LAN<->VPN zone-pair, so traffic between
! the LAN and the tunnel is dropped by default. That is a likely reason the
! tunnel comes up but no traffic passes — confirm with the ZBF drop counters.
zone security LAN
zone security WAN
zone security VPN
zone security DMZ
zone-pair security LAN-WAN source LAN destination WAN
 service-policy type inspect LAN-WAN-POLICY
!
! ESP transform: AES-128-CBC with HMAC-SHA1, tunnel mode. On the strongSwan
! side only the aes128-sha1-* entries of the ciscotest esp= list can match.
crypto ipsec transform-set test_trans esp-aes esp-sha-hmac 
 mode tunnel
!
! IPsec profile bound to Tunnel0. No "set pfs" is configured, consistent with
! the CREATE_CHILD_SA requests in the strongSwan log carrying no KE payload;
! the strongSwan esp= proposals for this peer all request a DH group, so
! verify which side's expectation is actually applied on rekey.
crypto ipsec profile test_profile
 set transform-set test_trans 
 set ikev2-profile prof
!
! VTI to the strongSwan gateway. Two things worth checking for the
! "tunnel up, no traffic" symptom:
!  - 10.10.10.1/24 here overlaps Vlan1's 10.10.10.1/29, and this /24 is
!    exactly the subnet strongSwan negotiates as rightsubnet;
!  - no route for 10.2.0.0/16 points at Tunnel0 (only the default route via
!    ip.add.res.s4 is visible), so LAN traffic for the remote site would
!    presumably follow the default route out FastEthernet4 rather than
!    enter the VTI — confirm with "show ip route".
interface Tunnel0
 ip address 10.10.10.1 255.255.255.0
 zone-member security VPN
 tunnel source FastEthernet4
 tunnel mode ipsec ipv4
 tunnel destination ip.add.res.s1
 tunnel protection ipsec profile test_profile
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 description PrimaryWANDesc_
 ip address ip.add.res.s4 255.255.255.252
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly in
 zone-member security WAN
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 10.10.10.1 255.255.255.248
 ip nbar protocol-discovery
 ip flow monitor application-mon input
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 zone-member security LAN
 ip tcp adjust-mss 1452
 load-interval 30
!
ip forward-protocol nd
! Management web UI (CCP Express) on both plain HTTP and HTTPS, limited by
! access-list 23 to the LAN /29. Once CCP Express is no longer needed over
! plain HTTP, keep only "ip http secure-server".
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list nat-list interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 ip.add.res.s4
!
ip access-list extended INTRANET-WHITELIST
 permit ip any 10.2.0.0 0.0.255.255
ip access-list extended Others_acl
 permit object-group Others_svc object-group Others_src_net object-group Others_dst_net
ip access-list extended Web_acl
 permit object-group Web_svc object-group Web_src_net object-group Web_dst_net
ip access-list extended allowall_acl
 permit object-group allowall_svc object-group allowall_src_net object-group allowall_dst_net
! NAT exemption: LAN -> remote VPN subnet (10.2.0.0/16) keeps its private
! source address so it can be tunneled; everything else from the LAN is
! PAT'd out FastEthernet4.
ip access-list extended nat-list
 deny   ip object-group local_lan_subnets object-group vpn_remote_subnets
 permit ip object-group local_lan_subnets any
 deny   ip any any
!
!
access-list 23 permit 10.10.10.0 0.0.0.7
!
!
!
control-plane
!
!
banner exec 
% Password expiration warning.
-----------------------------------------------------------------------
[SNIP]
-----------------------------------------------------------------------

banner login 
-----------------------------------------------------------------------
[SNIP]
-----------------------------------------------------------------------

!
line con 0
 no modem enable
line aux 0
! VTY access is limited by access-list 23 to the LAN /29, but telnet is still
! accepted and a successful login lands directly at privilege 15. Prefer
! "transport input ssh" on both VTY ranges.
line vty 0 4
 access-class 23 in
 privilege level 15
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 transport input telnet ssh
!
ntp master
ntp server 0.north-america.pool.ntp.org
!
