[strongSwan] Connection established but no traffic coming for auto=route

abi abi at abinet.ru
Thu Aug 25 09:11:22 CEST 2016


Hello, 

I have a generic road warrior setup with virtual IPs between a FreeBSD 10.2
server and a FreeBSD 11-RC1 laptop. The issue is that if I set the client to
auto=route, the connection is established, but no traffic comes through the
tunnel (hooks are installed, so it just times out). The very same
config is working flawlessly with auto=start.

Client config: 

conn abinet
        keyexchange=ikev2
        authby=pubkey
        left=%any
        leftsourceip=%config
        leftid="xxx"
        leftcert=ipsec-sphinx-cert.pem
        right=xxx
        rightid="xxx"
        rightsubnet=0.0.0.0/0
        ikelifetime = 24h
        rekey=yes
        fragmentation=yes
        lifetime = 60m
        dpdaction=restart
        auto=start   # auto=route here is not working.

Logs for auto=route (tunnel not working):

Aug 25 16:31:58 sphinx doas: xxx ran command service strongswan
onerestart as root from /home/xxx
Aug 25 16:31:58 sphinx charon: 00[DMN] signal of type SIGINT received.
Shutting down
Aug 25 16:31:58 sphinx charon: 00[IKE] deleting IKE_SA xxx[1] between
192.168.43.190[C=RU, O=xxx, CN=sphinx.xxx]...xxx[C=RU, O=xxx, CN=xxx]
Aug 25 16:31:58 sphinx charon: 00[IKE] sending DELETE for IKE_SA xxx[1]
Aug 25 16:31:58 sphinx charon: 00[ENC] generating INFORMATIONAL request
2 [ D ]
Aug 25 16:31:58 sphinx charon: 00[NET] sending packet: from
192.168.43.190[4500] to xxx[4500] (76 bytes)
Aug 25 16:31:58 sphinx charon: 00[IKE] removing DNS server 10.0.10.1 via
resolvconf
Aug 25 16:31:58 sphinx charon: 02[KNL] interface tun0 deactivated
Aug 25 16:31:58 sphinx ipsec_starter[8492]: charon stopped after 200 ms
Aug 25 16:31:58 sphinx ipsec_starter[8492]: ipsec starter stopped
Aug 25 16:32:01 sphinx ipsec_starter[53226]: Starting strongSwan 5.5.0
IPsec [starter]...
Aug 25 16:32:01 sphinx ipsec_starter[53226]: no netkey IPsec stack
detected
Aug 25 16:32:01 sphinx ipsec_starter[53226]: no KLIPS IPsec stack
detected
Aug 25 16:32:01 sphinx ipsec_starter[53226]: no known IPsec stack
detected, ignoring!
Aug 25 16:32:01 sphinx charon: 00[DMN] Starting IKE charon daemon
(strongSwan 5.5.0, FreeBSD 11.0-RC1, amd64)
Aug 25 16:32:01 sphinx charon: 00[NET] could not open socket: Address
family not supported by protocol family
Aug 25 16:32:01 sphinx charon: 00[NET] could not open IPv6 socket, IPv6
disabled
Aug 25 16:32:01 sphinx charon: 00[CFG] loading ca certificates from
'/usr/local/etc/ipsec.d/cacerts'
Aug 25 16:32:01 sphinx charon: 00[CFG]   loaded ca certificate "C=RU,
O=xxx, CN=xxx CA" from
'/usr/local/etc/ipsec.d/cacerts/ipsec-ca-cert.pem'
Aug 25 16:32:01 sphinx charon: 00[CFG] loading aa certificates from
'/usr/local/etc/ipsec.d/aacerts'
Aug 25 16:32:01 sphinx charon: 00[CFG] loading ocsp signer certificates
from '/usr/local/etc/ipsec.d/ocspcerts'
Aug 25 16:32:01 sphinx charon: 00[CFG] loading attribute certificates
from '/usr/local/etc/ipsec.d/acerts'
Aug 25 16:32:01 sphinx charon: 00[CFG] loading crls from
'/usr/local/etc/ipsec.d/crls'
Aug 25 16:32:01 sphinx charon: 00[CFG] loading secrets from
'/usr/local/etc/ipsec.secrets'
Aug 25 16:32:01 sphinx charon: 00[CFG]   loaded RSA private key from
'/usr/local/etc/ipsec.d/private/ipsec-sphinx-key.pem'
Aug 25 16:32:01 sphinx charon: 00[LIB] loaded plugins: charon aes des
blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints
pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf
xcbc cmac hmac attr kernel-pfkey kernel-pfroute resolve socket-default
stroke updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-ttls
eap-peap whitelist addrblock
Aug 25 16:32:01 sphinx charon: 00[JOB] spawning 16 worker threads
Aug 25 16:32:01 sphinx ipsec_starter[53281]: charon (53282) started
after 40 ms
Aug 25 16:32:01 sphinx charon: 05[CFG] received stroke: add connection
'xxx'
Aug 25 16:32:01 sphinx charon: 05[CFG]   loaded certificate "C=RU,
O=xxx, CN=sphinx.xxx" from 'ipsec-sphinx-cert.pem'
Aug 25 16:32:01 sphinx charon: 05[CFG] added configuration 'xxx'
Aug 25 16:32:01 sphinx charon: 05[CFG] received stroke: route 'xxx'
Aug 25 16:32:01 sphinx ipsec_starter[53281]: 'xxx' routed
Aug 25 16:32:01 sphinx ipsec_starter[53281]: 
Aug 25 16:32:01 sphinx charon: 14[KNL] creating acquire job for policy
192.168.43.190/32 === xxx/32 with reqid {1}
Aug 25 16:32:01 sphinx charon: 14[IKE] initiating IKE_SA xxx[1] to xxx
Aug 25 16:32:01 sphinx charon: 14[ENC] generating IKE_SA_INIT request 0
[ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG)
N(REDIR_SUP) ]
Aug 25 16:32:01 sphinx charon: 14[NET] sending packet: from
192.168.43.190[500] to xxx[500] (1156 bytes)
Aug 25 16:32:01 sphinx charon: 14[NET] received packet: from xxx[500] to
192.168.43.190[500] (38 bytes)
Aug 25 16:32:01 sphinx charon: 14[ENC] parsed IKE_SA_INIT response 0 [
N(INVAL_KE) ]
Aug 25 16:32:01 sphinx charon: 14[IKE] peer didn't accept DH group
MODP_3072, it requested MODP_2048
Aug 25 16:32:01 sphinx charon: 14[IKE] initiating IKE_SA xxx[1] to xxx
Aug 25 16:32:01 sphinx charon: 14[ENC] generating IKE_SA_INIT request 0
[ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG)
N(REDIR_SUP) ]
Aug 25 16:32:01 sphinx charon: 14[NET] sending packet: from
192.168.43.190[500] to xxx[500] (1028 bytes)
Aug 25 16:32:01 sphinx charon: 14[NET] received packet: from xxx[500] to
192.168.43.190[500] (489 bytes)
Aug 25 16:32:01 sphinx charon: 14[ENC] parsed IKE_SA_INIT response 0 [
SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG)
N(MULT_AUTH) ]
Aug 25 16:32:01 sphinx charon: 14[IKE] local host is behind NAT, sending
keep alives
Aug 25 16:32:01 sphinx charon: 14[IKE] received cert request for "C=RU,
O=xxx, CN=xxx CA"
Aug 25 16:32:01 sphinx charon: 14[IKE] sending cert request for "C=RU,
O=xxx, CN=xxx CA"
Aug 25 16:32:01 sphinx charon: 14[IKE] authentication of 'C=RU, O=xxx,
CN=sphinx.xxx' (myself) with RSA_EMSA_PKCS1_SHA256 successful
Aug 25 16:32:01 sphinx charon: 14[IKE] sending end entity cert "C=RU,
O=xxx, CN=sphinx.xxx"
Aug 25 16:32:01 sphinx charon: 14[IKE] establishing CHILD_SA xxx
Aug 25 16:32:01 sphinx charon: 14[ENC] generating IKE_AUTH request 1 [
IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR DNS)
N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH)
N(EAP_ONLY) ]
Aug 25 16:32:01 sphinx charon: 14[ENC] splitting IKE message with length
of 1676 bytes into 4 fragments
Aug 25 16:32:01 sphinx charon: 14[ENC] generating IKE_AUTH request 1 [
EF(1/4) ]
Aug 25 16:32:01 sphinx charon: 14[ENC] generating IKE_AUTH request 1 [
EF(2/4) ]
Aug 25 16:32:01 sphinx charon: 14[ENC] generating IKE_AUTH request 1 [
EF(3/4) ]
Aug 25 16:32:01 sphinx charon: 14[ENC] generating IKE_AUTH request 1 [
EF(4/4) ]
Aug 25 16:32:01 sphinx charon: 14[NET] sending packet: from
192.168.43.190[4500] to xxx[4500] (544 bytes)
Aug 25 16:32:01 sphinx last message repeated 2 times
Aug 25 16:32:01 sphinx charon: 14[NET] sending packet: from
192.168.43.190[4500] to xxx[4500] (240 bytes)
Aug 25 16:32:01 sphinx charon: 14[NET] received packet: from xxx[4500]
to 192.168.43.190[4500] (544 bytes)
Aug 25 16:32:01 sphinx charon: 14[ENC] parsed IKE_AUTH response 1 [
EF(1/3) ]
Aug 25 16:32:01 sphinx charon: 14[ENC] received fragment #1 of 3,
waiting for complete IKE message
Aug 25 16:32:01 sphinx charon: 14[NET] received packet: from xxx[4500]
to 192.168.43.190[4500] (544 bytes)
Aug 25 16:32:01 sphinx charon: 14[ENC] parsed IKE_AUTH response 1 [
EF(2/3) ]
Aug 25 16:32:01 sphinx charon: 14[ENC] received fragment #2 of 3,
waiting for complete IKE message
Aug 25 16:32:01 sphinx charon: 14[NET] received packet: from xxx[4500]
to 192.168.43.190[4500] (416 bytes)
Aug 25 16:32:01 sphinx charon: 14[ENC] parsed IKE_AUTH response 1 [
EF(3/3) ]
Aug 25 16:32:01 sphinx charon: 14[ENC] received fragment #3 of 3,
reassembling fragmented IKE message
Aug 25 16:32:01 sphinx charon: 14[ENC] parsed IKE_AUTH response 1 [ IDr
CERT AUTH CPRP(ADDR DNS) N(ESP_TFC_PAD_N) SA TSi TSr ]
Aug 25 16:32:01 sphinx charon: 14[IKE] received end entity cert "C=RU,
O=xxx, CN=xxx"
Aug 25 16:32:01 sphinx charon: 14[CFG]   using certificate "C=RU, O=xxx,
CN=xxx"
Aug 25 16:32:01 sphinx charon: 14[CFG]   using trusted ca certificate
"C=RU, O=xxx, CN=xxx CA"
Aug 25 16:32:01 sphinx charon: 14[CFG] checking certificate status of
"C=RU, O=xxx, CN=xxx"
Aug 25 16:32:01 sphinx charon: 14[CFG] certificate status is not
available
Aug 25 16:32:01 sphinx charon: 14[CFG]   reached self-signed root ca
with a path length of 0
Aug 25 16:32:01 sphinx charon: 14[IKE] authentication of 'C=RU, O=xxx,
CN=xxx' with RSA_EMSA_PKCS1_SHA256 successful
Aug 25 16:32:01 sphinx charon: 14[IKE] IKE_SA xxx[1] established between
192.168.43.190[C=RU, O=xxx, CN=sphinx.xxx]...xxx[C=RU, O=xxx, CN=xxx]
Aug 25 16:32:01 sphinx charon: 14[IKE] scheduling reauthentication in
85846s
Aug 25 16:32:01 sphinx charon: 14[IKE] maximum IKE_SA lifetime 86386s
Aug 25 16:32:01 sphinx charon: 14[IKE] installing DNS server 10.0.10.1
via resolvconf
Aug 25 16:32:01 sphinx charon: 14[IKE] installing new virtual IP
192.168.2.2
Aug 25 16:32:01 sphinx charon: 14[LIB] created TUN device: tun0
Aug 25 16:32:01 sphinx charon: 05[KNL] interface tun0 appeared
Aug 25 16:32:01 sphinx charon: 05[KNL] interface tun0 activated
Aug 25 16:32:01 sphinx charon: 14[IKE] received
ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Aug 25 16:32:01 sphinx charon: 14[IKE] CHILD_SA xxx{2} established with
SPIs c8213cc5_i cf1d9b0b_o and TS 192.168.2.2/32 === 0.0.0.0/0

Internet:
Destination        Gateway            Flags     Netif Expire
0.0.0.0/1          192.168.43.1       US        wlan0
default            192.168.43.1       UGS       wlan0
xxx     192.168.43.1       UGHS      wlan0
127.0.0.1          link#1             UH          lo0
128.0.0.0/1        192.168.43.1       US        wlan0
192.168.2.2        link#3             UH         tun0
192.168.43.0/24    link#2             U         wlan0
192.168.43.190     link#2             UHS         lo0 

The tunnel itself looks operational; keep-alives are ticking.

Logs for auto=start (works flawlessly):

Aug 25 16:33:47 sphinx doas: xxx ran command service strongswan
onerestart as root from /home/xxx
Aug 25 16:33:47 sphinx charon: 00[DMN] signal of type SIGINT received.
Shutting down
Aug 25 16:33:47 sphinx charon: 00[IKE] deleting IKE_SA xxx[1] between
192.168.43.190[C=RU, O=xxx, CN=sphinx.xxxxxx]...xxx[C=RU, O=xxx,
CN=xxxxxx]
Aug 25 16:33:47 sphinx charon: 00[IKE] sending DELETE for IKE_SA xxx[1]
Aug 25 16:33:47 sphinx charon: 00[ENC] generating INFORMATIONAL request
3 [ D ]
Aug 25 16:33:47 sphinx charon: 00[NET] sending packet: from
192.168.43.190[4500] to xxx[4500] (76 bytes)
Aug 25 16:33:47 sphinx charon: 00[IKE] removing DNS server 10.0.10.1 via
resolvconf
Aug 25 16:33:47 sphinx charon: 16[KNL] interface tun0 deactivated
Aug 25 16:33:47 sphinx charon: 16[KNL] interface tun0 disappeared
Aug 25 16:33:47 sphinx ipsec_starter[53281]: charon stopped after 200 ms
Aug 25 16:33:47 sphinx ipsec_starter[53281]: ipsec starter stopped
Aug 25 16:33:49 sphinx ipsec_starter[53351]: Starting strongSwan 5.5.0
IPsec [starter]...
Aug 25 16:33:49 sphinx ipsec_starter[53351]: no netkey IPsec stack
detected
Aug 25 16:33:49 sphinx ipsec_starter[53351]: no KLIPS IPsec stack
detected
Aug 25 16:33:49 sphinx ipsec_starter[53351]: no known IPsec stack
detected, ignoring!
Aug 25 16:33:49 sphinx charon: 00[DMN] Starting IKE charon daemon
(strongSwan 5.5.0, FreeBSD 11.0-RC1, amd64)
Aug 25 16:33:49 sphinx charon: 00[NET] could not open socket: Address
family not supported by protocol family
Aug 25 16:33:49 sphinx charon: 00[NET] could not open IPv6 socket, IPv6
disabled
Aug 25 16:33:49 sphinx charon: 00[CFG] loading ca certificates from
'/usr/local/etc/ipsec.d/cacerts'
Aug 25 16:33:49 sphinx charon: 00[CFG]   loaded ca certificate "C=RU,
O=xxx, CN=xxxxxx CA" from
'/usr/local/etc/ipsec.d/cacerts/ipsec-ca-cert.pem'
Aug 25 16:33:49 sphinx charon: 00[CFG] loading aa certificates from
'/usr/local/etc/ipsec.d/aacerts'
Aug 25 16:33:49 sphinx charon: 00[CFG] loading ocsp signer certificates
from '/usr/local/etc/ipsec.d/ocspcerts'
Aug 25 16:33:49 sphinx charon: 00[CFG] loading attribute certificates
from '/usr/local/etc/ipsec.d/acerts'
Aug 25 16:33:49 sphinx charon: 00[CFG] loading crls from
'/usr/local/etc/ipsec.d/crls'
Aug 25 16:33:49 sphinx charon: 00[CFG] loading secrets from
'/usr/local/etc/ipsec.secrets'
Aug 25 16:33:49 sphinx charon: 00[CFG]   loaded RSA private key from
'/usr/local/etc/ipsec.d/private/ipsec-sphinx-key.pem'
Aug 25 16:33:49 sphinx charon: 00[LIB] loaded plugins: charon aes des
blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints
pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf
xcbc cmac hmac attr kernel-pfkey kernel-pfroute resolve socket-default
stroke updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-ttls
eap-peap whitelist addrblock
Aug 25 16:33:49 sphinx charon: 00[JOB] spawning 16 worker threads
Aug 25 16:33:49 sphinx ipsec_starter[53406]: charon (53407) started
after 20 ms
Aug 25 16:33:49 sphinx charon: 05[CFG] received stroke: add connection
'xxx'
Aug 25 16:33:49 sphinx charon: 05[CFG]   loaded certificate "C=RU,
O=xxx, CN=sphinx.xxxxxx" from 'ipsec-sphinx-cert.pem'
Aug 25 16:33:49 sphinx charon: 05[CFG] added configuration 'xxx'
Aug 25 16:33:49 sphinx charon: 16[CFG] received stroke: initiate 'xxx'
Aug 25 16:33:49 sphinx charon: 16[IKE] initiating IKE_SA xxx[1] to xxx
Aug 25 16:33:49 sphinx charon: 16[ENC] generating IKE_SA_INIT request 0
[ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG)
N(REDIR_SUP) ]
Aug 25 16:33:49 sphinx charon: 16[NET] sending packet: from
192.168.43.190[500] to xxx[500] (1156 bytes)
Aug 25 16:33:50 sphinx charon: 16[NET] received packet: from xxx[500] to
192.168.43.190[500] (38 bytes)
Aug 25 16:33:50 sphinx charon: 16[ENC] parsed IKE_SA_INIT response 0 [
N(INVAL_KE) ]
Aug 25 16:33:50 sphinx charon: 16[IKE] peer didn't accept DH group
MODP_3072, it requested MODP_2048
Aug 25 16:33:50 sphinx charon: 16[IKE] initiating IKE_SA xxx[1] to xxx
Aug 25 16:33:50 sphinx charon: 16[ENC] generating IKE_SA_INIT request 0
[ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG)
N(REDIR_SUP) ]
Aug 25 16:33:50 sphinx charon: 16[NET] sending packet: from
192.168.43.190[500] to xxx[500] (1028 bytes)
Aug 25 16:33:50 sphinx charon: 16[NET] received packet: from xxx[500] to
192.168.43.190[500] (489 bytes)
Aug 25 16:33:50 sphinx charon: 16[ENC] parsed IKE_SA_INIT response 0 [
SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG)
N(MULT_AUTH) ]
Aug 25 16:33:50 sphinx charon: 16[IKE] local host is behind NAT, sending
keep alives
Aug 25 16:33:50 sphinx charon: 16[IKE] received cert request for "C=RU,
O=xxx, CN=xxxxxx CA"
Aug 25 16:33:50 sphinx charon: 16[IKE] sending cert request for "C=RU,
O=xxx, CN=xxxxxx CA"
Aug 25 16:33:50 sphinx charon: 16[IKE] authentication of 'C=RU, O=xxx,
CN=sphinx.xxxxxx' (myself) with RSA_EMSA_PKCS1_SHA256 successful
Aug 25 16:33:50 sphinx charon: 16[IKE] sending end entity cert "C=RU,
O=xxx, CN=sphinx.xxxxxx"
Aug 25 16:33:50 sphinx charon: 16[IKE] establishing CHILD_SA xxx
Aug 25 16:33:50 sphinx charon: 16[ENC] generating IKE_AUTH request 1 [
IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR DNS)
N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH)
N(EAP_ONLY) ]
Aug 25 16:33:50 sphinx charon: 16[ENC] splitting IKE message with length
of 1644 bytes into 4 fragments
Aug 25 16:33:50 sphinx charon: 16[ENC] generating IKE_AUTH request 1 [
EF(1/4) ]
Aug 25 16:33:50 sphinx charon: 16[ENC] generating IKE_AUTH request 1 [
EF(2/4) ]
Aug 25 16:33:50 sphinx charon: 16[ENC] generating IKE_AUTH request 1 [
EF(3/4) ]
Aug 25 16:33:50 sphinx charon: 16[ENC] generating IKE_AUTH request 1 [
EF(4/4) ]
Aug 25 16:33:50 sphinx charon: 16[NET] sending packet: from
192.168.43.190[4500] to xxx[4500] (544 bytes)
Aug 25 16:33:50 sphinx last message repeated 2 times
Aug 25 16:33:50 sphinx charon: 16[NET] sending packet: from
192.168.43.190[4500] to xxx[4500] (208 bytes)
Aug 25 16:33:50 sphinx charon: 16[NET] received packet: from xxx[4500]
to 192.168.43.190[4500] (544 bytes)
Aug 25 16:33:50 sphinx charon: 16[ENC] parsed IKE_AUTH response 1 [
EF(1/3) ]
Aug 25 16:33:50 sphinx charon: 16[ENC] received fragment #1 of 3,
waiting for complete IKE message
Aug 25 16:33:50 sphinx charon: 15[NET] received packet: from xxx[4500]
to 192.168.43.190[4500] (544 bytes)
Aug 25 16:33:50 sphinx charon: 15[ENC] parsed IKE_AUTH response 1 [
EF(2/3) ]
Aug 25 16:33:50 sphinx charon: 15[ENC] received fragment #2 of 3,
waiting for complete IKE message
Aug 25 16:33:50 sphinx charon: 15[NET] received packet: from xxx[4500]
to 192.168.43.190[4500] (416 bytes)
Aug 25 16:33:50 sphinx charon: 15[ENC] parsed IKE_AUTH response 1 [
EF(3/3) ]
Aug 25 16:33:50 sphinx charon: 15[ENC] received fragment #3 of 3,
reassembling fragmented IKE message
Aug 25 16:33:50 sphinx charon: 15[ENC] parsed IKE_AUTH response 1 [ IDr
CERT AUTH CPRP(ADDR DNS) N(ESP_TFC_PAD_N) SA TSi TSr ]
Aug 25 16:33:50 sphinx charon: 15[IKE] received end entity cert "C=RU,
O=xxx, CN=xxxxxx"
Aug 25 16:33:50 sphinx charon: 15[CFG]   using certificate "C=RU, O=xxx,
CN=xxxxxx"
Aug 25 16:33:50 sphinx charon: 15[CFG]   using trusted ca certificate
"C=RU, O=xxx, CN=xxxxxx CA"
Aug 25 16:33:50 sphinx charon: 15[CFG] checking certificate status of
"C=RU, O=xxx, CN=xxxxxx"
Aug 25 16:33:50 sphinx charon: 15[CFG] certificate status is not
available
Aug 25 16:33:50 sphinx charon: 15[CFG]   reached self-signed root ca
with a path length of 0
Aug 25 16:33:50 sphinx charon: 15[IKE] authentication of 'C=RU, O=xxx,
CN=xxxxxx' with RSA_EMSA_PKCS1_SHA256 successful
Aug 25 16:33:50 sphinx charon: 15[IKE] IKE_SA xxx[1] established between
192.168.43.190[C=RU, O=xxx, CN=sphinx.xxxxxx]...xxx[C=RU, O=xxx,
CN=xxxxxx]
Aug 25 16:33:50 sphinx charon: 15[IKE] scheduling reauthentication in
85841s
Aug 25 16:33:50 sphinx charon: 15[IKE] maximum IKE_SA lifetime 86381s
Aug 25 16:33:50 sphinx charon: 15[IKE] installing DNS server 10.0.10.1
via resolvconf
Aug 25 16:33:50 sphinx charon: 15[IKE] installing new virtual IP
192.168.2.2
Aug 25 16:33:50 sphinx charon: 15[LIB] created TUN device: tun0
Aug 25 16:33:50 sphinx charon: 16[KNL] interface tun0 appeared
Aug 25 16:33:50 sphinx charon: 16[KNL] interface tun0 activated
Aug 25 16:33:50 sphinx charon: 15[IKE] received
ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Aug 25 16:33:50 sphinx charon: 15[IKE] CHILD_SA xxx{1} established with
SPIs cf4bfaa3_i ce858a28_o and TS 192.168.2.2/32 === 0.0.0.0/0 

Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
0.0.0.0/1          192.168.43.1       US         tun0
default            192.168.43.1       UGS       wlan0
xxxxxx          192.168.43.1       UGHS      wlan0
localhost          link#1             UH          lo0
128.0.0.0/1        192.168.43.1       US         tun0
192.168.2.2        link#3             UH         tun0
192.168.43.0/24    link#2             U         wlan0
192.168.43.190     link#2             UHS         lo0 

Logs look the same for me. 

Looks like we should go deeper? I don't understand the difference between
auto=start and auto=route after the tunnel is established. Maybe the route
option has some additional requirements?
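One place the two captures above do differ is the Netif column of the routing tables: in the auto=route capture the half-default routes 0.0.0.0/1 and 128.0.0.0/1 sit on wlan0, while in the auto=start capture they sit on tun0. The following is an added example (not from the post or from strongSwan) that parses both tables exactly as posted and reports the differing interfaces, so the same check can be run against a fresh `netstat -rn` on the laptop; it assumes the tables are reproduced as constructed strings, with `xxx` kept as the redacted server address from the post.

```python
# Constructed copies of the two `netstat -rn` "Internet:" sections posted
# in the thread; "xxx" is the redacted VPN server address from the post.
ROUTES_AUTO_ROUTE = """\
Destination        Gateway            Flags     Netif Expire
0.0.0.0/1          192.168.43.1       US        wlan0
default            192.168.43.1       UGS       wlan0
xxx                192.168.43.1       UGHS      wlan0
127.0.0.1          link#1             UH          lo0
128.0.0.0/1        192.168.43.1       US        wlan0
192.168.2.2        link#3             UH         tun0
192.168.43.0/24    link#2             U         wlan0
192.168.43.190     link#2             UHS         lo0
"""

ROUTES_AUTO_START = """\
Destination        Gateway            Flags     Netif Expire
0.0.0.0/1          192.168.43.1       US         tun0
default            192.168.43.1       UGS       wlan0
xxx                192.168.43.1       UGHS      wlan0
localhost          link#1             UH          lo0
128.0.0.0/1        192.168.43.1       US         tun0
192.168.2.2        link#3             UH         tun0
192.168.43.0/24    link#2             U         wlan0
192.168.43.190     link#2             UHS         lo0
"""

# The two half-default routes that cover rightsubnet=0.0.0.0/0 in both captures.
HALF_DEFAULTS = ("0.0.0.0/1", "128.0.0.0/1")


def parse_routes(table):
    """Map Destination -> (Gateway, Flags, Netif) from a netstat -rn section."""
    routes = {}
    for line in table.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] == "Destination":
            continue  # header, blank, or truncated line
        routes[cols[0]] = (cols[1], cols[2], cols[3])
    return routes


def netif_diff(table_a, table_b):
    """Destinations present in both tables whose Netif differs: {dest: (a, b)}."""
    a, b = parse_routes(table_a), parse_routes(table_b)
    return {d: (a[d][2], b[d][2]) for d in a if d in b and a[d][2] != b[d][2]}


def tunnel_routes_installed(table, tun="tun0"):
    """True only if both half-default routes leave via the TUN device."""
    routes = parse_routes(table)
    return all(d in routes and routes[d][2] == tun for d in HALF_DEFAULTS)


if __name__ == "__main__":
    diff = netif_diff(ROUTES_AUTO_ROUTE, ROUTES_AUTO_START)
    for dest, (broken, ok) in sorted(diff.items()):
        print(f"{dest:14} auto=route -> {broken:6} auto=start -> {ok}")
    print("auto=route tunnel routes:", tunnel_routes_installed(ROUTES_AUTO_ROUTE))
    print("auto=start tunnel routes:", tunnel_routes_installed(ROUTES_AUTO_START))
```

Note that the second capture was taken without `-n` (127.0.0.1 shows as `localhost`), so that entry is not compared; the two half-default routes are the only real difference between the tables.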