[strongSwan] MacOS: IKEv1 fails after wakeup

Harald Dunkel harri at afaics.de
Sat Mar 12 14:41:08 CET 2016


Hi Tobias,

On 03/11/16 10:03, Tobias Brunner wrote:
> 
> One potential issue I hadn't considered so far is that while the client
> is asleep the mapping on the NAT router might time out (it probably does
> not send keepalives while asleep).  So when it reconnects it will do so
> from different source ports from the server's point of view.  Due to
> that the reauthentication detection will not recognize the new SA as
> a reauthentication attempt and therefore not migrate the previous virtual
> IP.  So you'd end up in the same situation as before (i.e. the traffic
> selectors don't match and the CHILD_SA can't be established).  Try to
> compare the client's source ports to see if that's what happens here.
> 

I managed to configure my gateway at home to keep the mapped port number
(UDP) for 24h. This is the code for OpenBSD 5.8 packet filter:

:
pass in  quick on intern proto udp from (intern:network) to <peers> port isakmp      tag RED_INET_IPSEC keep state (if-bound, max 256, udp.multiple 86400)
pass in  quick on intern proto udp from (intern:network) to <peers> port ipsec-nat-t tag RED_INET_IPSEC keep state (if-bound, max 256, udp.multiple 86400)
pass out quick on egress tagged RED_INET_IPSEC
:

Maybe 24h is not reasonable, but at least this fixes the lost
UDP port number for now.

Problem is: Now it fails on the left side with "received quick mode
request for unestablished IKE_SA, ignored" (see the attached logfile).

:
Mar 12 11:55:12 srvl047 charon: 26[IKE] authentication of 'gate1.example.com' (myself) successful
Mar 12 11:55:12 srvl047 charon: 26[IKE] queueing XAUTH task
Mar 12 11:55:12 srvl047 charon: 26[IKE] sending end entity cert "C=DE, ST=NRW, L=Aachen, O=example AG, CN=gate1.example.com/emailAddress=security at example.com"
Mar 12 11:55:12 srvl047 charon: 26[IKE] sending issuer cert "C=DE, O=example AG, OU=example Certificate Authority, CN=ws-example-CA"
Mar 12 11:55:12 srvl047 charon: 26[ENC] generating ID_PROT response 0 [ ID CERT CERT SIG ]
Mar 12 11:55:12 srvl047 charon: 26[NET] sending packet: from 10.0.0.17[4500] to 192.168.0.17[60361] (3708 bytes)
Mar 12 11:55:12 srvl047 charon: 26[IKE] activating new tasks
Mar 12 11:55:12 srvl047 charon: 26[IKE]   activating XAUTH task
Mar 12 11:55:12 srvl047 charon: 03[NET] sending packet: from 10.0.0.17[4500] to 192.168.0.17[60361]
Mar 12 11:55:12 srvl047 charon: 26[IKE] Hash => 20 bytes @ 0x7f3e1c0069b0
Mar 12 11:55:12 srvl047 charon: 26[IKE]    0: 41 2B 58 8B BA C5 FD 1D B2 8F CC 78 F0 83 D9 39  A+X........x...9
Mar 12 11:55:12 srvl047 charon: 26[IKE]   16: 16 01 44 94                                      ..D.
Mar 12 11:55:12 srvl047 charon: 26[ENC] generating TRANSACTION request 34192379 [ HASH CPRQ(X_USER X_PWD) ]
Mar 12 11:55:12 srvl047 charon: 26[NET] sending packet: from 10.0.0.17[4500] to 192.168.0.17[60361] (76 bytes)
Mar 12 11:55:12 srvl047 charon: 03[NET] sending packet: from 10.0.0.17[4500] to 192.168.0.17[60361]
Mar 12 11:55:13 srvl047 charon: 02[NET] received packet: from 192.168.0.17[60361] to 10.0.0.17[4500]
Mar 12 11:55:13 srvl047 charon: 02[NET] waiting for data on sockets
Mar 12 11:55:13 srvl047 charon: 20[NET] received packet: from 192.168.0.17[60361] to 10.0.0.17[4500] (300 bytes)
Mar 12 11:55:13 srvl047 charon: 20[ENC] parsed QUICK_MODE request 3495102926 [ HASH SA No ID ID ]
Mar 12 11:55:13 srvl047 charon: 20[IKE] Hash(1) => 20 bytes @ 0x7f3e34010fb0
Mar 12 11:55:13 srvl047 charon: 20[IKE]    0: 49 7A 47 EE F1 2F B4 F7 D2 8A 1D BB DC 8B CC 9F  IzG../..........
Mar 12 11:55:13 srvl047 charon: 20[IKE]   16: C0 D9 32 69                                      ..2i
Mar 12 11:55:13 srvl047 charon: 20[IKE] received quick mode request for unestablished IKE_SA, ignored
Mar 12 11:55:13 srvl047 charon: 20[IKE] IKE_SA CiscoIPSec[178] state change: CONNECTING => DESTROYING

I have no idea why the Mac opens a new session now, instead of relying
upon the old IKE_SA, but it seems to me that the Mac failed to send
XAuth info. Is this correct?


Every helpful suggestion is highly welcome.
Regards
Harri
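
The two checks discussed in this message (compare the client's source ports across reconnects; see whether the XAuth request was answered before the Quick Mode request arrived) can be run over a charon log as follows. This is an added example, not part of the original post and not strongSwan code; the function names are hypothetical, the sample lines are abridged from the log in the post, and it assumes the log covers a single peer.

```python
import re
from collections import defaultdict

# Abridged from the charon log in the post: first connect (11:20) and the
# attempt after wakeup (11:55).
SAMPLE_LOG = """\
Mar 12 11:20:37 srvl047 charon: 20[NET] received packet: from 192.168.0.17[53195] to 10.0.0.17[500] (668 bytes)
Mar 12 11:20:37 srvl047 charon: 26[NET] received packet: from 192.168.0.17[60361] to 10.0.0.17[4500] (2236 bytes)
Mar 12 11:20:37 srvl047 charon: 26[ENC] generating TRANSACTION request 2917824958 [ HASH CPRQ(X_USER X_PWD) ]
Mar 12 11:20:37 srvl047 charon: 19[ENC] parsed TRANSACTION response 2917824958 [ HASH CPRP(X_USER X_PWD) ]
Mar 12 11:20:37 srvl047 charon: 13[IKE] IKE_SA CiscoIPSec[171] state change: CONNECTING => ESTABLISHED
Mar 12 11:20:38 srvl047 charon: 08[ENC] parsed QUICK_MODE request 4269954720 [ HASH SA No ID ID ]
Mar 12 11:55:12 srvl047 charon: 26[ENC] generating TRANSACTION request 34192379 [ HASH CPRQ(X_USER X_PWD) ]
Mar 12 11:55:13 srvl047 charon: 20[NET] received packet: from 192.168.0.17[60361] to 10.0.0.17[4500] (300 bytes)
Mar 12 11:55:13 srvl047 charon: 20[ENC] parsed QUICK_MODE request 3495102926 [ HASH SA No ID ID ]
Mar 12 11:55:13 srvl047 charon: 20[IKE] received quick mode request for unestablished IKE_SA, ignored
Mar 12 11:55:13 srvl047 charon: 20[IKE] IKE_SA CiscoIPSec[178] state change: CONNECTING => DESTROYING
"""

# syslog prefix, then charon's "<thread>[<group>] <message>"
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s\S+\scharon:\s"
    r"(?P<thr>\d+)\[(?P<grp>\w+)\]\s+(?P<msg>.*)$"
)
PKT = re.compile(r"received packet: from (\S+?)\[(\d+)\] to \S+?\[(\d+)\]")
XAUTH_REQ = re.compile(r"generating TRANSACTION request (\d+) \[.*CPRQ\(X_USER")
XAUTH_RSP = re.compile(r"parsed TRANSACTION response (\d+) \[.*CPRP\(X_USER")
IGNORED_QM = "received quick mode request for unestablished IKE_SA"


def parse(log):
    """Yield (timestamp, log group, message) for every charon line."""
    for raw in log.splitlines():
        m = LINE.match(raw)
        if m:
            yield m.group("ts"), m.group("grp"), m.group("msg")


def source_ports(log):
    """Map (peer IP, local port) -> peer source ports, in order of first use."""
    seen = defaultdict(list)
    for _ts, grp, msg in parse(log):
        m = PKT.search(msg) if grp == "NET" else None
        if m:
            key = (m.group(1), int(m.group(3)))
            sport = int(m.group(2))
            if sport not in seen[key]:
                seen[key].append(sport)
    return dict(seen)


def remapped(log):
    """Peers whose source port changed, i.e. the NAT mapping was lost."""
    return {k: v for k, v in source_ports(log).items() if len(v) > 1}


def ignored_quick_mode(log):
    """For each ignored Quick Mode request, list XAuth requests still unanswered.

    Assumes a single peer in the log, so message IDs are not tracked per IKE_SA.
    """
    pending = {}   # TRANSACTION message ID -> time the XAuth request was sent
    findings = []
    for ts, _grp, msg in parse(log):
        req = XAUTH_REQ.search(msg)
        rsp = XAUTH_RSP.search(msg)
        if req:
            pending[req.group(1)] = ts
        elif rsp:
            pending.pop(rsp.group(1), None)
        elif IGNORED_QM in msg:
            findings.append({"time": ts, "unanswered_xauth": sorted(pending)})
            pending.clear()
    return findings


if __name__ == "__main__":
    for (peer, lport), ports in source_ports(SAMPLE_LOG).items():
        state = "CHANGED" if len(ports) > 1 else "stable"
        print(f"{peer} -> local port {lport}: source ports {ports} ({state})")
    for f in ignored_quick_mode(SAMPLE_LOG):
        print(f"{f['time']}: Quick Mode ignored, "
              f"unanswered XAuth request(s): {f['unanswered_xauth']}")
```

On the abridged log, the port 4500 mapping is the same in both sessions and the ignored Quick Mode request follows an XAuth request that has no logged response.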

-------------- next part --------------
Mar 12 11:20:37 srvl047 charon: 02[NET] received packet: from 192.168.0.17[53195] to 10.0.0.17[500]
Mar 12 11:20:37 srvl047 charon: 02[NET] waiting for data on sockets
Mar 12 11:20:37 srvl047 charon: 20[NET] received packet: from 192.168.0.17[53195] to 10.0.0.17[500] (668 bytes)
Mar 12 11:20:37 srvl047 charon: 20[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
Mar 12 11:20:37 srvl047 charon: 20[CFG] looking for an ike config for 10.0.0.17...192.168.0.17
Mar 12 11:20:37 srvl047 charon: 20[CFG] ike config match: 0 (10.0.0.17 192.168.0.17 IKEv1)
Mar 12 11:20:37 srvl047 charon: 20[CFG] ike config match: 0 (10.0.0.17 192.168.0.17 IKEv1)
Mar 12 11:20:37 srvl047 charon: 20[CFG] ike config match: 1052 (10.0.0.17 192.168.0.17 IKEv1)
Mar 12 11:20:37 srvl047 charon: 20[CFG]   candidate: gate1.example.com...%any, prio 1052
Mar 12 11:20:37 srvl047 charon: 20[CFG] ike config match: 1052 (10.0.0.17 192.168.0.17 IKEv1)
Mar 12 11:20:37 srvl047 charon: 20[CFG]   candidate: gate1.example.com...%any, prio 1052
Mar 12 11:20:37 srvl047 charon: 20[CFG] ike config match: 0 (10.0.0.17 192.168.0.17 IKEv1)
Mar 12 11:20:37 srvl047 charon: 20[CFG] found matching ike config: gate1.example.com...%any with prio 1052
Mar 12 11:20:37 srvl047 charon: 20[IKE] received NAT-T (RFC 3947) vendor ID
Mar 12 11:20:37 srvl047 charon: 20[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Mar 12 11:20:37 srvl047 charon: 20[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Mar 12 11:20:37 srvl047 charon: 20[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Mar 12 11:20:37 srvl047 charon: 20[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Mar 12 11:20:37 srvl047 charon: 20[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Mar 12 11:20:37 srvl047 charon: 20[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Mar 12 11:20:37 srvl047 charon: 20[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Mar 12 11:20:37 srvl047 charon: 20[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Mar 12 11:20:37 srvl047 charon: 20[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Mar 12 11:20:37 srvl047 charon: 20[IKE] received XAuth vendor ID
Mar 12 11:20:37 srvl047 charon: 20[IKE] received Cisco Unity vendor ID
Mar 12 11:20:37 srvl047 charon: 20[IKE] received FRAGMENTATION vendor ID
Mar 12 11:20:37 srvl047 charon: 20[IKE] received DPD vendor ID
Mar 12 11:20:37 srvl047 charon: 20[IKE] 192.168.0.17 is initiating a Main Mode IKE_SA
Mar 12 11:20:37 srvl047 charon: 20[IKE] IKE_SA (unnamed)[171] state change: CREATED => CONNECTING
Mar 12 11:20:37 srvl047 charon: 20[CFG] selecting proposal:
Mar 12 11:20:37 srvl047 charon: 20[CFG]   proposal matches
Mar 12 11:20:37 srvl047 charon: 20[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Mar 12 11:20:37 srvl047 charon: 20[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
Mar 12 11:20:37 srvl047 charon: 20[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
Mar 12 11:20:37 srvl047 charon: 20[IKE] sending strongSwan vendor ID
Mar 12 11:20:37 srvl047 charon: 20[IKE] sending XAuth vendor ID
Mar 12 11:20:37 srvl047 charon: 20[IKE] sending DPD vendor ID
Mar 12 11:20:37 srvl047 charon: 20[IKE] sending NAT-T (RFC 3947) vendor ID
Mar 12 11:20:37 srvl047 charon: 20[ENC] generating ID_PROT response 0 [ SA V V V V ]
Mar 12 11:20:37 srvl047 charon: 20[NET] sending packet: from 10.0.0.17[500] to 192.168.0.17[53195] (156 bytes)
Mar 12 11:20:37 srvl047 charon: 03[NET] sending packet: from 10.0.0.17[500] to 192.168.0.17[53195]
Mar 12 11:20:37 srvl047 charon: 02[NET] received packet: from 192.168.0.17[53195] to 10.0.0.17[500]
Mar 12 11:20:37 srvl047 charon: 02[NET] waiting for data on sockets
Mar 12 11:20:37 srvl047 charon: 29[NET] received packet: from 192.168.0.17[53195] to 10.0.0.17[500] (292 bytes)
Mar 12 11:20:37 srvl047 charon: 29[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Mar 12 11:20:37 srvl047 charon: 29[IKE] natd_chunk => 22 bytes @ 0x7f3e85aadb70
Mar 12 11:20:37 srvl047 charon: 29[IKE]    0: 1F 6A CC 5B 3E A8 17 9B CE 57 96 23 65 F5 9B 9C  .j.[>....W.#e...
Mar 12 11:20:37 srvl047 charon: 29[IKE]   16: 05 91 8E 11 01 F4                                ......
Mar 12 11:20:37 srvl047 charon: 29[IKE] natd_hash => 20 bytes @ 0x7f3e18004c30
Mar 12 11:20:37 srvl047 charon: 29[IKE]    0: DE 33 B8 01 FB 14 F2 9C 51 69 4C 53 9B CC A8 03  .3......QiLS....
Mar 12 11:20:37 srvl047 charon: 29[IKE]   16: D9 3B 88 F1                                      .;..
Mar 12 11:20:37 srvl047 charon: 29[IKE] natd_chunk => 22 bytes @ 0x7f3e85aadb70
Mar 12 11:20:37 srvl047 charon: 29[IKE]    0: 1F 6A CC 5B 3E A8 17 9B CE 57 96 23 65 F5 9B 9C  .j.[>....W.#e...
Mar 12 11:20:37 srvl047 charon: 29[IKE]   16: D9 EB 92 11 CF CB                                ......
Mar 12 11:20:37 srvl047 charon: 29[IKE] natd_hash => 20 bytes @ 0x7f3e18004c50
Mar 12 11:20:37 srvl047 charon: 29[IKE]    0: 84 86 EC D6 50 72 C0 B5 3F DA E3 8F 6D D8 59 A8  ....Pr..?...m.Y.
Mar 12 11:20:37 srvl047 charon: 29[IKE]   16: 79 2A 4E 3E                                      y*N>
Mar 12 11:20:37 srvl047 charon: 29[IKE] precalculated src_hash => 20 bytes @ 0x7f3e18004c50
Mar 12 11:20:37 srvl047 charon: 29[IKE]    0: 84 86 EC D6 50 72 C0 B5 3F DA E3 8F 6D D8 59 A8  ....Pr..?...m.Y.
Mar 12 11:20:37 srvl047 charon: 29[IKE]   16: 79 2A 4E 3E                                      y*N>
Mar 12 11:20:37 srvl047 charon: 29[IKE] precalculated dst_hash => 20 bytes @ 0x7f3e18004c30
Mar 12 11:20:37 srvl047 charon: 29[IKE]    0: DE 33 B8 01 FB 14 F2 9C 51 69 4C 53 9B CC A8 03  .3......QiLS....
Mar 12 11:20:37 srvl047 charon: 29[IKE]   16: D9 3B 88 F1                                      .;..
Mar 12 11:20:37 srvl047 charon: 29[IKE] received dst_hash => 20 bytes @ 0x7f3e18000bd0
Mar 12 11:20:37 srvl047 charon: 29[IKE]    0: DE 33 B8 01 FB 14 F2 9C 51 69 4C 53 9B CC A8 03  .3......QiLS....
Mar 12 11:20:37 srvl047 charon: 29[IKE]   16: D9 3B 88 F1                                      .;..
Mar 12 11:20:37 srvl047 charon: 29[IKE] received src_hash => 20 bytes @ 0x7f3e1800a7f0
Mar 12 11:20:37 srvl047 charon: 29[IKE]    0: 01 8F 8D BE B3 A5 E8 11 E1 0F D7 AA 62 D3 4F 1C  ............b.O.
Mar 12 11:20:37 srvl047 charon: 29[IKE]   16: D2 1E 98 FC                                      ....
Mar 12 11:20:37 srvl047 charon: 29[IKE] remote host is behind NAT
Mar 12 11:20:37 srvl047 charon: 29[IKE] sending cert request for "C=DE, O=example AG, OU=example Certificate Authority, CN=example Root CA"
Mar 12 11:20:37 srvl047 charon: 29[IKE] sending cert request for "C=DE, ST=NRW, L=Aachen, O=example AG, OU=TI, CN=IPsec_ca, E=security at example.com"
Mar 12 11:20:37 srvl047 charon: 29[IKE] sending cert request for "C=DE, O=example AG, OU=example Certificate Authority, CN=ws-example-CA"
Mar 12 11:20:37 srvl047 charon: 29[IKE] natd_chunk => 22 bytes @ 0x7f3e85aadb90
Mar 12 11:20:37 srvl047 charon: 29[IKE]    0: 1F 6A CC 5B 3E A8 17 9B CE 57 96 23 65 F5 9B 9C  .j.[>....W.#e...
Mar 12 11:20:37 srvl047 charon: 29[IKE]   16: D9 EB 92 11 CF CB                                ......
Mar 12 11:20:37 srvl047 charon: 29[IKE] natd_hash => 20 bytes @ 0x7f3e1800a790
Mar 12 11:20:37 srvl047 charon: 29[IKE]    0: 84 86 EC D6 50 72 C0 B5 3F DA E3 8F 6D D8 59 A8  ....Pr..?...m.Y.
Mar 12 11:20:37 srvl047 charon: 29[IKE]   16: 79 2A 4E 3E                                      y*N>
Mar 12 11:20:37 srvl047 charon: 29[IKE] natd_chunk => 22 bytes @ 0x7f3e85aadb90
Mar 12 11:20:37 srvl047 charon: 29[IKE]    0: 1F 6A CC 5B 3E A8 17 9B CE 57 96 23 65 F5 9B 9C  .j.[>....W.#e...
Mar 12 11:20:37 srvl047 charon: 29[IKE]   16: 05 91 8E 11 01 F4                                ......
Mar 12 11:20:37 srvl047 charon: 29[IKE] natd_hash => 20 bytes @ 0x7f3e18002c60
Mar 12 11:20:37 srvl047 charon: 29[IKE]    0: DE 33 B8 01 FB 14 F2 9C 51 69 4C 53 9B CC A8 03  .3......QiLS....
Mar 12 11:20:37 srvl047 charon: 29[IKE]   16: D9 3B 88 F1                                      .;..
Mar 12 11:20:37 srvl047 charon: 29[ENC] generating ID_PROT response 0 [ KE No CERTREQ CERTREQ CERTREQ NAT-D NAT-D ]
Mar 12 11:20:37 srvl047 charon: 29[NET] sending packet: from 10.0.0.17[500] to 192.168.0.17[53195] (653 bytes)
Mar 12 11:20:37 srvl047 charon: 03[NET] sending packet: from 10.0.0.17[500] to 192.168.0.17[53195]
Mar 12 11:20:37 srvl047 charon: 02[NET] received packet: from 192.168.0.17[60361] to 10.0.0.17[4500]
Mar 12 11:20:37 srvl047 charon: 02[NET] waiting for data on sockets
Mar 12 11:20:37 srvl047 charon: 26[NET] received packet: from 192.168.0.17[60361] to 10.0.0.17[4500] (2236 bytes)
Mar 12 11:20:37 srvl047 charon: 26[ENC] parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
Mar 12 11:20:37 srvl047 charon: 26[IKE] ignoring certificate request without data
Mar 12 11:20:37 srvl047 charon: 26[IKE] received end entity cert "C=DE, O=example AG, OU=TI, CN=ppcm018.ws.example.com"
Mar 12 11:20:37 srvl047 charon: 26[CFG] looking for XAuthInitRSA peer configs matching 10.0.0.17...192.168.0.17[C=DE, O=example AG, OU=TI, CN=ppcm018.ws.example.com]
Mar 12 11:20:37 srvl047 charon: 26[CFG] peer config match local: 1 (ID_ANY)
Mar 12 11:20:37 srvl047 charon: 26[CFG] peer config match remote: 1 (ID_DER_ASN1_DN -> 30:4d:31:0b:30:09:06:03:55:04:06:13:02:44:45:31:12:30:10:06:03:55:04:0a:13:09:61:69:78:69:67:6f:20:41:47:31:0b:30:09:06:03:55:04:0b:13:02:54:49:31:1d:30:1b:06:03:55:04:03:13:14:70:70:63:6d:30:31:38:2e:77:73:2e:61:69:78:69:67:6f:2e:64:65)
Mar 12 11:20:37 srvl047 charon: 26[CFG] ike config match: 0 (10.0.0.17 192.168.0.17 IKEv1)
Mar 12 11:20:37 srvl047 charon: 26[CFG] peer config match local: 1 (ID_ANY)
Mar 12 11:20:37 srvl047 charon: 26[CFG] peer config match remote: 1 (ID_DER_ASN1_DN -> 30:4d:31:0b:30:09:06:03:55:04:06:13:02:44:45:31:12:30:10:06:03:55:04:0a:13:09:61:69:78:69:67:6f:20:41:47:31:0b:30:09:06:03:55:04:0b:13:02:54:49:31:1d:30:1b:06:03:55:04:03:13:14:70:70:63:6d:30:31:38:2e:77:73:2e:61:69:78:69:67:6f:2e:64:65)
Mar 12 11:20:37 srvl047 charon: 26[CFG] ike config match: 0 (10.0.0.17 192.168.0.17 IKEv1)
Mar 12 11:20:37 srvl047 charon: 26[CFG] peer config match local: 1 (ID_ANY)
Mar 12 11:20:37 srvl047 charon: 26[CFG] peer config match remote: 1 (ID_DER_ASN1_DN -> 30:4d:31:0b:30:09:06:03:55:04:06:13:02:44:45:31:12:30:10:06:03:55:04:0a:13:09:61:69:78:69:67:6f:20:41:47:31:0b:30:09:06:03:55:04:0b:13:02:54:49:31:1d:30:1b:06:03:55:04:03:13:14:70:70:63:6d:30:31:38:2e:77:73:2e:61:69:78:69:67:6f:2e:64:65)
Mar 12 11:20:37 srvl047 charon: 26[CFG] ike config match: 1052 (10.0.0.17 192.168.0.17 IKEv1)
Mar 12 11:20:37 srvl047 charon: 26[CFG]   candidate "CiscoIPSec", match: 1/1/1052 (me/other/ike)
Mar 12 11:20:37 srvl047 charon: 26[CFG] peer config match local: 1 (ID_ANY)
Mar 12 11:20:37 srvl047 charon: 26[CFG] peer config match remote: 1 (ID_DER_ASN1_DN -> 30:4d:31:0b:30:09:06:03:55:04:06:13:02:44:45:31:12:30:10:06:03:55:04:0a:13:09:61:69:78:69:67:6f:20:41:47:31:0b:30:09:06:03:55:04:0b:13:02:54:49:31:1d:30:1b:06:03:55:04:03:13:14:70:70:63:6d:30:31:38:2e:77:73:2e:61:69:78:69:67:6f:2e:64:65)
Mar 12 11:20:37 srvl047 charon: 26[CFG] ike config match: 1052 (10.0.0.17 192.168.0.17 IKEv1)
Mar 12 11:20:37 srvl047 charon: 26[CFG]   candidate "CiscoIPSec-pam", match: 1/1/1052 (me/other/ike)
Mar 12 11:20:37 srvl047 charon: 26[CFG] peer config match local: 1 (ID_ANY)
Mar 12 11:20:37 srvl047 charon: 26[CFG] peer config match remote: 0 (ID_DER_ASN1_DN -> 30:4d:31:0b:30:09:06:03:55:04:06:13:02:44:45:31:12:30:10:06:03:55:04:0a:13:09:61:69:78:69:67:6f:20:41:47:31:0b:30:09:06:03:55:04:0b:13:02:54:49:31:1d:30:1b:06:03:55:04:03:13:14:70:70:63:6d:30:31:38:2e:77:73:2e:61:69:78:69:67:6f:2e:64:65)
Mar 12 11:20:37 srvl047 charon: 26[CFG] ike config match: 0 (10.0.0.17 192.168.0.17 IKEv1)
Mar 12 11:20:37 srvl047 charon: 26[CFG] selected peer config "CiscoIPSec"
Mar 12 11:20:37 srvl047 charon: 26[IKE] HASH_I data => 843 bytes @ 0x7f3e1c0094f0
Mar 12 11:20:37 srvl047 charon: 26[IKE]    0: 59 72 C8 3F 62 C4 89 19 52 23 61 C6 D3 D6 3A D1  Yr.?b...R#a...:.
Mar 12 11:20:37 srvl047 charon: 26[IKE]   16: 08 30 6F E1 9A F7 3C FA 1D 9A 74 34 83 3E 12 7A  .0o...<...t4.>.z
:
:
Mar 12 11:20:37 srvl047 charon: 26[IKE]  816: 06 03 55 04 03 13 14 70 70 63 6D 30 31 38 2E 77  ..U....ppcm018.w
Mar 12 11:20:37 srvl047 charon: 26[IKE]  832: 73 2E 61 69 78 69 67 6F 2E 64 65                 s.example.com
Mar 12 11:20:37 srvl047 charon: 26[IKE] HASH_I => 20 bytes @ 0x7f3e1c008f10
Mar 12 11:20:37 srvl047 charon: 26[IKE]    0: ED FD E4 91 CE FF 03 D8 5A 78 A6 13 1E 8B FA 70  ........Zx.....p
Mar 12 11:20:37 srvl047 charon: 26[IKE]   16: 55 2A B4 9F                                      U*..
Mar 12 11:20:37 srvl047 charon: 26[CFG]   using certificate "C=DE, O=example AG, OU=TI, CN=ppcm018.ws.example.com"
Mar 12 11:20:37 srvl047 charon: 26[CFG]   certificate "C=DE, O=example AG, OU=TI, CN=ppcm018.ws.example.com" key: 2048 bit RSA
Mar 12 11:20:37 srvl047 charon: 26[CFG]   using trusted intermediate ca certificate "C=DE, O=example AG, OU=example Certificate Authority, CN=ws-example-CA"
Mar 12 11:20:37 srvl047 charon: 26[CFG] checking certificate status of "C=DE, O=example AG, OU=TI, CN=ppcm018.ws.example.com"
Mar 12 11:20:37 srvl047 charon: 26[CFG] ocsp check skipped, no ocsp found
Mar 12 11:20:37 srvl047 charon: 26[CFG]   certificate "C=DE, O=example AG, OU=example Certificate Authority, CN=ws-example-CA" key: 4096 bit RSA
Mar 12 11:20:37 srvl047 charon: 26[CFG]   using trusted ca certificate "C=DE, O=example AG, OU=example Certificate Authority, CN=example Root CA"
Mar 12 11:20:37 srvl047 charon: 26[CFG]   certificate "C=DE, O=example AG, OU=example Certificate Authority, CN=example Root CA" key: 4096 bit RSA
Mar 12 11:20:37 srvl047 charon: 26[CFG]   reached self-signed root ca with a path length of 0
Mar 12 11:20:37 srvl047 charon: 26[CFG]   using trusted certificate "C=DE, O=example AG, OU=example Certificate Authority, CN=ws-example-CA"
Mar 12 11:20:37 srvl047 charon: 26[CFG]   crl correctly signed by "C=DE, O=example AG, OU=example Certificate Authority, CN=ws-example-CA"
Mar 12 11:20:37 srvl047 charon: 26[CFG]   crl is valid: until Mar 15 08:42:47 2016
Mar 12 11:20:37 srvl047 charon: 26[CFG]   using cached crl
Mar 12 11:20:37 srvl047 charon: 26[CFG]   certificate "C=DE, O=example AG, OU=example Certificate Authority, CN=ws-example-CA" key: 4096 bit RSA
Mar 12 11:20:37 srvl047 charon: 26[CFG]   using trusted ca certificate "C=DE, O=example AG, OU=example Certificate Authority, CN=example Root CA"
Mar 12 11:20:37 srvl047 charon: 26[CFG]   certificate "C=DE, O=example AG, OU=example Certificate Authority, CN=example Root CA" key: 4096 bit RSA
Mar 12 11:20:37 srvl047 charon: 26[CFG]   reached self-signed root ca with a path length of 0
Mar 12 11:20:37 srvl047 charon: 26[CFG]   using trusted certificate "C=DE, O=example AG, OU=example Certificate Authority, CN=ws-example-CA"
Mar 12 11:20:37 srvl047 charon: 26[CFG]   crl correctly signed by "C=DE, O=example AG, OU=example Certificate Authority, CN=ws-example-CA"
Mar 12 11:20:37 srvl047 charon: 26[CFG]   crl is stale: since Mar 12 08:42:47 2016
Mar 12 11:20:37 srvl047 charon: 26[CFG]   certificate "C=DE, O=example AG, OU=example Certificate Authority, CN=ws-example-CA" key: 4096 bit RSA
Mar 12 11:20:37 srvl047 charon: 26[CFG]   using trusted ca certificate "C=DE, O=example AG, OU=example Certificate Authority, CN=example Root CA"
Mar 12 11:20:37 srvl047 charon: 26[CFG]   certificate "C=DE, O=example AG, OU=example Certificate Authority, CN=example Root CA" key: 4096 bit RSA
Mar 12 11:20:37 srvl047 charon: 26[CFG]   reached self-signed root ca with a path length of 0
Mar 12 11:20:37 srvl047 charon: 26[CFG]   using trusted certificate "C=DE, O=example AG, OU=example Certificate Authority, CN=ws-example-CA"
Mar 12 11:20:37 srvl047 charon: 26[CFG]   crl correctly signed by "C=DE, O=example AG, OU=example Certificate Authority, CN=ws-example-CA"
Mar 12 11:20:37 srvl047 charon: 26[LIB]   crl #01:2d is newer - existing crl #01:2c replaced
Mar 12 11:20:37 srvl047 charon: 26[CFG]   crl is valid: until Mar 13 08:42:47 2016
Mar 12 11:20:37 srvl047 charon: 26[CFG]   using cached crl
Mar 12 11:20:37 srvl047 charon: 26[CFG] certificate status is good
Mar 12 11:20:37 srvl047 charon: 26[CFG]   certificate "C=DE, O=example AG, OU=example Certificate Authority, CN=ws-example-CA" key: 4096 bit RSA
Mar 12 11:20:37 srvl047 charon: 26[CFG]   using trusted ca certificate "C=DE, O=example AG, OU=example Certificate Authority, CN=example Root CA"
Mar 12 11:20:37 srvl047 charon: 26[CFG] checking certificate status of "C=DE, O=example AG, OU=example Certificate Authority, CN=ws-example-CA"
Mar 12 11:20:37 srvl047 charon: 26[CFG] ocsp check skipped, no ocsp found
Mar 12 11:20:37 srvl047 charon: 26[CFG]   using trusted certificate "C=DE, O=example AG, OU=example Certificate Authority, CN=example Root CA"
Mar 12 11:20:37 srvl047 charon: 26[CFG]   crl correctly signed by "C=DE, O=example AG, OU=example Certificate Authority, CN=example Root CA"
Mar 12 11:20:37 srvl047 charon: 26[CFG]   crl is valid: until Dec 20 11:33:09 2045
Mar 12 11:20:37 srvl047 charon: 26[CFG]   using cached crl
Mar 12 11:20:37 srvl047 charon: 26[CFG] certificate status is good
Mar 12 11:20:37 srvl047 charon: 26[CFG]   certificate "C=DE, O=example AG, OU=example Certificate Authority, CN=example Root CA" key: 4096 bit RSA
Mar 12 11:20:37 srvl047 charon: 26[CFG]   reached self-signed root ca with a path length of 1
Mar 12 11:20:37 srvl047 charon: 26[IKE] authentication of 'C=DE, O=example AG, OU=TI, CN=ppcm018.ws.example.com' with RSA successful
Mar 12 11:20:37 srvl047 charon: 26[IKE] HASH_R data => 783 bytes @ 0x7f3e1c00a090
Mar 12 11:20:37 srvl047 charon: 26[IKE]    0: F2 C3 44 93 31 64 9E 73 35 AA C8 E2 16 AB 45 23  ..D.1d.s5.....E#
Mar 12 11:20:37 srvl047 charon: 26[IKE]   16: 14 3F 04 56 8E D3 6C 82 CE FF 81 A7 F2 A4 F9 48  .?.V..l........H
:
:
Mar 12 11:20:37 srvl047 charon: 26[IKE]  752: 80 02 00 01 80 04 00 02 02 00 00 00 73 74 61 72  ............gate
Mar 12 11:20:37 srvl047 charon: 26[IKE]  768: 67 61 74 65 2E 61 69 78 69 67 6F 2E 63 6F 6D     1.example.com
Mar 12 11:20:37 srvl047 charon: 26[IKE] HASH_R => 20 bytes @ 0x7f3e1c0019a0
Mar 12 11:20:37 srvl047 charon: 26[IKE]    0: A3 18 80 DF 71 4C 2C 92 80 85 ED DA 15 48 AF 32  ....qL,......H.2
Mar 12 11:20:37 srvl047 charon: 26[IKE]   16: 69 E3 5F F4                                      i._.
Mar 12 11:20:37 srvl047 charon: 26[IKE] authentication of 'gate1.example.com' (myself) successful
Mar 12 11:20:37 srvl047 charon: 26[IKE] queueing XAUTH task
Mar 12 11:20:37 srvl047 charon: 26[IKE] sending end entity cert "C=DE, ST=NRW, L=Aachen, O=example AG, CN=gate1.example.com/emailAddress=security at example.com"
Mar 12 11:20:37 srvl047 charon: 26[IKE] sending issuer cert "C=DE, O=example AG, OU=example Certificate Authority, CN=ws-example-CA"
Mar 12 11:20:37 srvl047 charon: 26[ENC] generating ID_PROT response 0 [ ID CERT CERT SIG ]
Mar 12 11:20:37 srvl047 charon: 26[NET] sending packet: from 10.0.0.17[4500] to 192.168.0.17[60361] (3708 bytes)
Mar 12 11:20:37 srvl047 charon: 26[IKE] activating new tasks
Mar 12 11:20:37 srvl047 charon: 26[IKE]   activating XAUTH task
Mar 12 11:20:37 srvl047 charon: 03[NET] sending packet: from 10.0.0.17[4500] to 192.168.0.17[60361]
Mar 12 11:20:37 srvl047 charon: 26[IKE] Hash => 20 bytes @ 0x7f3e1c003c80
Mar 12 11:20:37 srvl047 charon: 26[IKE]    0: 15 E7 87 CD 6B 1D 67 11 2D 7C 26 74 32 11 A9 5F  ....k.g.-|&t2.._
Mar 12 11:20:37 srvl047 charon: 26[IKE]   16: DC C5 3E E5                                      ..>.
Mar 12 11:20:37 srvl047 charon: 26[ENC] generating TRANSACTION request 2917824958 [ HASH CPRQ(X_USER X_PWD) ]
Mar 12 11:20:37 srvl047 charon: 26[NET] sending packet: from 10.0.0.17[4500] to 192.168.0.17[60361] (76 bytes)
Mar 12 11:20:37 srvl047 charon: 03[NET] sending packet: from 10.0.0.17[4500] to 192.168.0.17[60361]
Mar 12 11:20:37 srvl047 charon: 02[NET] received packet: from 192.168.0.17[60361] to 10.0.0.17[4500]
Mar 12 11:20:37 srvl047 charon: 02[NET] waiting for data on sockets
Mar 12 11:20:37 srvl047 charon: 19[NET] received packet: from 192.168.0.17[60361] to 10.0.0.17[4500] (92 bytes)
Mar 12 11:20:37 srvl047 charon: 19[ENC] parsed TRANSACTION response 2917824958 [ HASH CPRP(X_USER X_PWD) ]
Mar 12 11:20:37 srvl047 charon: 19[IKE] Hash => 20 bytes @ 0x7f3e40001980
Mar 12 11:20:37 srvl047 charon: 19[IKE]    0: EB C0 B5 BE 1B 2D B6 65 C3 0F E8 45 D8 13 CE 84  .....-.e...E....
Mar 12 11:20:37 srvl047 charon: 19[IKE]   16: 13 D5 0F B0                                      ....
Mar 12 11:20:37 srvl047 charon: 19[IKE] XAuth authentication of 'ppcm018' successful
Mar 12 11:20:37 srvl047 charon: 19[IKE] reinitiating already active tasks
Mar 12 11:20:37 srvl047 charon: 19[IKE]   XAUTH task
Mar 12 11:20:37 srvl047 charon: 19[IKE] Hash => 20 bytes @ 0x7f3e40000b70
Mar 12 11:20:37 srvl047 charon: 19[IKE]    0: 05 04 9E 93 74 64 B5 E7 2B CB DB 86 25 8F 01 3E  ....td..+...%..>
Mar 12 11:20:37 srvl047 charon: 19[IKE]   16: BD 5D 33 56                                      .]3V
Mar 12 11:20:37 srvl047 charon: 19[ENC] generating TRANSACTION request 1618005064 [ HASH CPS(X_STATUS) ]
Mar 12 11:20:37 srvl047 charon: 19[NET] sending packet: from 10.0.0.17[4500] to 192.168.0.17[60361] (76 bytes)
Mar 12 11:20:37 srvl047 charon: 03[NET] sending packet: from 10.0.0.17[4500] to 192.168.0.17[60361]
Mar 12 11:20:37 srvl047 charon: 02[NET] received packet: from 192.168.0.17[60361] to 10.0.0.17[4500]
Mar 12 11:20:37 srvl047 charon: 02[NET] waiting for data on sockets
Mar 12 11:20:37 srvl047 charon: 13[NET] received packet: from 192.168.0.17[60361] to 10.0.0.17[4500] (76 bytes)
Mar 12 11:20:37 srvl047 charon: 13[ENC] parsed TRANSACTION response 1618005064 [ HASH CPA(X_STATUS) ]
Mar 12 11:20:37 srvl047 charon: 13[IKE] Hash => 20 bytes @ 0x7f3e58004420
Mar 12 11:20:37 srvl047 charon: 13[IKE]    0: 85 F7 8F C4 AB 1E A5 B1 EA 4A 3D 7F AE E5 9F D4  .........J=.....
Mar 12 11:20:37 srvl047 charon: 13[IKE]   16: 0D 04 EB 53                                      ...S
Mar 12 11:20:37 srvl047 charon: 13[IKE] IKE_SA CiscoIPSec[171] established between 10.0.0.17[gate1.example.com]...192.168.0.17[C=DE, O=example AG, OU=TI, CN=ppcm018.ws.example.com]
Mar 12 11:20:37 srvl047 charon: 13[IKE] IKE_SA CiscoIPSec[171] state change: CONNECTING => ESTABLISHED
Mar 12 11:20:37 srvl047 charon: 13[IKE] scheduling reauthentication in 10004s
Mar 12 11:20:37 srvl047 charon: 13[IKE] maximum IKE_SA lifetime 10544s
Mar 12 11:20:37 srvl047 charon: 13[IKE] activating new tasks
Mar 12 11:20:37 srvl047 charon: 13[IKE] nothing to initiate
Mar 12 11:20:37 srvl047 charon: 02[NET] received packet: from 192.168.0.17[60361] to 10.0.0.17[4500]
Mar 12 11:20:37 srvl047 charon: 02[NET] waiting for data on sockets
Mar 12 11:20:37 srvl047 charon: 28[NET] received packet: from 192.168.0.17[60361] to 10.0.0.17[4500] (172 bytes)
Mar 12 11:20:37 srvl047 charon: 28[ENC] unknown attribute type (28683)
Mar 12 11:20:37 srvl047 charon: 28[ENC] parsed TRANSACTION request 2316792513 [ HASH CPRQ(ADDR MASK DNS NBNS EXP VER U_BANNER U_DEFDOM U_SPLITDNS U_SPLITINC U_LOCALLAN U_PFS U_SAVEPWD U_FWTYPE U_BKPSRV (28683)) ]
Mar 12 11:20:37 srvl047 charon: 28[IKE] Hash => 20 bytes @ 0x7f3e14002b00
Mar 12 11:20:37 srvl047 charon: 28[IKE]    0: D7 F1 44 2B A8 12 ED FF B2 F8 63 83 F4 26 FC 9D  ..D+......c..&..
Mar 12 11:20:37 srvl047 charon: 28[IKE]   16: 08 33 79 7B                                      .3y{
Mar 12 11:20:37 srvl047 charon: 28[IKE] processing INTERNAL_IP4_ADDRESS attribute
Mar 12 11:20:37 srvl047 charon: 28[IKE] processing INTERNAL_IP4_NETMASK attribute
Mar 12 11:20:37 srvl047 charon: 28[IKE] processing INTERNAL_IP4_DNS attribute
Mar 12 11:20:37 srvl047 charon: 28[IKE] processing INTERNAL_IP4_NBNS attribute
Mar 12 11:20:37 srvl047 charon: 28[IKE] processing INTERNAL_ADDRESS_EXPIRY attribute
Mar 12 11:20:37 srvl047 charon: 28[IKE] processing APPLICATION_VERSION attribute
Mar 12 11:20:37 srvl047 charon: 28[IKE] processing UNITY_BANNER attribute
Mar 12 11:20:37 srvl047 charon: 28[IKE] processing UNITY_DEF_DOMAIN attribute
Mar 12 11:20:37 srvl047 charon: 28[IKE] processing UNITY_SPLITDNS_NAME attribute
Mar 12 11:20:37 srvl047 charon: 28[IKE] processing UNITY_SPLIT_INCLUDE attribute
Mar 12 11:20:37 srvl047 charon: 28[IKE] processing UNITY_LOCAL_LAN attribute
Mar 12 11:20:37 srvl047 charon: 28[IKE] processing UNITY_PFS attribute
Mar 12 11:20:37 srvl047 charon: 28[IKE] processing UNITY_SAVE_PASSWD attribute
Mar 12 11:20:37 srvl047 charon: 28[IKE] processing UNITY_FW_TYPE attribute
Mar 12 11:20:37 srvl047 charon: 28[IKE] processing UNITY_BACKUP_SERVERS attribute
Mar 12 11:20:37 srvl047 charon: 28[IKE] processing (28683) attribute
Mar 12 11:20:37 srvl047 charon: 28[IKE] peer requested virtual IP %any
Mar 12 11:20:37 srvl047 charon: 28[CFG] sending DHCP DISCOVER to 255.255.255.255
Mar 12 11:20:37 srvl047 charon: 15[CFG] received DHCP OFFER 172.19.97.68 from 172.19.96.123
Mar 12 11:20:37 srvl047 charon: 28[CFG] sending DHCP REQUEST for 172.19.97.68 to 172.19.96.123
Mar 12 11:20:37 srvl047 charon: 28[CFG] sending DHCP REQUEST for 172.19.97.68 to 172.19.96.123
Mar 12 11:20:37 srvl047 charon: 14[CFG] received DHCP ACK for 172.19.97.68
Mar 12 11:20:37 srvl047 charon: 28[IKE] assigning virtual IP 172.19.97.68 to peer 'ppcm018'
Mar 12 11:20:37 srvl047 charon: 28[CFG] proposing traffic selectors for us:
Mar 12 11:20:37 srvl047 charon: 28[CFG]  172.19.96.0/19
Mar 12 11:20:37 srvl047 charon: 28[CFG] sending UNITY_SPLIT_INCLUDE: 172.19.96.0/19
Mar 12 11:20:37 srvl047 charon: 28[IKE] Hash => 20 bytes @ 0x7f3e14005c40
Mar 12 11:20:37 srvl047 charon: 28[IKE]    0: 80 BE FD 51 5A 78 15 50 D9 9B 2F 70 91 1F DD 42  ...QZx.P../p...B
Mar 12 11:20:37 srvl047 charon: 28[IKE]   16: 78 91 AD D6                                      x...
Mar 12 11:20:37 srvl047 charon: 28[ENC] generating TRANSACTION response 2316792513 [ HASH CPRP(ADDR DNS NBNS U_DEFDOM U_SPLITDNS DNS DNS NBNS U_SPLITINC) ]
Mar 12 11:20:37 srvl047 charon: 28[NET] sending packet: from 10.0.0.17[4500] to 192.168.0.17[60361] (316 bytes)
Mar 12 11:20:37 srvl047 charon: 03[NET] sending packet: from 10.0.0.17[4500] to 192.168.0.17[60361]
Mar 12 11:20:38 srvl047 charon: 02[NET] received packet: from 192.168.0.17[60361] to 10.0.0.17[4500]
Mar 12 11:20:38 srvl047 charon: 02[NET] waiting for data on sockets
Mar 12 11:20:38 srvl047 charon: 08[NET] received packet: from 192.168.0.17[60361] to 10.0.0.17[4500] (300 bytes)
Mar 12 11:20:38 srvl047 charon: 08[ENC] parsed QUICK_MODE request 4269954720 [ HASH SA No ID ID ]
Mar 12 11:20:38 srvl047 charon: 08[IKE] Hash(1) => 20 bytes @ 0x7f3e08001a70
Mar 12 11:20:38 srvl047 charon: 08[IKE]    0: 58 C9 04 87 1A 99 4C 7C A6 F3 5B 4D D5 33 D4 B9  X.....L|..[M.3..
Mar 12 11:20:38 srvl047 charon: 08[IKE]   16: 8F ED F8 6F                                      ...o
Mar 12 11:20:38 srvl047 charon: 08[CFG] looking for a child config for 172.19.96.0/19 === 172.19.97.68/32
Mar 12 11:20:38 srvl047 charon: 08[CFG] proposing traffic selectors for us:
Mar 12 11:20:38 srvl047 charon: 08[CFG]  172.19.96.0/19
Mar 12 11:20:38 srvl047 charon: 08[CFG] proposing traffic selectors for other:
Mar 12 11:20:38 srvl047 charon: 08[CFG]  172.19.97.68/32
Mar 12 11:20:38 srvl047 charon: 08[CFG]   candidate "CiscoIPSec" with prio 5+5
Mar 12 11:20:38 srvl047 charon: 08[CFG] found matching child config "CiscoIPSec" with prio 10
Mar 12 11:20:38 srvl047 charon: 08[CFG] selecting traffic selectors for other:
Mar 12 11:20:38 srvl047 charon: 08[CFG]  config: 172.19.97.68/32, received: 172.19.97.68/32 => match: 172.19.97.68/32
Mar 12 11:20:38 srvl047 charon: 08[CFG] selecting traffic selectors for us:
Mar 12 11:20:38 srvl047 charon: 08[CFG]  config: 172.19.96.0/19, received: 172.19.96.0/19 => match: 172.19.96.0/19
Mar 12 11:20:38 srvl047 charon: 08[CFG] selecting proposal:
Mar 12 11:20:38 srvl047 charon: 08[CFG]   proposal matches
Mar 12 11:20:38 srvl047 charon: 08[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_MD5_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_MD5_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ
Mar 12 11:20:38 srvl047 charon: 08[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Mar 12 11:20:38 srvl047 charon: 08[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Mar 12 11:20:38 srvl047 charon: 08[IKE] Hash(2) => 20 bytes @ 0x7f3e08005a60
Mar 12 11:20:38 srvl047 charon: 08[IKE]    0: 5F C7 2C 3F 72 12 AC DC C7 49 4D 53 4B 79 5E 67  _.,?r....IMSKy^g
Mar 12 11:20:38 srvl047 charon: 08[IKE]   16: 64 83 0F 38                                      d..8
Mar 12 11:20:38 srvl047 charon: 08[ENC] generating QUICK_MODE response 4269954720 [ HASH SA No ID ID ]
Mar 12 11:20:38 srvl047 charon: 08[NET] sending packet: from 10.0.0.17[4500] to 192.168.0.17[60361] (172 bytes)
Mar 12 11:20:38 srvl047 charon: 03[NET] sending packet: from 10.0.0.17[4500] to 192.168.0.17[60361]
Mar 12 11:20:38 srvl047 charon: 02[NET] received packet: from 192.168.0.17[60361] to 10.0.0.17[4500]
Mar 12 11:20:38 srvl047 charon: 02[NET] waiting for data on sockets
Mar 12 11:20:38 srvl047 charon: 07[NET] received packet: from 192.168.0.17[60361] to 10.0.0.17[4500] (60 bytes)
Mar 12 11:20:38 srvl047 charon: 07[ENC] parsed QUICK_MODE request 4269954720 [ HASH ]
Mar 12 11:20:38 srvl047 charon: 07[IKE] Hash(3) => 20 bytes @ 0x7f3e60002130
Mar 12 11:20:38 srvl047 charon: 07[IKE]    0: 40 CE D2 81 1B BC BB 99 5E 29 BE 6D 5A C8 50 D2  @.......^).mZ.P.
Mar 12 11:20:38 srvl047 charon: 07[IKE]   16: EF 1C C6 E5                                      ....
Mar 12 11:20:38 srvl047 charon: 07[CHD]   using AES_CBC for encryption
Mar 12 11:20:38 srvl047 charon: 07[CHD]   using HMAC_SHA1_96 for integrity
Mar 12 11:20:38 srvl047 charon: 07[CHD] adding inbound ESP SA
Mar 12 11:20:38 srvl047 charon: 07[CHD]   SPI 0xc3fcc6a3, src 192.168.0.17 dst 10.0.0.17
Mar 12 11:20:38 srvl047 charon: 07[CHD] adding outbound ESP SA
Mar 12 11:20:38 srvl047 charon: 07[CHD]   SPI 0x0f18953b, src 10.0.0.17 dst 192.168.0.17
Mar 12 11:20:38 srvl047 charon: 07[IKE] CHILD_SA CiscoIPSec{406} established with SPIs c3fcc6a3_i 0f18953b_o and TS 172.19.96.0/19 === 172.19.97.68/32

# gotosleep
:
:
# wakeup

Mar 12 11:55:12 srvl047 charon: 02[NET] received packet: from 192.168.0.17[53195] to 10.0.0.17[500]
Mar 12 11:55:12 srvl047 charon: 02[NET] waiting for data on sockets
Mar 12 11:55:12 srvl047 charon: 04[NET] received packet: from 192.168.0.17[53195] to 10.0.0.17[500] (668 bytes)
Mar 12 11:55:12 srvl047 charon: 04[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
Mar 12 11:55:12 srvl047 charon: 04[CFG] looking for an ike config for 10.0.0.17...192.168.0.17
Mar 12 11:55:12 srvl047 charon: 04[CFG] ike config match: 0 (10.0.0.17 192.168.0.17 IKEv1)
Mar 12 11:55:12 srvl047 charon: 04[CFG] ike config match: 0 (10.0.0.17 192.168.0.17 IKEv1)
Mar 12 11:55:12 srvl047 charon: 04[CFG] ike config match: 1052 (10.0.0.17 192.168.0.17 IKEv1)
Mar 12 11:55:12 srvl047 charon: 04[CFG]   candidate: gate1.example.com...%any, prio 1052
Mar 12 11:55:12 srvl047 charon: 04[CFG] ike config match: 1052 (10.0.0.17 192.168.0.17 IKEv1)
Mar 12 11:55:12 srvl047 charon: 04[CFG]   candidate: gate1.example.com...%any, prio 1052
Mar 12 11:55:12 srvl047 charon: 04[CFG] ike config match: 0 (10.0.0.17 192.168.0.17 IKEv1)
Mar 12 11:55:12 srvl047 charon: 04[CFG] found matching ike config: gate1.example.com...%any with prio 1052
Mar 12 11:55:12 srvl047 charon: 04[IKE] received NAT-T (RFC 3947) vendor ID
Mar 12 11:55:12 srvl047 charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Mar 12 11:55:12 srvl047 charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Mar 12 11:55:12 srvl047 charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Mar 12 11:55:12 srvl047 charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Mar 12 11:55:12 srvl047 charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Mar 12 11:55:12 srvl047 charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Mar 12 11:55:12 srvl047 charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Mar 12 11:55:12 srvl047 charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Mar 12 11:55:12 srvl047 charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Mar 12 11:55:12 srvl047 charon: 04[IKE] received XAuth vendor ID
Mar 12 11:55:12 srvl047 charon: 04[IKE] received Cisco Unity vendor ID
Mar 12 11:55:12 srvl047 charon: 04[IKE] received FRAGMENTATION vendor ID
Mar 12 11:55:12 srvl047 charon: 04[IKE] received DPD vendor ID
Mar 12 11:55:12 srvl047 charon: 04[IKE] 192.168.0.17 is initiating a Main Mode IKE_SA
Mar 12 11:55:12 srvl047 charon: 04[IKE] IKE_SA (unnamed)[178] state change: CREATED => CONNECTING
Mar 12 11:55:12 srvl047 charon: 04[CFG] selecting proposal:
Mar 12 11:55:12 srvl047 charon: 04[CFG]   proposal matches
Mar 12 11:55:12 srvl047 charon: 04[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Mar 12 11:55:12 srvl047 charon: 04[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
Mar 12 11:55:12 srvl047 charon: 04[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
Mar 12 11:55:12 srvl047 charon: 04[IKE] sending strongSwan vendor ID
Mar 12 11:55:12 srvl047 charon: 04[IKE] sending XAuth vendor ID
Mar 12 11:55:12 srvl047 charon: 04[IKE] sending DPD vendor ID
Mar 12 11:55:12 srvl047 charon: 04[IKE] sending NAT-T (RFC 3947) vendor ID
Mar 12 11:55:12 srvl047 charon: 04[ENC] generating ID_PROT response 0 [ SA V V V V ]
Mar 12 11:55:12 srvl047 charon: 04[NET] sending packet: from 10.0.0.17[500] to 192.168.0.17[53195] (156 bytes)
Mar 12 11:55:12 srvl047 charon: 03[NET] sending packet: from 10.0.0.17[500] to 192.168.0.17[53195]
Mar 12 11:55:12 srvl047 charon: 02[NET] received packet: from 192.168.0.17[53195] to 10.0.0.17[500]
Mar 12 11:55:12 srvl047 charon: 02[NET] waiting for data on sockets
Mar 12 11:55:12 srvl047 charon: 06[NET] received packet: from 192.168.0.17[53195] to 10.0.0.17[500] (292 bytes)
Mar 12 11:55:12 srvl047 charon: 06[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Mar 12 11:55:12 srvl047 charon: 06[IKE] natd_chunk => 22 bytes @ 0x7f3e912c4b70
Mar 12 11:55:12 srvl047 charon: 06[IKE]    0: 0C 6D E9 A3 61 46 3A 33 61 2F 07 6C D8 C7 0C D6  .m..aF:3a/.l....
Mar 12 11:55:12 srvl047 charon: 06[IKE]   16: 05 91 8E 11 01 F4                                ......
Mar 12 11:55:12 srvl047 charon: 06[IKE] natd_hash => 20 bytes @ 0x7f3e68008be0
Mar 12 11:55:12 srvl047 charon: 06[IKE]    0: 1E A0 6D 59 1E D3 0E 41 91 99 EA E9 96 8C 47 1E  ..mY...A......G.
Mar 12 11:55:12 srvl047 charon: 06[IKE]   16: E5 43 5D 49                                      .C]I
Mar 12 11:55:12 srvl047 charon: 06[IKE] natd_chunk => 22 bytes @ 0x7f3e912c4b70
Mar 12 11:55:12 srvl047 charon: 06[IKE]    0: 0C 6D E9 A3 61 46 3A 33 61 2F 07 6C D8 C7 0C D6  .m..aF:3a/.l....
Mar 12 11:55:12 srvl047 charon: 06[IKE]   16: D9 EB 92 11 CF CB                                ......
Mar 12 11:55:12 srvl047 charon: 06[IKE] natd_hash => 20 bytes @ 0x7f3e68008c00
Mar 12 11:55:12 srvl047 charon: 06[IKE]    0: 29 05 8F 04 03 7B F7 D1 B1 73 D9 86 2D 19 F4 06  )....{...s..-...
Mar 12 11:55:12 srvl047 charon: 06[IKE]   16: 62 F2 27 88                                      b.'.
Mar 12 11:55:12 srvl047 charon: 06[IKE] precalculated src_hash => 20 bytes @ 0x7f3e68008c00
Mar 12 11:55:12 srvl047 charon: 06[IKE]    0: 29 05 8F 04 03 7B F7 D1 B1 73 D9 86 2D 19 F4 06  )....{...s..-...
Mar 12 11:55:12 srvl047 charon: 06[IKE]   16: 62 F2 27 88                                      b.'.
Mar 12 11:55:12 srvl047 charon: 06[IKE] precalculated dst_hash => 20 bytes @ 0x7f3e68008be0
Mar 12 11:55:12 srvl047 charon: 06[IKE]    0: 1E A0 6D 59 1E D3 0E 41 91 99 EA E9 96 8C 47 1E  ..mY...A......G.
Mar 12 11:55:12 srvl047 charon: 06[IKE]   16: E5 43 5D 49                                      .C]I
Mar 12 11:55:12 srvl047 charon: 06[IKE] received dst_hash => 20 bytes @ 0x7f3e68006c80
Mar 12 11:55:12 srvl047 charon: 06[IKE]    0: 1E A0 6D 59 1E D3 0E 41 91 99 EA E9 96 8C 47 1E  ..mY...A......G.
Mar 12 11:55:12 srvl047 charon: 06[IKE]   16: E5 43 5D 49                                      .C]I
Mar 12 11:55:12 srvl047 charon: 06[IKE] received src_hash => 20 bytes @ 0x7f3e68002d40
Mar 12 11:55:12 srvl047 charon: 06[IKE]    0: E7 75 05 46 3D 2E 7C 5F 26 0E 8A 25 D1 DF 4B 10  .u.F=.|_&..%..K.
Mar 12 11:55:12 srvl047 charon: 06[IKE]   16: C4 D0 1D 65                                      ...e
Mar 12 11:55:12 srvl047 charon: 06[IKE] remote host is behind NAT
Mar 12 11:55:12 srvl047 charon: 06[IKE] sending cert request for "C=DE, O=example AG, OU=example Certificate Authority, CN=example Root CA"
Mar 12 11:55:12 srvl047 charon: 06[IKE] sending cert request for "C=DE, ST=NRW, L=Aachen, O=example AG, OU=TI, CN=IPsec_ca, E=security at example.com"
Mar 12 11:55:12 srvl047 charon: 06[IKE] sending cert request for "C=DE, O=example AG, OU=example Certificate Authority, CN=ws-example-CA"
Mar 12 11:55:12 srvl047 charon: 06[IKE] natd_chunk => 22 bytes @ 0x7f3e912c4b90
Mar 12 11:55:12 srvl047 charon: 06[IKE]    0: 0C 6D E9 A3 61 46 3A 33 61 2F 07 6C D8 C7 0C D6  .m..aF:3a/.l....
Mar 12 11:55:12 srvl047 charon: 06[IKE]   16: D9 EB 92 11 CF CB                                ......
Mar 12 11:55:12 srvl047 charon: 06[IKE] natd_hash => 20 bytes @ 0x7f3e68005530
Mar 12 11:55:12 srvl047 charon: 06[IKE]    0: 29 05 8F 04 03 7B F7 D1 B1 73 D9 86 2D 19 F4 06  )....{...s..-...
Mar 12 11:55:12 srvl047 charon: 06[IKE]   16: 62 F2 27 88                                      b.'.
Mar 12 11:55:12 srvl047 charon: 06[IKE] natd_chunk => 22 bytes @ 0x7f3e912c4b90
Mar 12 11:55:12 srvl047 charon: 06[IKE]    0: 0C 6D E9 A3 61 46 3A 33 61 2F 07 6C D8 C7 0C D6  .m..aF:3a/.l....
Mar 12 11:55:12 srvl047 charon: 06[IKE]   16: 05 91 8E 11 01 F4                                ......
Mar 12 11:55:12 srvl047 charon: 06[IKE] natd_hash => 20 bytes @ 0x7f3e680083f0
Mar 12 11:55:12 srvl047 charon: 06[IKE]    0: 1E A0 6D 59 1E D3 0E 41 91 99 EA E9 96 8C 47 1E  ..mY...A......G.
Mar 12 11:55:12 srvl047 charon: 06[IKE]   16: E5 43 5D 49                                      .C]I
Mar 12 11:55:12 srvl047 charon: 06[ENC] generating ID_PROT response 0 [ KE No CERTREQ CERTREQ CERTREQ NAT-D NAT-D ]
Mar 12 11:55:12 srvl047 charon: 06[NET] sending packet: from 10.0.0.17[500] to 192.168.0.17[53195] (653 bytes)
Mar 12 11:55:12 srvl047 charon: 03[NET] sending packet: from 10.0.0.17[500] to 192.168.0.17[53195]
Mar 12 11:55:12 srvl047 charon: 02[NET] received packet: from 192.168.0.17[60361] to 10.0.0.17[4500]
Mar 12 11:55:12 srvl047 charon: 02[NET] waiting for data on sockets
Mar 12 11:55:12 srvl047 charon: 26[NET] received packet: from 192.168.0.17[60361] to 10.0.0.17[4500] (2220 bytes)
Mar 12 11:55:12 srvl047 charon: 26[ENC] parsed ID_PROT request 0 [ ID CERT SIG CERTREQ ]
Mar 12 11:55:12 srvl047 charon: 26[IKE] ignoring certificate request without data
Mar 12 11:55:12 srvl047 charon: 26[IKE] received end entity cert "C=DE, O=example AG, OU=TI, CN=ppcm018.ws.example.com"
Mar 12 11:55:12 srvl047 charon: 26[CFG] looking for XAuthInitRSA peer configs matching 10.0.0.17...192.168.0.17[C=DE, O=example AG, OU=TI, CN=ppcm018.ws.example.com]
Mar 12 11:55:12 srvl047 charon: 26[CFG] peer config match local: 1 (ID_ANY)
Mar 12 11:55:12 srvl047 charon: 26[CFG] peer config match remote: 1 (ID_DER_ASN1_DN -> 30:4d:31:0b:30:09:06:03:55:04:06:13:02:44:45:31:12:30:10:06:03:55:04:0a:13:09:61:69:78:69:67:6f:20:41:47:31:0b:30:09:06:03:55:04:0b:13:02:54:49:31:1d:30:1b:06:03:55:04:03:13:14:70:70:63:6d:30:31:38:2e:77:73:2e:61:69:78:69:67:6f:2e:64:65)
Mar 12 11:55:12 srvl047 charon: 26[CFG] ike config match: 0 (10.0.0.17 192.168.0.17 IKEv1)
Mar 12 11:55:12 srvl047 charon: 26[CFG] peer config match local: 1 (ID_ANY)
Mar 12 11:55:12 srvl047 charon: 26[CFG] peer config match remote: 1 (ID_DER_ASN1_DN -> 30:4d:31:0b:30:09:06:03:55:04:06:13:02:44:45:31:12:30:10:06:03:55:04:0a:13:09:61:69:78:69:67:6f:20:41:47:31:0b:30:09:06:03:55:04:0b:13:02:54:49:31:1d:30:1b:06:03:55:04:03:13:14:70:70:63:6d:30:31:38:2e:77:73:2e:61:69:78:69:67:6f:2e:64:65)
Mar 12 11:55:12 srvl047 charon: 26[CFG] ike config match: 0 (10.0.0.17 192.168.0.17 IKEv1)
Mar 12 11:55:12 srvl047 charon: 26[CFG] peer config match local: 1 (ID_ANY)
Mar 12 11:55:12 srvl047 charon: 26[CFG] peer config match remote: 1 (ID_DER_ASN1_DN -> 30:4d:31:0b:30:09:06:03:55:04:06:13:02:44:45:31:12:30:10:06:03:55:04:0a:13:09:61:69:78:69:67:6f:20:41:47:31:0b:30:09:06:03:55:04:0b:13:02:54:49:31:1d:30:1b:06:03:55:04:03:13:14:70:70:63:6d:30:31:38:2e:77:73:2e:61:69:78:69:67:6f:2e:64:65)
Mar 12 11:55:12 srvl047 charon: 26[CFG] ike config match: 1052 (10.0.0.17 192.168.0.17 IKEv1)
Mar 12 11:55:12 srvl047 charon: 26[CFG]   candidate "CiscoIPSec", match: 1/1/1052 (me/other/ike)
Mar 12 11:55:12 srvl047 charon: 26[CFG] peer config match local: 1 (ID_ANY)
Mar 12 11:55:12 srvl047 charon: 26[CFG] peer config match remote: 1 (ID_DER_ASN1_DN -> 30:4d:31:0b:30:09:06:03:55:04:06:13:02:44:45:31:12:30:10:06:03:55:04:0a:13:09:61:69:78:69:67:6f:20:41:47:31:0b:30:09:06:03:55:04:0b:13:02:54:49:31:1d:30:1b:06:03:55:04:03:13:14:70:70:63:6d:30:31:38:2e:77:73:2e:61:69:78:69:67:6f:2e:64:65)
Mar 12 11:55:12 srvl047 charon: 26[CFG] ike config match: 1052 (10.0.0.17 192.168.0.17 IKEv1)
Mar 12 11:55:12 srvl047 charon: 26[CFG]   candidate "CiscoIPSec-pam", match: 1/1/1052 (me/other/ike)
Mar 12 11:55:12 srvl047 charon: 26[CFG] peer config match local: 1 (ID_ANY)
Mar 12 11:55:12 srvl047 charon: 26[CFG] peer config match remote: 0 (ID_DER_ASN1_DN -> 30:4d:31:0b:30:09:06:03:55:04:06:13:02:44:45:31:12:30:10:06:03:55:04:0a:13:09:61:69:78:69:67:6f:20:41:47:31:0b:30:09:06:03:55:04:0b:13:02:54:49:31:1d:30:1b:06:03:55:04:03:13:14:70:70:63:6d:30:31:38:2e:77:73:2e:61:69:78:69:67:6f:2e:64:65)
Mar 12 11:55:12 srvl047 charon: 26[CFG] ike config match: 0 (10.0.0.17 192.168.0.17 IKEv1)
Mar 12 11:55:12 srvl047 charon: 26[CFG] selected peer config "CiscoIPSec"
Mar 12 11:55:12 srvl047 charon: 26[IKE] HASH_I data => 843 bytes @ 0x7f3e1c0044f0
Mar 12 11:55:12 srvl047 charon: 26[IKE]    0: 57 F0 D4 99 6A 6C 8D AB 7F 6F C5 30 49 B7 E5 ED  W...jl...o.0I...
Mar 12 11:55:12 srvl047 charon: 26[IKE]   16: 8D CC FF 56 93 A1 DE B9 49 D4 7E 83 A0 C2 4B 09  ...V....I.~...K.
:
:
Mar 12 11:55:12 srvl047 charon: 26[IKE]  816: 06 03 55 04 03 13 14 70 70 63 6D 30 31 38 2E 77  ..U....ppcm018.w
Mar 12 11:55:12 srvl047 charon: 26[IKE]  832: 73 2E 61 69 78 69 67 6F 2E 64 65                 s.example.com
Mar 12 11:55:12 srvl047 charon: 26[IKE] HASH_I => 20 bytes @ 0x7f3e1c00a4b0
Mar 12 11:55:12 srvl047 charon: 26[IKE]    0: 80 3C 34 4C DB 2A 29 15 32 EA 23 A4 3F 10 B7 1F  .<4L.*).2.#.?...
Mar 12 11:55:12 srvl047 charon: 26[IKE]   16: FC 8C E7 63                                      ...c
Mar 12 11:55:12 srvl047 charon: 26[CFG]   using certificate "C=DE, O=example AG, OU=TI, CN=ppcm018.ws.example.com"
Mar 12 11:55:12 srvl047 charon: 26[CFG]   certificate "C=DE, O=example AG, OU=TI, CN=ppcm018.ws.example.com" key: 2048 bit RSA
Mar 12 11:55:12 srvl047 charon: 26[CFG]   using trusted intermediate ca certificate "C=DE, O=example AG, OU=example Certificate Authority, CN=ws-example-CA"
Mar 12 11:55:12 srvl047 charon: 26[CFG] checking certificate status of "C=DE, O=example AG, OU=TI, CN=ppcm018.ws.example.com"
Mar 12 11:55:12 srvl047 charon: 26[CFG] ocsp check skipped, no ocsp found
Mar 12 11:55:12 srvl047 charon: 26[CFG]   certificate "C=DE, O=example AG, OU=example Certificate Authority, CN=ws-example-CA" key: 4096 bit RSA
Mar 12 11:55:12 srvl047 charon: 26[CFG]   using trusted ca certificate "C=DE, O=example AG, OU=example Certificate Authority, CN=example Root CA"
Mar 12 11:55:12 srvl047 charon: 26[CFG]   certificate "C=DE, O=example AG, OU=example Certificate Authority, CN=example Root CA" key: 4096 bit RSA
Mar 12 11:55:12 srvl047 charon: 26[CFG]   reached self-signed root ca with a path length of 0
Mar 12 11:55:12 srvl047 charon: 26[CFG]   using trusted certificate "C=DE, O=example AG, OU=example Certificate Authority, CN=ws-example-CA"
Mar 12 11:55:12 srvl047 charon: 26[CFG]   crl correctly signed by "C=DE, O=example AG, OU=example Certificate Authority, CN=ws-example-CA"
Mar 12 11:55:12 srvl047 charon: 26[CFG]   crl is valid: until Mar 15 08:42:47 2016
Mar 12 11:55:12 srvl047 charon: 26[CFG]   using cached crl
Mar 12 11:55:12 srvl047 charon: 26[CFG]   certificate "C=DE, O=example AG, OU=example Certificate Authority, CN=ws-example-CA" key: 4096 bit RSA
Mar 12 11:55:12 srvl047 charon: 26[CFG]   using trusted ca certificate "C=DE, O=example AG, OU=example Certificate Authority, CN=example Root CA"
Mar 12 11:55:12 srvl047 charon: 26[CFG]   certificate "C=DE, O=example AG, OU=example Certificate Authority, CN=example Root CA" key: 4096 bit RSA
Mar 12 11:55:12 srvl047 charon: 26[CFG]   reached self-signed root ca with a path length of 0
Mar 12 11:55:12 srvl047 charon: 26[CFG]   using trusted certificate "C=DE, O=example AG, OU=example Certificate Authority, CN=ws-example-CA"
Mar 12 11:55:12 srvl047 charon: 26[CFG]   crl correctly signed by "C=DE, O=example AG, OU=example Certificate Authority, CN=ws-example-CA"
Mar 12 11:55:12 srvl047 charon: 26[CFG]   crl is stale: since Mar 12 08:42:47 2016
Mar 12 11:55:12 srvl047 charon: 26[CFG]   certificate "C=DE, O=example AG, OU=example Certificate Authority, CN=ws-example-CA" key: 4096 bit RSA
Mar 12 11:55:12 srvl047 charon: 26[CFG]   using trusted ca certificate "C=DE, O=example AG, OU=example Certificate Authority, CN=example Root CA"
Mar 12 11:55:12 srvl047 charon: 26[CFG]   certificate "C=DE, O=example AG, OU=example Certificate Authority, CN=example Root CA" key: 4096 bit RSA
Mar 12 11:55:12 srvl047 charon: 26[CFG]   reached self-signed root ca with a path length of 0
Mar 12 11:55:12 srvl047 charon: 26[CFG]   using trusted certificate "C=DE, O=example AG, OU=example Certificate Authority, CN=ws-example-CA"
Mar 12 11:55:12 srvl047 charon: 26[CFG]   crl correctly signed by "C=DE, O=example AG, OU=example Certificate Authority, CN=ws-example-CA"
Mar 12 11:55:12 srvl047 charon: 26[LIB]   crl #01:2d is newer - existing crl #01:2c replaced
Mar 12 11:55:12 srvl047 charon: 26[CFG]   crl is valid: until Mar 13 08:42:47 2016
Mar 12 11:55:12 srvl047 charon: 26[CFG]   using cached crl
Mar 12 11:55:12 srvl047 charon: 26[CFG] certificate status is good
Mar 12 11:55:12 srvl047 charon: 26[CFG]   certificate "C=DE, O=example AG, OU=example Certificate Authority, CN=ws-example-CA" key: 4096 bit RSA
Mar 12 11:55:12 srvl047 charon: 26[CFG]   using trusted ca certificate "C=DE, O=example AG, OU=example Certificate Authority, CN=example Root CA"
Mar 12 11:55:12 srvl047 charon: 26[CFG] checking certificate status of "C=DE, O=example AG, OU=example Certificate Authority, CN=ws-example-CA"
Mar 12 11:55:12 srvl047 charon: 26[CFG] ocsp check skipped, no ocsp found
Mar 12 11:55:12 srvl047 charon: 26[CFG]   using trusted certificate "C=DE, O=example AG, OU=example Certificate Authority, CN=example Root CA"
Mar 12 11:55:12 srvl047 charon: 26[CFG]   crl correctly signed by "C=DE, O=example AG, OU=example Certificate Authority, CN=example Root CA"
Mar 12 11:55:12 srvl047 charon: 26[CFG]   crl is valid: until Dec 20 11:33:09 2045
Mar 12 11:55:12 srvl047 charon: 26[CFG]   using cached crl
Mar 12 11:55:12 srvl047 charon: 26[CFG] certificate status is good
Mar 12 11:55:12 srvl047 charon: 26[CFG]   certificate "C=DE, O=example AG, OU=example Certificate Authority, CN=example Root CA" key: 4096 bit RSA
Mar 12 11:55:12 srvl047 charon: 26[CFG]   reached self-signed root ca with a path length of 1
Mar 12 11:55:12 srvl047 charon: 26[IKE] authentication of 'C=DE, O=example AG, OU=TI, CN=ppcm018.ws.example.com' with RSA successful
Mar 12 11:55:12 srvl047 charon: 26[IKE] HASH_R data => 783 bytes @ 0x7f3e1c008900
Mar 12 11:55:12 srvl047 charon: 26[IKE]    0: 59 45 B2 EF 4D FC 9A D2 7F CB E0 C1 45 5F 1A A2  YE..M.......E_..
Mar 12 11:55:12 srvl047 charon: 26[IKE]   16: D5 5E 18 CF BB 81 3D CF B3 F3 2A 92 48 6B D5 DC  .^....=...*.Hk..
:
:
Mar 12 11:55:12 srvl047 charon: 26[IKE]  736: 80 0B 00 01 80 0C 0E 10 80 01 00 01 80 03 FD ED  ................
Mar 12 11:55:12 srvl047 charon: 26[IKE]  752: 80 02 00 01 80 04 00 02 02 00 00 00 73 74 61 72  ............gate
Mar 12 11:55:12 srvl047 charon: 26[IKE]  768: 67 61 74 65 2E 61 69 78 69 67 6F 2E 63 6F 6D     1.example.com
Mar 12 11:55:12 srvl047 charon: 26[IKE] HASH_R => 20 bytes @ 0x7f3e1c0017f0
Mar 12 11:55:12 srvl047 charon: 26[IKE]    0: 44 B6 1F C4 82 22 F7 47 77 D2 4E 57 36 6D F0 59  D....".Gw.NW6m.Y
Mar 12 11:55:12 srvl047 charon: 26[IKE]   16: 18 BD E9 21                                      ...!
Mar 12 11:55:12 srvl047 charon: 26[IKE] authentication of 'gate1.example.com' (myself) successful
Mar 12 11:55:12 srvl047 charon: 26[IKE] queueing XAUTH task
Mar 12 11:55:12 srvl047 charon: 26[IKE] sending end entity cert "C=DE, ST=NRW, L=Aachen, O=example AG, CN=gate1.example.com/emailAddress=security at example.com"
Mar 12 11:55:12 srvl047 charon: 26[IKE] sending issuer cert "C=DE, O=example AG, OU=example Certificate Authority, CN=ws-example-CA"
Mar 12 11:55:12 srvl047 charon: 26[ENC] generating ID_PROT response 0 [ ID CERT CERT SIG ]
Mar 12 11:55:12 srvl047 charon: 26[NET] sending packet: from 10.0.0.17[4500] to 192.168.0.17[60361] (3708 bytes)
Mar 12 11:55:12 srvl047 charon: 26[IKE] activating new tasks
Mar 12 11:55:12 srvl047 charon: 26[IKE]   activating XAUTH task
Mar 12 11:55:12 srvl047 charon: 03[NET] sending packet: from 10.0.0.17[4500] to 192.168.0.17[60361]
Mar 12 11:55:12 srvl047 charon: 26[IKE] Hash => 20 bytes @ 0x7f3e1c0069b0
Mar 12 11:55:12 srvl047 charon: 26[IKE]    0: 41 2B 58 8B BA C5 FD 1D B2 8F CC 78 F0 83 D9 39  A+X........x...9
Mar 12 11:55:12 srvl047 charon: 26[IKE]   16: 16 01 44 94                                      ..D.
Mar 12 11:55:12 srvl047 charon: 26[ENC] generating TRANSACTION request 34192379 [ HASH CPRQ(X_USER X_PWD) ]
Mar 12 11:55:12 srvl047 charon: 26[NET] sending packet: from 10.0.0.17[4500] to 192.168.0.17[60361] (76 bytes)
Mar 12 11:55:12 srvl047 charon: 03[NET] sending packet: from 10.0.0.17[4500] to 192.168.0.17[60361]
Mar 12 11:55:13 srvl047 charon: 02[NET] received packet: from 192.168.0.17[60361] to 10.0.0.17[4500]
Mar 12 11:55:13 srvl047 charon: 02[NET] waiting for data on sockets
Mar 12 11:55:13 srvl047 charon: 20[NET] received packet: from 192.168.0.17[60361] to 10.0.0.17[4500] (300 bytes)
Mar 12 11:55:13 srvl047 charon: 20[ENC] parsed QUICK_MODE request 3495102926 [ HASH SA No ID ID ]
Mar 12 11:55:13 srvl047 charon: 20[IKE] Hash(1) => 20 bytes @ 0x7f3e34010fb0
Mar 12 11:55:13 srvl047 charon: 20[IKE]    0: 49 7A 47 EE F1 2F B4 F7 D2 8A 1D BB DC 8B CC 9F  IzG../..........
Mar 12 11:55:13 srvl047 charon: 20[IKE]   16: C0 D9 32 69                                      ..2i
Mar 12 11:55:13 srvl047 charon: 20[IKE] received quick mode request for unestablished IKE_SA, ignored
Mar 12 11:55:13 srvl047 charon: 20[IKE] IKE_SA CiscoIPSec[178] state change: CONNECTING => DESTROYING