end

———————————————————————————————————————————————————————————

strongSwan logs (charon output as written to the system log):

Nov 28 21:35:07 site1 charon: 05[NET] received packet: from ip.add.res.s3[500] to ip.add.res.s1[500] (508 bytes) 
Nov 28 21:35:07 site1 charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) ] 
Nov 28 21:35:07 site1 charon: 05[IKE] received Cisco Delete Reason vendor ID 
Nov 28 21:35:07 site1 charon: 05[ENC] received unknown vendor ID: 46:4c:45:58:56:50:4e:2d:53:55:50:50:4f:52:54:45:44 
Nov 28 21:35:08 site1 charon: 05[IKE] ip.add.res.s3 is initiating an IKE_SA 
Nov 28 21:35:08 site1 charon: 05[IKE] ip.add.res.s3 is initiating an IKE_SA 
Nov 28 21:35:08 site1 charon: 05[IKE] sending cert request for "C=US, ST=ZZ, L=site1, O=myco, OU=Engineering Dept, CN=myco CA, E=tomr at myco.com" 
Nov 28 21:35:08 site1 charon: 05[IKE] sending cert request for "C=US, ST=ZZ, L=site2, O=myco, OU=Engineering Dept, CN=myco CA, E=tomr at myco.com" 
Nov 28 21:35:08 site1 charon: 05[IKE] sending cert request for "C=US, ST=ZZ, L=site3, O=myco, OU=Engineering Dept, CN=myco CA, E=tomr at myco.com" 
Nov 28 21:35:08 site1 charon: 05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ] 
Nov 28 21:35:08 site1 charon: 05[NET] sending packet: from ip.add.res.s1[500] to ip.add.res.s3[500] (441 bytes) 
Nov 28 21:35:08 site1 charon: 16[NET] received packet: from ip.add.res.s3[500] to ip.add.res.s1[500] (624 bytes) 
Nov 28 21:35:09 site1 charon: 16[ENC] unknown attribute type (28692) 
Nov 28 21:35:09 site1 charon: 16[ENC] parsed IKE_AUTH request 1 [ V IDi AUTH CPRQ(DNS DNS NBNS NBNS SUBNET DNS6 SUBNET6 VER U_SPLITDNS U_BANNER (28692) U_BKPSRV U_DEFDOM) SA TSi TSr N(INIT_CONTACT) N(SET_WINSIZE) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ] 
Nov 28 21:35:09 site1 charon: 16[CFG] looking for peer configs matching ip.add.res.s1[%any]...ip.add.res.s3[ip.add.res.s3] 
Nov 28 21:35:09 site1 charon: 16[CFG] selected peer config 'ciscotest' 
Nov 28 21:35:09 site1 charon: 16[IKE] tried 1 shared key for '%any' - 'ip.add.res.s3', but MAC mismatched 
Nov 28 21:35:09 site1 charon: 16[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding 
Nov 28 21:35:10 site1 charon: 16[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ] 
Nov 28 21:35:10 site1 charon: 16[NET] sending packet: from ip.add.res.s1[500] to ip.add.res.s3[500] (96 bytes) 
Nov 28 21:35:16 site1 charon: 01[NET] received packet: from ip.add.res.s3[500] to ip.add.res.s1[500] (508 bytes) 
Nov 28 21:35:16 site1 charon: 01[ENC] parsed IKE_SA_INIT request 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) ] 
Nov 28 21:35:16 site1 charon: 01[IKE] received Cisco Delete Reason vendor ID 
Nov 28 21:35:16 site1 charon: 01[ENC] received unknown vendor ID: 46:4c:45:58:56:50:4e:2d:53:55:50:50:4f:52:54:45:44 
Nov 28 21:35:16 site1 charon: 01[IKE] ip.add.res.s3 is initiating an IKE_SA 
Nov 28 21:35:16 site1 charon: 01[IKE] ip.add.res.s3 is initiating an IKE_SA 
