[strongSwan] IKEv1 Phase 1 rekey deletes Phase 2 SA

Sean B sb3957312 at gmail.com
Tue Mar 9 18:06:47 CET 2021


Adding charon_debug.log:
Tue, 2021-03-09, %H:32:09 00[DMN] Starting IKE charon daemon (strongSwan
5.8.4, Linux 5.5.0-kali2-amd64, x86_64)
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'aesni': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'aes': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'rc2': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'sha2': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'sha1': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'md5': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'mgf1': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'random': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'nonce': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'x509': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'revocation': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'constraints': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'pubkey': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'pkcs1': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'pkcs7': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'pkcs8': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'pkcs12': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'pgp': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'dnskey': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'sshkey': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'pem': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'openssl': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'fips-prf': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'gmp': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'agent': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'xcbc': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'hmac': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'gcm': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'drbg': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'attr': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'kernel-netlink': loaded
successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'resolve': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'socket-default': loaded
successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'connmark': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'stroke': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'updown': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'eap-mschapv2': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'xauth-generic': loaded
successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'counters': loaded successfully
Tue, 2021-03-09, %H:32:09 00[KNL] known interfaces and IP addresses:
Tue, 2021-03-09, %H:32:09 00[KNL]   lo
Tue, 2021-03-09, %H:32:09 00[KNL]     127.0.0.1
Tue, 2021-03-09, %H:32:09 00[KNL]     ::1
Tue, 2021-03-09, %H:32:09 00[KNL]   eth0
Tue, 2021-03-09, %H:32:09 00[KNL]     10.100.1.66
Tue, 2021-03-09, %H:32:09 00[KNL]     fe80::7ddb:e857:c734:34bf
Tue, 2021-03-09, %H:32:09 00[KNL]     fe80::435e:56e6:3941:5794
Tue, 2021-03-09, %H:32:09 00[KNL]     fe80::e8af:3339:4054:be35
Tue, 2021-03-09, %H:32:09 00[KNL]   eth1
Tue, 2021-03-09, %H:32:09 00[KNL]     192.19.22.10
Tue, 2021-03-09, %H:32:09 00[KNL]     fe80::4d93:72c5:862e:b87f
Tue, 2021-03-09, %H:32:09 00[KNL]   ciscogl
Tue, 2021-03-09, %H:32:09 00[KNL]     172.19.22.10
Tue, 2021-03-09, %H:32:09 00[KNL]     fe80::ac43:a10d:f6a4:d424
Tue, 2021-03-09, %H:32:09 00[KNL]   docker0
Tue, 2021-03-09, %H:32:09 00[KNL]     172.17.0.1
Tue, 2021-03-09, %H:32:09 00[LIB] feature PUBKEY:BLISS in plugin 'pem' has
unmet dependency: PUBKEY:BLISS
Tue, 2021-03-09, %H:32:09 00[LIB] feature PUBKEY:DSA in plugin 'pem' has
unmet dependency: PUBKEY:DSA
Tue, 2021-03-09, %H:32:09 00[LIB] feature PRIVKEY:DSA in plugin 'pem' has
unmet dependency: PRIVKEY:DSA
Tue, 2021-03-09, %H:32:09 00[LIB] feature PRIVKEY:BLISS in plugin 'pem' has
unmet dependency: PRIVKEY:BLISS
Tue, 2021-03-09, %H:32:09 00[LIB] feature CERT_DECODE:OCSP_REQUEST in
plugin 'pem' has unmet dependency: CERT_DECODE:OCSP_REQUEST
Tue, 2021-03-09, %H:32:09 00[CFG] loading ca certificates from
'/etc/ipsec.d/cacerts'
Tue, 2021-03-09, %H:32:09 00[CFG]   loaded ca certificate "C=CA, CN=Root
CA, ST=ON, L=Ottawa, O=Lightship Security, OU=CC1903" from
'/etc/ipsec.d/cacerts/ca.cert.pem'
Tue, 2021-03-09, %H:32:09 00[CFG] loading aa certificates from
'/etc/ipsec.d/aacerts'
Tue, 2021-03-09, %H:32:09 00[CFG] loading ocsp signer certificates from
'/etc/ipsec.d/ocspcerts'
Tue, 2021-03-09, %H:32:09 00[CFG] loading attribute certificates from
'/etc/ipsec.d/acerts'
Tue, 2021-03-09, %H:32:09 00[CFG] loading crls from '/etc/ipsec.d/crls'
Tue, 2021-03-09, %H:32:09 00[CFG] loading secrets from '/etc/ipsec.secrets'
Tue, 2021-03-09, %H:32:09 00[CFG] expanding file expression
'/var/lib/strongswan/ipsec.secrets.inc' failed
Tue, 2021-03-09, %H:32:09 00[CFG]   loaded IKE secret for %any
Tue, 2021-03-09, %H:32:09 00[LIB] loaded plugins: charon aesni aes rc2 sha2
sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7
pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm
drbg attr kernel-netlink resolve socket-default connmark stroke updown
eap-mschapv2 xauth-generic counters
Tue, 2021-03-09, %H:32:09 00[LIB] unable to load 5 plugin features (5 due
to unmet dependencies)
Tue, 2021-03-09, %H:32:09 00[LIB] dropped capabilities, running as uid 0,
gid 0
Tue, 2021-03-09, %H:32:09 00[JOB] spawning 16 worker threads
Tue, 2021-03-09, %H:32:09 01[LIB] created thread 01 [25657]
Tue, 2021-03-09, %H:32:09 02[LIB] created thread 02 [25658]
Tue, 2021-03-09, %H:32:09 03[LIB] created thread 03 [25656]
Tue, 2021-03-09, %H:32:09 04[LIB] created thread 04 [25659]
Tue, 2021-03-09, %H:32:09 05[LIB] created thread 05 [25660]
Tue, 2021-03-09, %H:32:09 06[LIB] created thread 06 [25655]
Tue, 2021-03-09, %H:32:09 07[LIB] created thread 07 [25661]
Tue, 2021-03-09, %H:32:09 08[LIB] created thread 08 [25662]
Tue, 2021-03-09, %H:32:09 09[LIB] created thread 09 [25654]
Tue, 2021-03-09, %H:32:09 10[LIB] created thread 10 [25663]
Tue, 2021-03-09, %H:32:09 11[LIB] created thread 11 [25664]
Tue, 2021-03-09, %H:32:09 12[LIB] created thread 12 [25665]
Tue, 2021-03-09, %H:32:09 13[LIB] created thread 13 [25666]
Tue, 2021-03-09, %H:32:09 14[LIB] created thread 14 [25653]
Tue, 2021-03-09, %H:32:09 15[LIB] created thread 15 [25667]
Tue, 2021-03-09, %H:32:09 16[LIB] created thread 16 [25652]
Tue, 2021-03-09, %H:32:09 05[CFG] received stroke: add connection 'VPNPeer'
Tue, 2021-03-09, %H:32:09 05[CFG] conn VPNPeer
Tue, 2021-03-09, %H:32:09 05[CFG]   left=192.19.22.10
Tue, 2021-03-09, %H:32:09 05[CFG]   leftauth=psk
Tue, 2021-03-09, %H:32:09 05[CFG]   leftupdown=ipsec _updown iptables
Tue, 2021-03-09, %H:32:09 05[CFG]   right=192.19.22.1
Tue, 2021-03-09, %H:32:09 05[CFG]   rightauth=psk
Tue, 2021-03-09, %H:32:09 05[CFG]   ike=aes256-sha1-modp2048 !
Tue, 2021-03-09, %H:32:09 05[CFG]   esp=aes128-sha1-modp2048 !
Tue, 2021-03-09, %H:32:09 05[CFG]   dpddelay=30
Tue, 2021-03-09, %H:32:09 05[CFG]   dpdtimeout=150
Tue, 2021-03-09, %H:32:09 05[CFG]   sha256_96=no
Tue, 2021-03-09, %H:32:09 05[CFG]   mediation=no
Tue, 2021-03-09, %H:32:09 05[CFG]   keyexchange=ikev1
Tue, 2021-03-09, %H:32:09 05[KNL] 192.19.22.1 is not a local address or the
interface is down
Tue, 2021-03-09, %H:32:09 05[CFG] added configuration 'VPNPeer'
Tue, 2021-03-09, %H:32:17 07[NET] <1> received packet: from
192.19.22.1[500] to 192.19.22.10[500] (244 bytes)
Tue, 2021-03-09, %H:32:17 07[ENC] <1> parsed ID_PROT request 0 [ SA V V V V
]
Tue, 2021-03-09, %H:32:17 07[CFG] <1> looking for an IKEv1 config for
192.19.22.10...192.19.22.1
Tue, 2021-03-09, %H:32:17 07[CFG] <1>   candidate:
192.19.22.10...192.19.22.1, prio 3100
Tue, 2021-03-09, %H:32:17 07[CFG] <1> found matching ike config:
192.19.22.10...192.19.22.1 with prio 3100
Tue, 2021-03-09, %H:32:17 07[IKE] <1> received NAT-T (RFC 3947) vendor ID
Tue, 2021-03-09, %H:32:17 07[IKE] <1> received
draft-ietf-ipsec-nat-t-ike-07 vendor ID
Tue, 2021-03-09, %H:32:17 07[IKE] <1> received
draft-ietf-ipsec-nat-t-ike-03 vendor ID
Tue, 2021-03-09, %H:32:17 07[IKE] <1> received
draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Tue, 2021-03-09, %H:32:17 07[IKE] <1> 192.19.22.1 is initiating a Main Mode
IKE_SA
Tue, 2021-03-09, %H:32:17 07[IKE] <1> IKE_SA (unnamed)[1] state change:
CREATED => CONNECTING
Tue, 2021-03-09, %H:32:17 07[CFG] <1> selecting proposal:
Tue, 2021-03-09, %H:32:17 07[CFG] <1>   proposal matches
Tue, 2021-03-09, %H:32:17 07[CFG] <1> received proposals:
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Tue, 2021-03-09, %H:32:17 07[CFG] <1> configured proposals:
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Tue, 2021-03-09, %H:32:17 07[CFG] <1> selected proposal:
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Tue, 2021-03-09, %H:32:17 07[IKE] <1> sending XAuth vendor ID
Tue, 2021-03-09, %H:32:17 07[IKE] <1> sending DPD vendor ID
Tue, 2021-03-09, %H:32:17 07[IKE] <1> sending NAT-T (RFC 3947) vendor ID
Tue, 2021-03-09, %H:32:17 07[ENC] <1> generating ID_PROT response 0 [ SA V
V V ]
Tue, 2021-03-09, %H:32:17 07[NET] <1> sending packet: from
192.19.22.10[500] to 192.19.22.1[500] (136 bytes)
Tue, 2021-03-09, %H:32:17 08[NET] <1> received packet: from
192.19.22.1[500] to 192.19.22.10[500] (412 bytes)
Tue, 2021-03-09, %H:32:17 08[ENC] <1> parsed ID_PROT request 0 [ KE No V V
V NAT-D NAT-D ]
Tue, 2021-03-09, %H:32:17 08[IKE] <1> received DPD vendor ID
Tue, 2021-03-09, %H:32:17 08[ENC] <1> received unknown vendor ID:
10:f9:6f:0a:50:a5:1b:9c:da:5b:9b:ec:f8:f8:1e:3e
Tue, 2021-03-09, %H:32:17 08[IKE] <1> received XAuth vendor ID
Tue, 2021-03-09, %H:32:17 08[LIB] <1> size of DH secret exponent: 2047 bits
Tue, 2021-03-09, %H:32:17 08[CFG] <1>   candidate "VPNPeer", match:
1/1/3100 (me/other/ike)
Tue, 2021-03-09, %H:32:17 08[ENC] <1> generating ID_PROT response 0 [ KE No
NAT-D NAT-D ]
Tue, 2021-03-09, %H:32:17 08[NET] <1> sending packet: from
192.19.22.10[500] to 192.19.22.1[500] (372 bytes)
Tue, 2021-03-09, %H:32:17 09[NET] <1> received packet: from
192.19.22.1[500] to 192.19.22.10[500] (108 bytes)
Tue, 2021-03-09, %H:32:17 09[ENC] <1> parsed ID_PROT request 0 [ ID HASH
N(INITIAL_CONTACT) ]
Tue, 2021-03-09, %H:32:17 09[CFG] <1> looking for pre-shared key peer
configs matching 192.19.22.10...192.19.22.1[192.19.22.1]
Tue, 2021-03-09, %H:32:17 09[CFG] <1>   candidate "VPNPeer", match:
1/20/3100 (me/other/ike)
Tue, 2021-03-09, %H:32:17 09[CFG] <1> selected peer config "VPNPeer"
Tue, 2021-03-09, %H:32:17 09[IKE] <VPNPeer|1> IKE_SA VPNPeer[1] established
between 192.19.22.10[192.19.22.10]...192.19.22.1[192.19.22.1]
Tue, 2021-03-09, %H:32:17 09[IKE] <VPNPeer|1> IKE_SA VPNPeer[1] state
change: CONNECTING => ESTABLISHED
Tue, 2021-03-09, %H:32:17 09[IKE] <VPNPeer|1> scheduling reauthentication
in 86400s
Tue, 2021-03-09, %H:32:17 09[IKE] <VPNPeer|1> maximum IKE_SA lifetime 86400s
Tue, 2021-03-09, %H:32:17 09[ENC] <VPNPeer|1> generating ID_PROT response 0
[ ID HASH ]
Tue, 2021-03-09, %H:32:17 09[NET] <VPNPeer|1> sending packet: from
192.19.22.10[500] to 192.19.22.1[500] (76 bytes)
Tue, 2021-03-09, %H:32:17 11[NET] <VPNPeer|1> received packet: from
192.19.22.1[500] to 192.19.22.10[500] (444 bytes)
Tue, 2021-03-09, %H:32:17 11[ENC] <VPNPeer|1> parsed QUICK_MODE request
256501508 [ HASH SA No KE ID ID ]
Tue, 2021-03-09, %H:32:17 11[CFG] <VPNPeer|1> looking for a child config
for 192.19.22.10/32 === 192.19.22.1/32
Tue, 2021-03-09, %H:32:17 11[CFG] <VPNPeer|1> proposing traffic selectors
for us:
Tue, 2021-03-09, %H:32:17 11[CFG] <VPNPeer|1>  192.19.22.10/32
Tue, 2021-03-09, %H:32:17 11[CFG] <VPNPeer|1> proposing traffic selectors
for other:
Tue, 2021-03-09, %H:32:17 11[CFG] <VPNPeer|1>  192.19.22.1/32
Tue, 2021-03-09, %H:32:17 11[CFG] <VPNPeer|1>   candidate "VPNPeer" with
prio 5+5
Tue, 2021-03-09, %H:32:17 11[CFG] <VPNPeer|1> found matching child config
"VPNPeer" with prio 10
Tue, 2021-03-09, %H:32:17 11[CFG] <VPNPeer|1> selecting traffic selectors
for other:
Tue, 2021-03-09, %H:32:17 11[CFG] <VPNPeer|1>  config: 192.19.22.1/32,
received: 192.19.22.1/32 => match: 192.19.22.1/32
Tue, 2021-03-09, %H:32:17 11[CFG] <VPNPeer|1> selecting traffic selectors
for us:
Tue, 2021-03-09, %H:32:17 11[CFG] <VPNPeer|1>  config: 192.19.22.10/32,
received: 192.19.22.10/32 => match: 192.19.22.10/32
Tue, 2021-03-09, %H:32:17 11[CFG] <VPNPeer|1> selecting proposal:
Tue, 2021-03-09, %H:32:17 11[CFG] <VPNPeer|1>   proposal matches
Tue, 2021-03-09, %H:32:17 11[CFG] <VPNPeer|1> received proposals:
ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ
Tue, 2021-03-09, %H:32:17 11[CFG] <VPNPeer|1> configured proposals:
ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ
Tue, 2021-03-09, %H:32:17 11[CFG] <VPNPeer|1> selected proposal:
ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ
Tue, 2021-03-09, %H:32:17 11[IKE] <VPNPeer|1> received 1000000000
lifebytes, configured 0
Tue, 2021-03-09, %H:32:17 11[LIB] <VPNPeer|1> size of DH secret exponent:
2047 bits
Tue, 2021-03-09, %H:32:17 11[KNL] <VPNPeer|1> got SPI c8bf9eca
Tue, 2021-03-09, %H:32:17 11[ENC] <VPNPeer|1> generating QUICK_MODE
response 256501508 [ HASH SA No KE ID ID ]
Tue, 2021-03-09, %H:32:17 11[NET] <VPNPeer|1> sending packet: from
192.19.22.10[500] to 192.19.22.1[500] (444 bytes)
Tue, 2021-03-09, %H:32:17 12[NET] <VPNPeer|1> received packet: from
192.19.22.1[500] to 192.19.22.10[500] (60 bytes)
Tue, 2021-03-09, %H:32:17 12[ENC] <VPNPeer|1> parsed QUICK_MODE request
256501508 [ HASH ]
Tue, 2021-03-09, %H:32:17 12[CHD] <VPNPeer|1> CHILD_SA VPNPeer{1} state
change: CREATED => INSTALLING
Tue, 2021-03-09, %H:32:17 12[CHD] <VPNPeer|1>   using AES_CBC for encryption
Tue, 2021-03-09, %H:32:17 12[CHD] <VPNPeer|1>   using HMAC_SHA1_96 for
integrity
Tue, 2021-03-09, %H:32:17 12[CHD] <VPNPeer|1> adding inbound ESP SA
Tue, 2021-03-09, %H:32:17 12[CHD] <VPNPeer|1>   SPI 0xc8bf9eca, src
192.19.22.1 dst 192.19.22.10
Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> adding SAD entry with SPI
c8bf9eca and reqid {1}
Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1>   using encryption algorithm
AES_CBC with key size 128
Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1>   using integrity algorithm
HMAC_SHA1_96 with key size 160
Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1>   using replay window of 32
packets
Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1>   HW offload: no
Tue, 2021-03-09, %H:32:17 12[CHD] <VPNPeer|1> adding outbound ESP SA
Tue, 2021-03-09, %H:32:17 12[CHD] <VPNPeer|1>   SPI 0x2d5a8f29, src
192.19.22.10 dst 192.19.22.1
Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> adding SAD entry with SPI
2d5a8f29 and reqid {1}
Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1>   using encryption algorithm
AES_CBC with key size 128
Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1>   using integrity algorithm
HMAC_SHA1_96 with key size 160
Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1>   using replay window of 0
packets
Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1>   HW offload: no
Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> adding policy 192.19.22.1/32
=== 192.19.22.10/32 in [priority 367231, refcount 1]
Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> adding policy 192.19.22.1/32
=== 192.19.22.10/32 fwd [priority 367231, refcount 1]
Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> adding policy 192.19.22.10/32
=== 192.19.22.1/32 out [priority 367231, refcount 1]
Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> getting a local address in
traffic selector 192.19.22.10/32
Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> using host 192.19.22.10
Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> getting iface name for index 3
Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> using 192.19.22.1 as nexthop
and eth1 as dev to reach 192.19.22.1/32
Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> installing route:
192.19.22.1/32 via 192.19.22.1 src 192.19.22.10 dev eth1
Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> getting iface index for eth1
Tue, 2021-03-09, %H:32:17 12[IKE] <VPNPeer|1> CHILD_SA VPNPeer{1}
established with SPIs c8bf9eca_i 2d5a8f29_o and TS 192.19.22.10/32 ===
192.19.22.1/32
Tue, 2021-03-09, %H:32:17 12[CHD] <VPNPeer|1> CHILD_SA VPNPeer{1} state
change: INSTALLING => INSTALLED
Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> getting iface name for index 3
Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> using 192.19.22.1 as nexthop
and eth1 as dev to reach 192.19.22.1/32
Tue, 2021-03-09, %H:32:28 15[KNL] <VPNPeer|1> querying SAD entry with SPI
c8bf9eca
Tue, 2021-03-09, %H:32:28 15[KNL] <VPNPeer|1> querying policy 192.19.22.1/32
=== 192.19.22.10/32 in
Tue, 2021-03-09, %H:32:28 15[KNL] <VPNPeer|1> querying policy 192.19.22.1/32
=== 192.19.22.10/32 fwd
Tue, 2021-03-09, %H:32:28 15[KNL] <VPNPeer|1> querying SAD entry with SPI
2d5a8f29
Tue, 2021-03-09, %H:32:28 15[KNL] <VPNPeer|1> querying policy
192.19.22.10/32 === 192.19.22.1/32 out
Tue, 2021-03-09, %H:37:17 05[NET] <VPNPeer|1> received packet: from
192.19.22.1[500] to 192.19.22.10[500] (92 bytes)
Tue, 2021-03-09, %H:37:17 05[ENC] <VPNPeer|1> parsed INFORMATIONAL_V1
request 3632002282 [ HASH N(DPD) ]
Tue, 2021-03-09, %H:37:17 05[IKE] <VPNPeer|1> queueing ISAKMP_DPD task
Tue, 2021-03-09, %H:37:17 05[IKE] <VPNPeer|1> activating new tasks
Tue, 2021-03-09, %H:37:17 05[IKE] <VPNPeer|1>   activating ISAKMP_DPD task
Tue, 2021-03-09, %H:37:17 05[ENC] <VPNPeer|1> generating INFORMATIONAL_V1
request 840089277 [ HASH N(DPD_ACK) ]
Tue, 2021-03-09, %H:37:17 05[NET] <VPNPeer|1> sending packet: from
192.19.22.10[500] to 192.19.22.1[500] (92 bytes)
Tue, 2021-03-09, %H:37:17 05[IKE] <VPNPeer|1> activating new tasks
Tue, 2021-03-09, %H:37:17 05[IKE] <VPNPeer|1> nothing to initiate
Tue, 2021-03-09, %H:38:37 07[NET] <VPNPeer|1> received packet: from
192.19.22.1[500] to 192.19.22.10[500] (92 bytes)
Tue, 2021-03-09, %H:38:37 07[ENC] <VPNPeer|1> parsed INFORMATIONAL_V1
request 2900110358 [ HASH D ]
Tue, 2021-03-09, %H:38:37 07[IKE] <VPNPeer|1> received DELETE for IKE_SA
VPNPeer[1]
Tue, 2021-03-09, %H:38:37 07[IKE] <VPNPeer|1> deleting IKE_SA VPNPeer[1]
between 192.19.22.10[192.19.22.10]...192.19.22.1[192.19.22.1]
Tue, 2021-03-09, %H:38:37 07[IKE] <VPNPeer|1> IKE_SA VPNPeer[1] state
change: ESTABLISHED => DELETING
Tue, 2021-03-09, %H:38:37 07[IKE] <VPNPeer|1> IKE_SA VPNPeer[1] state
change: DELETING => DELETING
Tue, 2021-03-09, %H:38:37 08[NET] <2> received packet: from
192.19.22.1[500] to 192.19.22.10[500] (244 bytes)
Tue, 2021-03-09, %H:38:37 07[IKE] <VPNPeer|1> IKE_SA VPNPeer[1] state
change: DELETING => DESTROYING
Tue, 2021-03-09, %H:38:37 07[CHD] <VPNPeer|1> CHILD_SA VPNPeer{1} state
change: INSTALLED => DESTROYING
Tue, 2021-03-09, %H:38:37 07[KNL] <VPNPeer|1> deleting policy
192.19.22.10/32 === 192.19.22.1/32 out
Tue, 2021-03-09, %H:38:37 07[KNL] <VPNPeer|1> deleting policy 192.19.22.1/32
=== 192.19.22.10/32 in
Tue, 2021-03-09, %H:38:37 07[KNL] <VPNPeer|1> deleting policy 192.19.22.1/32
=== 192.19.22.10/32 fwd
Tue, 2021-03-09, %H:38:37 07[KNL] <VPNPeer|1> deleting SAD entry with SPI
c8bf9eca
Tue, 2021-03-09, %H:38:37 07[KNL] <VPNPeer|1> deleted SAD entry with SPI
c8bf9eca
Tue, 2021-03-09, %H:38:37 07[KNL] <VPNPeer|1> deleting SAD entry with SPI
2d5a8f29
Tue, 2021-03-09, %H:38:37 07[KNL] <VPNPeer|1> deleted SAD entry with SPI
2d5a8f29
Tue, 2021-03-09, %H:38:37 08[ENC] <2> parsed ID_PROT request 0 [ SA V V V V
]
Tue, 2021-03-09, %H:38:37 08[CFG] <2> looking for an IKEv1 config for
192.19.22.10...192.19.22.1
Tue, 2021-03-09, %H:38:37 08[CFG] <2>   candidate:
192.19.22.10...192.19.22.1, prio 3100
Tue, 2021-03-09, %H:38:37 08[CFG] <2> found matching ike config:
192.19.22.10...192.19.22.1 with prio 3100
Tue, 2021-03-09, %H:38:37 08[IKE] <2> received NAT-T (RFC 3947) vendor ID
Tue, 2021-03-09, %H:38:37 08[IKE] <2> received
draft-ietf-ipsec-nat-t-ike-07 vendor ID
Tue, 2021-03-09, %H:38:37 08[IKE] <2> received
draft-ietf-ipsec-nat-t-ike-03 vendor ID
Tue, 2021-03-09, %H:38:37 08[IKE] <2> received
draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Tue, 2021-03-09, %H:38:37 08[IKE] <2> 192.19.22.1 is initiating a Main Mode
IKE_SA
Tue, 2021-03-09, %H:38:37 08[IKE] <2> IKE_SA (unnamed)[2] state change:
CREATED => CONNECTING
Tue, 2021-03-09, %H:38:37 08[CFG] <2> selecting proposal:
Tue, 2021-03-09, %H:38:37 08[CFG] <2>   proposal matches
Tue, 2021-03-09, %H:38:37 08[CFG] <2> received proposals:
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Tue, 2021-03-09, %H:38:37 08[CFG] <2> configured proposals:
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Tue, 2021-03-09, %H:38:37 08[CFG] <2> selected proposal:
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Tue, 2021-03-09, %H:38:37 08[IKE] <2> sending XAuth vendor ID
Tue, 2021-03-09, %H:38:37 08[IKE] <2> sending DPD vendor ID
Tue, 2021-03-09, %H:38:37 08[IKE] <2> sending NAT-T (RFC 3947) vendor ID
Tue, 2021-03-09, %H:38:37 08[ENC] <2> generating ID_PROT response 0 [ SA V
V V ]
Tue, 2021-03-09, %H:38:37 08[NET] <2> sending packet: from
192.19.22.10[500] to 192.19.22.1[500] (136 bytes)
Tue, 2021-03-09, %H:38:37 09[NET] <2> received packet: from
192.19.22.1[500] to 192.19.22.10[500] (412 bytes)
Tue, 2021-03-09, %H:38:37 09[ENC] <2> parsed ID_PROT request 0 [ KE No V V
V NAT-D NAT-D ]
Tue, 2021-03-09, %H:38:37 09[IKE] <2> received DPD vendor ID
Tue, 2021-03-09, %H:38:37 09[ENC] <2> received unknown vendor ID:
10:f9:6f:0a:02:d3:cc:91:9c:61:7d:60:6f:41:1f:c8
Tue, 2021-03-09, %H:38:37 09[IKE] <2> received XAuth vendor ID
Tue, 2021-03-09, %H:38:37 09[LIB] <2> size of DH secret exponent: 2047 bits
Tue, 2021-03-09, %H:38:37 09[CFG] <2>   candidate "VPNPeer", match:
1/1/3100 (me/other/ike)
Tue, 2021-03-09, %H:38:37 09[ENC] <2> generating ID_PROT response 0 [ KE No
NAT-D NAT-D ]
Tue, 2021-03-09, %H:38:37 09[NET] <2> sending packet: from
192.19.22.10[500] to 192.19.22.1[500] (372 bytes)
Tue, 2021-03-09, %H:38:37 11[NET] <2> received packet: from
192.19.22.1[500] to 192.19.22.10[500] (76 bytes)
Tue, 2021-03-09, %H:38:37 11[ENC] <2> parsed ID_PROT request 0 [ ID HASH ]
Tue, 2021-03-09, %H:38:37 11[CFG] <2> looking for pre-shared key peer
configs matching 192.19.22.10...192.19.22.1[192.19.22.1]
Tue, 2021-03-09, %H:38:37 11[CFG] <2>   candidate "VPNPeer", match:
1/20/3100 (me/other/ike)
Tue, 2021-03-09, %H:38:37 11[CFG] <2> selected peer config "VPNPeer"
Tue, 2021-03-09, %H:38:37 11[IKE] <VPNPeer|2> IKE_SA VPNPeer[2] established
between 192.19.22.10[192.19.22.10]...192.19.22.1[192.19.22.1]
Tue, 2021-03-09, %H:38:37 11[IKE] <VPNPeer|2> IKE_SA VPNPeer[2] state
change: CONNECTING => ESTABLISHED
Tue, 2021-03-09, %H:38:37 11[IKE] <VPNPeer|2> scheduling reauthentication
in 86400s
Tue, 2021-03-09, %H:38:37 11[IKE] <VPNPeer|2> maximum IKE_SA lifetime 86400s
Tue, 2021-03-09, %H:38:37 11[ENC] <VPNPeer|2> generating ID_PROT response 0
[ ID HASH ]
Tue, 2021-03-09, %H:38:37 11[NET] <VPNPeer|2> sending packet: from
192.19.22.10[500] to 192.19.22.1[500] (76 bytes)
Tue, 2021-03-09, %H:39:15 15[CFG] received stroke: terminate 'VPNPeer'
Tue, 2021-03-09, %H:39:15 05[IKE] <VPNPeer|2> queueing ISAKMP_DELETE task
Tue, 2021-03-09, %H:39:15 05[IKE] <VPNPeer|2> activating new tasks
Tue, 2021-03-09, %H:39:15 05[IKE] <VPNPeer|2>   activating ISAKMP_DELETE
task
Tue, 2021-03-09, %H:39:15 05[IKE] <VPNPeer|2> deleting IKE_SA VPNPeer[2]
between 192.19.22.10[192.19.22.10]...192.19.22.1[192.19.22.1]
Tue, 2021-03-09, %H:39:15 05[IKE] <VPNPeer|2> sending DELETE for IKE_SA
VPNPeer[2]
Tue, 2021-03-09, %H:39:15 05[IKE] <VPNPeer|2> IKE_SA VPNPeer[2] state
change: ESTABLISHED => DELETING
Tue, 2021-03-09, %H:39:15 05[ENC] <VPNPeer|2> generating INFORMATIONAL_V1
request 1114736905 [ HASH D ]
Tue, 2021-03-09, %H:39:15 05[NET] <VPNPeer|2> sending packet: from
192.19.22.10[500] to 192.19.22.1[500] (92 bytes)
Tue, 2021-03-09, %H:39:15 05[IKE] <VPNPeer|2> IKE_SA VPNPeer[2] state
change: DELETING => DESTROYING
Tue, 2021-03-09, %H:39:15 07[NET] <3> received packet: from
192.19.22.1[500] to 192.19.22.10[500] (244 bytes)
Tue, 2021-03-09, %H:39:15 07[ENC] <3> parsed ID_PROT request 0 [ SA V V V V
]
Tue, 2021-03-09, %H:39:15 07[CFG] <3> looking for an IKEv1 config for
192.19.22.10...192.19.22.1
Tue, 2021-03-09, %H:39:15 07[CFG] <3>   candidate:
192.19.22.10...192.19.22.1, prio 3100
Tue, 2021-03-09, %H:39:15 07[CFG] <3> found matching ike config:
192.19.22.10...192.19.22.1 with prio 3100
Tue, 2021-03-09, %H:39:15 07[IKE] <3> received NAT-T (RFC 3947) vendor ID
Tue, 2021-03-09, %H:39:15 07[IKE] <3> received
draft-ietf-ipsec-nat-t-ike-07 vendor ID
Tue, 2021-03-09, %H:39:15 07[IKE] <3> received
draft-ietf-ipsec-nat-t-ike-03 vendor ID
Tue, 2021-03-09, %H:39:15 07[IKE] <3> received
draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Tue, 2021-03-09, %H:39:15 07[IKE] <3> 192.19.22.1 is initiating a Main Mode
IKE_SA
Tue, 2021-03-09, %H:39:15 07[IKE] <3> IKE_SA (unnamed)[3] state change:
CREATED => CONNECTING
Tue, 2021-03-09, %H:39:15 07[CFG] <3> selecting proposal:
Tue, 2021-03-09, %H:39:15 07[CFG] <3>   proposal matches
Tue, 2021-03-09, %H:39:15 07[CFG] <3> received proposals:
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Tue, 2021-03-09, %H:39:15 07[CFG] <3> configured proposals:
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Tue, 2021-03-09, %H:39:15 07[CFG] <3> selected proposal:
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Tue, 2021-03-09, %H:39:15 07[IKE] <3> sending XAuth vendor ID
Tue, 2021-03-09, %H:39:15 07[IKE] <3> sending DPD vendor ID
Tue, 2021-03-09, %H:39:15 07[IKE] <3> sending NAT-T (RFC 3947) vendor ID
Tue, 2021-03-09, %H:39:15 07[ENC] <3> generating ID_PROT response 0 [ SA V
V V ]
Tue, 2021-03-09, %H:39:15 07[NET] <3> sending packet: from
192.19.22.10[500] to 192.19.22.1[500] (136 bytes)
Tue, 2021-03-09, %H:39:15 08[NET] <3> received packet: from
192.19.22.1[500] to 192.19.22.10[500] (412 bytes)
Tue, 2021-03-09, %H:39:15 08[ENC] <3> parsed ID_PROT request 0 [ KE No V V
V NAT-D NAT-D ]
Tue, 2021-03-09, %H:39:15 08[IKE] <3> received DPD vendor ID
Tue, 2021-03-09, %H:39:15 08[ENC] <3> received unknown vendor ID:
10:f9:6f:0a:d5:5e:d6:1c:e6:59:75:2b:e7:46:d2:a4
Tue, 2021-03-09, %H:39:15 08[IKE] <3> received XAuth vendor ID
Tue, 2021-03-09, %H:39:15 08[LIB] <3> size of DH secret exponent: 2047 bits
Tue, 2021-03-09, %H:39:15 08[CFG] <3>   candidate "VPNPeer", match:
1/1/3100 (me/other/ike)
Tue, 2021-03-09, %H:39:15 08[ENC] <3> generating ID_PROT response 0 [ KE No
NAT-D NAT-D ]
Tue, 2021-03-09, %H:39:15 08[NET] <3> sending packet: from
192.19.22.10[500] to 192.19.22.1[500] (372 bytes)
Tue, 2021-03-09, %H:39:15 09[NET] <3> received packet: from
192.19.22.1[500] to 192.19.22.10[500] (76 bytes)
Tue, 2021-03-09, %H:39:15 09[ENC] <3> parsed ID_PROT request 0 [ ID HASH ]
Tue, 2021-03-09, %H:39:15 09[CFG] <3> looking for pre-shared key peer
configs matching 192.19.22.10...192.19.22.1[192.19.22.1]
Tue, 2021-03-09, %H:39:15 09[CFG] <3>   candidate "VPNPeer", match:
1/20/3100 (me/other/ike)
Tue, 2021-03-09, %H:39:15 09[CFG] <3> selected peer config "VPNPeer"
Tue, 2021-03-09, %H:39:15 09[IKE] <VPNPeer|3> IKE_SA VPNPeer[3] established
between 192.19.22.10[192.19.22.10]...192.19.22.1[192.19.22.1]
Tue, 2021-03-09, %H:39:15 09[IKE] <VPNPeer|3> IKE_SA VPNPeer[3] state
change: CONNECTING => ESTABLISHED
Tue, 2021-03-09, %H:39:15 09[IKE] <VPNPeer|3> scheduling reauthentication
in 86400s
Tue, 2021-03-09, %H:39:15 09[IKE] <VPNPeer|3> maximum IKE_SA lifetime 86400s
Tue, 2021-03-09, %H:39:15 09[ENC] <VPNPeer|3> generating ID_PROT response 0
[ ID HASH ]
Tue, 2021-03-09, %H:39:15 09[NET] <VPNPeer|3> sending packet: from
192.19.22.10[500] to 192.19.22.1[500] (76 bytes)
Tue, 2021-03-09, %H:39:17 00[DMN] signal of type SIGINT received. Shutting
down
Tue, 2021-03-09, %H:39:17 00[IKE] <VPNPeer|3> queueing ISAKMP_DELETE task
Tue, 2021-03-09, %H:39:17 00[IKE] <VPNPeer|3> activating new tasks
Tue, 2021-03-09, %H:39:17 00[IKE] <VPNPeer|3>   activating ISAKMP_DELETE
task
Tue, 2021-03-09, %H:39:17 00[IKE] <VPNPeer|3> deleting IKE_SA VPNPeer[3]
between 192.19.22.10[192.19.22.10]...192.19.22.1[192.19.22.1]
Tue, 2021-03-09, %H:39:17 00[IKE] <VPNPeer|3> sending DELETE for IKE_SA
VPNPeer[3]
Tue, 2021-03-09, %H:39:17 00[IKE] <VPNPeer|3> IKE_SA VPNPeer[3] state
change: ESTABLISHED => DELETING
Tue, 2021-03-09, %H:39:17 00[ENC] <VPNPeer|3> generating INFORMATIONAL_V1
request 590983238 [ HASH D ]
Tue, 2021-03-09, %H:39:17 00[NET] <VPNPeer|3> sending packet: from
192.19.22.10[500] to 192.19.22.1[500] (92 bytes)
Tue, 2021-03-09, %H:39:17 00[IKE] <VPNPeer|3> IKE_SA VPNPeer[3] state
change: DELETING => DESTROYING


>
> Message: 1
> Date: Tue, 9 Mar 2021 11:50:44 -0500
> From: Sean B <sb3957312 at gmail.com>
> To: users at lists.strongswan.org
> Subject: [strongSwan] IKEv1 Phase 1 rekey deletes Phase 2 SAs
> Message-ID: <CA+c0=jf_1QpkV9HTx_QLNyDoHSsFq2eWkN7SDwMEfVSciTEVrg at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi Strongswan-users,
>
> I have a set up that requires IKEv1 and I'm running into a problem when the
> IKEv1 Phase 1 (IKE SA) rekeys.  Phase 1 appears to rekey correctly, but
> deletes the Phase 2 SAs.
> Based on the following website, IPsec SAs are supposed to be adopted by the
> new IKE SA and not recreated:
> https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey
> *"IKEv1* SAs are also rekeyed/reauthenticated using a make-before-break
> scheme, however, only the IKE SA is affected. IPsec SAs are adopted by the
> new IKE SA and not recreated."
>
> In this setup the Strongswan (192.19.22.10) is configured as the Responder
> and a Cisco IOS (192.19.22.1) device as the Initiator.
> The initial connection is established, and the traffic is sent ESP
> encapsulated.  The initiator attempts to rekey the IKE SA, and appears to
> succeed.
> Both the Initiator and the Responder are shown with the new IKE SA SPIs,
> but during the IKE SA rekey Strongswan deletes the SAD entries for the
> IPsec SAs.
>
> Can someone please assist with troubleshooting this issue?
> I am unable to determine if this is due to a configuration with the
> connections in ipsec.conf, a setting in charon.conf, or if this is an issue
> with how Cisco IOS attempts to rekey IKE SAs.
> Cisco appears to be sending a DELETE message as per
> https://tools.ietf.org/html/draft-jenkins-ipsec-rekeying-06#section-3.2.
>
> I've included the 'ipsec statusall' outputs, ipsec.conf, and
> charon_debug.log
> (I've added charon_debug.log as an attachment, would it have been better to
> copy and paste into the body of the email?)
> #####
> # ipsec.conf - strongSwan IPsec configuration file
>
> # basic configuration
> config setup
>     # strictcrlpolicy=yes
>     # uniqueids = no
>
> # Add connections here.
> conn VPNPeer
>         leftfirewall=yes
>         keyexchange=ikev1
>
>         # Phase 1 settings
>         ikelifetime=24h
>         margintime=0
>         rekeyfuzz=0%
>         lifetime=8h
>         ike=aes256-sha1-modp2048 !
>
>         # Phase 2
>         esp=aes128-sha1-modp2048 !
>
>         left=192.19.22.10
>         right=192.19.22.1
>
>         authby=psk
>
>         type=tunnel
>
>         auto=add
>
>         # Rekeying
>         #rekey=no
>
> include /var/lib/strongswan/ipsec.conf.inc
>
>
> #####
> Here are the results from 'ipsec statusall':
> Initial connection:
> #ipsec statusall
>
> Status of IKE charon daemon (weakSwan 5.8.4, Linux 5.5.0-kali2-amd64,
> x86_64):
>   uptime: 20 seconds, since Mar 09 13:32:08 2021
>   malloc: sbrk 1622016, mmap 0, used 610688, free 1011328
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
> scheduled: 3
>   loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509
> revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey
> pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink
> resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic
> counters
>
> Listening IP addresses:
>   192.19.22.10
>   172.19.22.10
>   172.17.0.1
> Connections:
>      VPNPeer:  192.19.22.10...192.19.22.1  IKEv1
>      VPNPeer:   local:  [192.19.22.10] uses pre-shared key authentication
>      VPNPeer:   remote: [192.19.22.1] uses pre-shared key authentication
>      VPNPeer:   child:  dynamic === dynamic TUNNEL
>
> Security Associations (1 up, 0 connecting):
>      VPNPeer[1]: ESTABLISHED 11 seconds ago,
> 192.19.22.10[192.19.22.10]...192.19.22.1[192.19.22.1]
>      VPNPeer[1]: IKEv1 SPIs: e53ec81750a41b9c_i 84f72669eb1b150b_r*,
> pre-shared key reauthentication in 23 hours
>      VPNPeer[1]: IKE proposal:
> AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>      VPNPeer{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c8bf9eca_i
> 2d5a8f29_o
>      VPNPeer{1}:  AES_CBC_128/HMAC_SHA1_96/MODP_2048, 400 bytes_i (4 pkts,
> 9s ago), 400 bytes_o (4 pkts, 9s ago), rekeying in 7 hours
>      VPNPeer{1}:   192.19.22.10/32 === 192.19.22.1/32
>
>
>
> After IKE Phase 1 rekey:
> #ipsec statusall
>
> Status of IKE charon daemon (weakSwan 5.8.4, Linux 5.5.0-kali2-amd64,
> x86_64):
>   uptime: 6 minutes, since Mar 09 13:32:08 2021
>   malloc: sbrk 1622016, mmap 0, used 640656, free 981360
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
> scheduled: 5
>   loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509
> revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey
> pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink
> resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic
> counters
>
> Listening IP addresses:
>   192.19.22.10
>   172.19.22.10
>   172.17.0.1
> Connections:
>      VPNPeer:  192.19.22.10...192.19.22.1  IKEv1
>      VPNPeer:   local:  [192.19.22.10] uses pre-shared key authentication
>      VPNPeer:   remote: [192.19.22.1] uses pre-shared key authentication
>      VPNPeer:   child:  dynamic === dynamic TUNNEL
>
> Security Associations (1 up, 0 connecting):
>      VPNPeer[2]: ESTABLISHED 9 seconds ago,
> 192.19.22.10[192.19.22.10]...192.19.22.1[192.19.22.1]
>      VPNPeer[2]: IKEv1 SPIs: e53ec81702d2cc91_i 47da289647a60462_r*,
> pre-shared key reauthentication in 23 hours
>      VPNPeer[2]: IKE proposal:
> AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>
> #####
> # charon_debug.log - attached.
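Added worked example (not code from the original post, and not strongSwan's own tooling): a small Python checker that replays the charon log posted above and tests the expectation quoted from the ExpiryRekey wiki page, namely that an IKEv1 IKE_SA rekey is make-before-break and the IPsec SAs are adopted rather than recreated. It tracks IKE_SA and CHILD_SA state changes and flags a peer-sent DELETE for an IKE_SA that still owns INSTALLED CHILD_SAs at a moment when no other ESTABLISHED IKE_SA exists that could adopt them. The sample log is a constructed excerpt of the posted charon_debug.log (the relevant lines only, unwrapped; the literal "%H" in the timestamps is kept as it appears in the post). On that excerpt the checker reports exactly what the log shows: the DELETE for VPNPeer[1] arrives and VPNPeer{1} is destroyed before VPNPeer[2] reaches ESTABLISHED, and VPNPeer[2] then ends up with no CHILD_SA, which matches the second 'ipsec statusall' output. It does not decide whether the Cisco side or the strongSwan configuration is at fault.

```python
"""Timeline check for IKEv1 IKE_SA deletes in a strongSwan charon log.

Tracks IKE_SA / CHILD_SA state changes and flags a peer-sent DELETE for an
IKE_SA that still owns INSTALLED CHILD_SAs at a moment when no other
ESTABLISHED IKE_SA exists that could adopt them (i.e. the rekey was not
make-before-break from this responder's point of view).
"""
import re
from collections import defaultdict

# charon log line: "<date tokens> <thread>[GROUP] <ctx> message"; ctx is
# "<n>" before the IKE_SA is named and "<conn|n>" afterwards, and absent on
# daemon-level lines.  The date part tolerates the literal "%H" left by an
# unexpanded filelog time_format in the posted log.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) (?P<thread>\d+)\[(?P<group>[A-Z]+)\] "
    r"(?:<(?P<ctx>[^>]*)> )?(?P<msg>.*)$"
)
IKE_STATE_RE = re.compile(
    r"IKE_SA (?P<name>[^\s\[]+)\[(?P<id>\d+)\] state change: (?P<old>\w+) => (?P<new>\w+)"
)
CHILD_STATE_RE = re.compile(
    r"CHILD_SA (?P<name>[^\s{]+)\{(?P<id>\d+)\} state change: (?P<old>\w+) => (?P<new>\w+)"
)
PEER_DELETE_RE = re.compile(r"received DELETE for IKE_SA (?P<name>[^\s\[]+)\[(?P<id>\d+)\]")
SAD_DELETE_RE = re.compile(r"deleted SAD entry with SPI (?P<spi>[0-9a-f]+)")

# Constructed excerpt: the relevant lines of the posted charon_debug.log,
# unwrapped, with the plugin/KNL/vendor-ID lines left out.
SAMPLE_LOG = """\
Tue, 2021-03-09, %H:32:17 07[IKE] <1> IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
Tue, 2021-03-09, %H:32:17 09[IKE] <VPNPeer|1> IKE_SA VPNPeer[1] state change: CONNECTING => ESTABLISHED
Tue, 2021-03-09, %H:32:17 12[CHD] <VPNPeer|1> CHILD_SA VPNPeer{1} state change: CREATED => INSTALLING
Tue, 2021-03-09, %H:32:17 12[CHD] <VPNPeer|1> CHILD_SA VPNPeer{1} state change: INSTALLING => INSTALLED
Tue, 2021-03-09, %H:37:17 05[ENC] <VPNPeer|1> parsed INFORMATIONAL_V1 request 3632002282 [ HASH N(DPD) ]
Tue, 2021-03-09, %H:38:37 07[ENC] <VPNPeer|1> parsed INFORMATIONAL_V1 request 2900110358 [ HASH D ]
Tue, 2021-03-09, %H:38:37 07[IKE] <VPNPeer|1> received DELETE for IKE_SA VPNPeer[1]
Tue, 2021-03-09, %H:38:37 07[IKE] <VPNPeer|1> IKE_SA VPNPeer[1] state change: ESTABLISHED => DELETING
Tue, 2021-03-09, %H:38:37 08[NET] <2> received packet: from 192.19.22.1[500] to 192.19.22.10[500] (244 bytes)
Tue, 2021-03-09, %H:38:37 07[IKE] <VPNPeer|1> IKE_SA VPNPeer[1] state change: DELETING => DESTROYING
Tue, 2021-03-09, %H:38:37 07[CHD] <VPNPeer|1> CHILD_SA VPNPeer{1} state change: INSTALLED => DESTROYING
Tue, 2021-03-09, %H:38:37 07[KNL] <VPNPeer|1> deleted SAD entry with SPI c8bf9eca
Tue, 2021-03-09, %H:38:37 07[KNL] <VPNPeer|1> deleted SAD entry with SPI 2d5a8f29
Tue, 2021-03-09, %H:38:37 08[IKE] <2> IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
Tue, 2021-03-09, %H:38:37 11[IKE] <VPNPeer|2> IKE_SA VPNPeer[2] state change: CONNECTING => ESTABLISHED
"""


def ike_id_from_ctx(ctx):
    """'VPNPeer|1' -> 1, '1' -> 1, None for daemon-level lines without a context."""
    if not ctx:
        return None
    return int(ctx.rsplit("|", 1)[-1])


def analyze(log_text):
    ike_state = {}                      # ike_id -> last logged state
    children = defaultdict(dict)        # ike_id -> {child_id: last logged state}
    spis_deleted = defaultdict(list)    # ike_id -> ESP SPIs removed from the SAD
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ctx_id, msg = ike_id_from_ctx(m["ctx"]), m["msg"]
        if (s := IKE_STATE_RE.search(msg)):
            ike_state[int(s["id"])] = s["new"]
        elif (c := CHILD_STATE_RE.search(msg)) and ctx_id is not None:
            children[ctx_id][int(c["id"])] = c["new"]
        elif (k := SAD_DELETE_RE.search(msg)) and ctx_id is not None:
            spis_deleted[ctx_id].append(k["spi"])
        elif (d := PEER_DELETE_RE.search(msg)):
            victim = int(d["id"])
            # CHILD_SAs that will go down with this IKE_SA ...
            installed = sorted(cid for cid, st in children[victim].items() if st == "INSTALLED")
            # ... unless another IKE_SA is already ESTABLISHED and can adopt them
            adopters = sorted(i for i, st in ike_state.items() if st == "ESTABLISHED" and i != victim)
            if installed and not adopters:
                findings.append({
                    "ts": m["ts"],
                    "ike_sa": f'{d["name"]}[{victim}]',
                    "installed_children": installed,
                    "established_ike_sas": adopters,
                })
    # IKE_SAs that ended up ESTABLISHED without ever owning a CHILD_SA
    without_child = sorted(i for i, st in ike_state.items()
                           if st == "ESTABLISHED" and not children.get(i))
    return {
        "findings": findings,
        "ike_state": ike_state,
        "children": {i: dict(c) for i, c in children.items()},
        "spis_deleted": dict(spis_deleted),
        "established_without_child": without_child,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for f in result["findings"]:
        print(f'{f["ts"]}: peer deleted {f["ike_sa"]} while CHILD_SA {f["installed_children"]} '
              f'was INSTALLED and no replacement IKE_SA was ESTABLISHED -> CHILD_SAs destroyed')
    print("IKE_SAs established with no CHILD_SA:", result["established_without_child"])
```

To run it over the full charon_debug.log, rejoin the lines the mail client wrapped first (every log line starts with the weekday token); lines that do not match LINE_RE are skipped. If the peer's new IKE_SA reaches ESTABLISHED before its DELETE for the old one arrives, the checker reports nothing, which is the make-before-break ordering the wiki text describes.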