Nov 28 21:35:16 site1 charon: 01[IKE] sending cert request for "C=US, ST=ZZ, L=site1, O=myco, OU=Engineering Dept, CN=myco CA, E=tomr at myco.com" 
Nov 28 21:35:17 site1 charon: 01[IKE] sending cert request for "C=US, ST=ZZ, L=site2, O=myco, OU=Engineering Dept, CN=myco CA, E=tomr at myco.com" 
Nov 28 21:35:17 site1 charon: 01[IKE] sending cert request for "C=US, ST=ZZ, L=site3, O=myco, OU=Engineering Dept, CN=myco CA, E=tomr at myco.com" 
Nov 28 21:35:17 site1 charon: 01[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ] 
Nov 28 21:35:17 site1 charon: 01[NET] sending packet: from ip.add.res.s1[500] to ip.add.res.s3[500] (441 bytes) 
Nov 28 21:35:17 site1 charon: 06[NET] received packet: from ip.add.res.s3[500] to ip.add.res.s1[500] (624 bytes) 
Nov 28 21:35:17 site1 charon: 06[ENC] unknown attribute type (28692) 
Nov 28 21:35:17 site1 charon: 06[ENC] parsed IKE_AUTH request 1 [ V IDi AUTH CPRQ(DNS DNS NBNS NBNS SUBNET DNS6 SUBNET6 VER U_SPLITDNS U_BANNER (28692) U_BKPSRV U_DEFDOM) SA TSi TSr N(INIT_CONTACT) N(SET_WINSIZE) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ] 
Nov 28 21:35:18 site1 charon: 06[CFG] looking for peer configs matching ip.add.res.s1[%any]...ip.add.res.s3[ip.add.res.s3] 
Nov 28 21:35:18 site1 charon: 06[CFG] selected peer config 'ciscotest' 
Nov 28 21:35:18 site1 charon: 06[IKE] authentication of 'ip.add.res.s3' with pre-shared key successful 
Nov 28 21:35:18 site1 charon: 06[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding 
Nov 28 21:35:18 site1 charon: 06[IKE] authentication of 'ip.add.res.s1' (myself) with pre-shared key 
Nov 28 21:35:18 site1 charon: 06[IKE] IKE_SA ciscotest[218] established between ip.add.res.s1[ip.add.res.s1]...ip.add.res.s3[ip.add.res.s3] 
Nov 28 21:35:18 site1 charon: 06[IKE] IKE_SA ciscotest[218] established between ip.add.res.s1[ip.add.res.s1]...ip.add.res.s3[ip.add.res.s3] 
Nov 28 21:35:18 site1 charon: 06[IKE] scheduling reauthentication in 9901s 
Nov 28 21:35:19 site1 charon: 06[IKE] maximum IKE_SA lifetime 10441s 
Nov 28 21:35:19 site1 charon: 06[IKE] CHILD_SA ciscotest{972} established with SPIs cd9d4ba9_i 927d8324_o and TS 10.2.0.0/16 === 10.10.10.0/24  
Nov 28 21:35:19 site1 charon: 06[IKE] CHILD_SA ciscotest{972} established with SPIs cd9d4ba9_i 927d8324_o and TS 10.2.0.0/16 === 10.10.10.0/24  
Nov 28 21:35:19 site1 vpn: client+ ip.add.res.s3 10.10.10.0/24 == ip.add.res.s3 -- ip.add.res.s1 == 10.2.0.0/16
Nov 28 21:35:19 site1 vpn: tunnel+ ip.add.res.s3 -- ip.add.res.s1
Nov 28 21:35:19 site1 vpn: snat+ red0-ip.add.res.s1 : 10.10.10.0/24 - 10.2.0.1
Nov 28 21:35:19 site1 charon: 06[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ] 
Nov 28 21:35:20 site1 charon: 06[NET] sending packet: from ip.add.res.s1[500] to ip.add.res.s3[500] (272 bytes) 
Nov 28 21:35:20 site1 charon: 03[MGR] ignoring request with ID 1, already processing 
Nov 28 21:35:20 site1 charon: 04[NET] received packet: from ip.add.res.s3[500] to ip.add.res.s1[500] (112 bytes) 
Nov 28 21:35:20 site1 charon: 04[ENC] parsed INFORMATIONAL request 2 [ CPS(SUBNET) ] 
Nov 28 21:35:20 site1 charon: 04[ENC] generating INFORMATIONAL response 2 [ ] 
Nov 28 21:35:20 site1 charon: 04[NET] sending packet: from ip.add.res.s1[500] to ip.add.res.s3[500] (96 bytes) 
Nov 28 21:35:28 site1 charon: 14[NET] received packet: from ip.add.res.s3[500] to ip.add.res.s1[500] (96 bytes) 
Nov 28 21:35:28 site1 charon: 14[ENC] parsed INFORMATIONAL request 3 [ ] 
Nov 28 21:35:28 site1 charon: 14[ENC] generating INFORMATIONAL response 3 [ ] 
Nov 28 21:35:29 site1 charon: 14[NET] sending packet: from ip.add.res.s1[500] to ip.add.res.s3[500] (96 bytes) 
Nov 28 21:35:38 site1 charon: 15[NET] received packet: from ip.add.res.s3[500] to ip.add.res.s1[500] (96 bytes) 
Nov 28 21:35:38 site1 charon: 15[ENC] parsed INFORMATIONAL request 4 [ ] 
Nov 28 21:35:39 site1 charon: 15[ENC] generating INFORMATIONAL response 4 [ ] 
Nov 28 21:35:39 site1 charon: 15[NET] sending packet: from ip.add.res.s1[500] to ip.add.res.s3[500] (96 bytes) 
Nov 28 21:35:48 site1 charon: 14[NET] received packet: from ip.add.res.s3[500] to ip.add.res.s1[500] (96 bytes) 
Nov 28 21:35:48 site1 charon: 14[ENC] parsed INFORMATIONAL request 5 [ ] 
Nov 28 21:35:49 site1 charon: 14[ENC] generating INFORMATIONAL response 5 [ ] 
Nov 28 21:35:49 site1 charon: 14[NET] sending packet: from ip.add.res.s1[500] to ip.add.res.s3[500] (96 bytes) 
Nov 28 21:35:58 site1 charon: 16[NET] received packet: from ip.add.res.s3[500] to ip.add.res.s1[500] (96 bytes) 
Nov 28 21:35:58 site1 charon: 16[ENC] parsed INFORMATIONAL request 6 [ ] 
Nov 28 21:35:59 site1 charon: 16[ENC] generating INFORMATIONAL response 6 [ ] 
Nov 28 21:35:59 site1 charon: 16[NET] sending packet: from ip.add.res.s1[500] to ip.add.res.s3[500] (96 bytes) 
Nov 28 21:36:08 site1 charon: 15[NET] received packet: from ip.add.res.s3[500] to ip.add.res.s1[500] (96 bytes) 
Nov 28 21:36:09 site1 charon: 15[ENC] parsed INFORMATIONAL request 7 [ ] 
Nov 28 21:36:09 site1 charon: 15[ENC] generating INFORMATIONAL response 7 [ ] 
Nov 28 21:36:09 site1 charon: 15[NET] sending packet: from ip.add.res.s1[500] to ip.add.res.s3[500] (96 bytes) 
Nov 28 21:36:16 site1 charon: 04[NET] received packet: from ip.add.res.s3[500] to ip.add.res.s1[500] (224 bytes) 
Nov 28 21:36:16 site1 charon: 04[ENC] parsed CREATE_CHILD_SA request 8 [ SA No TSi TSr ] 
Nov 28 21:36:17 site1 charon: 04[IKE] CHILD_SA ciscotest{973} established with SPIs c54b639d_i ca4c6022_o and TS 10.2.0.0/16 === 10.10.10.0/24  
Nov 28 21:36:17 site1 charon: 04[IKE] CHILD_SA ciscotest{973} established with SPIs c54b639d_i ca4c6022_o and TS 10.2.0.0/16 === 10.10.10.0/24  
Nov 28 21:36:17 site1 vpn: client+ ip.add.res.s3 10.10.10.0/24 == ip.add.res.s3 -- ip.add.res.s1 == 10.2.0.0/16
Nov 28 21:36:17 site1 vpn: tunnel+ ip.add.res.s3 -- ip.add.res.s1
Nov 28 21:36:17 site1 vpn: snat+ red0-ip.add.res.s1 : 10.10.10.0/24 - 10.2.0.1
Nov 28 21:36:17 site1 charon: 04[ENC] generating CREATE_CHILD_SA response 8 [ SA No TSi TSr ] 
Nov 28 21:36:17 site1 charon: 04[NET] sending packet: from ip.add.res.s1[500] to ip.add.res.s3[500] (224 bytes) 
Nov 28 21:36:18 site1 charon: 11[NET] received packet: from ip.add.res.s3[500] to ip.add.res.s1[500] (96 bytes) 
Nov 28 21:36:19 site1 charon: 11[ENC] parsed INFORMATIONAL request 9 [ ] 
Nov 28 21:36:19 site1 charon: 11[ENC] generating INFORMATIONAL response 9 [ ] 
Nov 28 21:36:19 site1 charon: 11[NET] sending packet: from ip.add.res.s1[500] to ip.add.res.s3[500] (96 bytes) 
Nov 28 21:36:28 site1 charon: 13[NET] received packet: from ip.add.res.s3[500] to ip.add.res.s1[500] (96 bytes) 
Nov 28 21:36:29 site1 charon: 13[ENC] parsed INFORMATIONAL request 10 [ ] 
Nov 28 21:36:29 site1 charon: 13[ENC] generating INFORMATIONAL response 10 [ ] 
Nov 28 21:36:29 site1 charon: 13[NET] sending packet: from ip.add.res.s1[500] to ip.add.res.s3[500] (96 bytes) 
Nov 28 21:36:38 site1 charon: 03[NET] received packet: from ip.add.res.s3[500] to ip.add.res.s1[500] (96 bytes) 
Nov 28 21:36:39 site1 charon: 03[ENC] parsed INFORMATIONAL request 11 [ ] 
Nov 28 21:36:39 site1 charon: 03[ENC] generating INFORMATIONAL response 11 [ ] 
Nov 28 21:36:39 site1 charon: 03[NET] sending packet: from ip.add.res.s1[500] to ip.add.res.s3[500] (96 bytes) 
Nov 28 21:36:48 site1 charon: 11[NET] received packet: from ip.add.res.s3[500] to ip.add.res.s1[500] (96 bytes) 
Nov 28 21:36:49 site1 charon: 11[ENC] parsed INFORMATIONAL request 12 [ ] 
Nov 28 21:36:49 site1 charon: 11[ENC] generating INFORMATIONAL response 12 [ ] 
Nov 28 21:36:49 site1 charon: 11[NET] sending packet: from ip.add.res.s1[500] to ip.add.res.s3[500] (96 bytes) 
Nov 28 21:36:58 site1 charon: 16[NET] received packet: from ip.add.res.s3[500] to ip.add.res.s1[500] (96 bytes) 
Nov 28 21:36:59 site1 charon: 16[ENC] parsed INFORMATIONAL request 13 [ ] 
Nov 28 21:36:59 site1 charon: 16[ENC] generating INFORMATIONAL response 13 [ ] 
Nov 28 21:37:00 site1 charon: 16[NET] sending packet: from ip.add.res.s1[500] to ip.add.res.s3[500] (96 bytes) 
Nov 28 21:37:09 site1 charon: 15[NET] received packet: from ip.add.res.s3[500] to ip.add.res.s1[500] (96 bytes) 
Nov 28 21:37:09 site1 charon: 15[ENC] parsed INFORMATIONAL request 14 [ ] 
Nov 28 21:37:09 site1 charon: 15[ENC] generating INFORMATIONAL response 14 [ ] 
Nov 28 21:37:09 site1 charon: 15[NET] sending packet: from ip.add.res.s1[500] to ip.add.res.s3[500] (96 bytes) 
Nov 28 21:37:17 site1 charon: 14[NET] received packet: from ip.add.res.s3[500] to ip.add.res.s1[500] (224 bytes) 
Nov 28 21:37:17 site1 charon: 14[ENC] parsed CREATE_CHILD_SA request 15 [ SA No TSi TSr ] 
Nov 28 21:37:17 site1 charon: 14[IKE] CHILD_SA ciscotest{974} established with SPIs c81b266c_i b563d7f6_o and TS 10.2.0.0/16 === 10.10.10.0/24  
Nov 28 21:37:17 site1 charon: 14[IKE] CHILD_SA ciscotest{974} established with SPIs c81b266c_i b563d7f6_o and TS 10.2.0.0/16 === 10.10.10.0/24  
Nov 28 21:37:17 site1 vpn: client+ ip.add.res.s3 10.10.10.0/24 == ip.add.res.s3 -- ip.add.res.s1 == 10.2.0.0/16
Nov 28 21:37:17 site1 vpn: tunnel+ ip.add.res.s3 -- ip.add.res.s1
Nov 28 21:37:18 site1 vpn: snat+ red0-ip.add.res.s1 : 10.10.10.0/24 - 10.2.0.1




