[strongSwan] How to force Ikev2 client to use their local internet for browsing instead of remote server
Rizwan Saleem
malik.chand at hotmail.com
Tue Mar 30 11:37:42 CEST 2021
Hello,
We want to force IKEv2 clients to use their local internet for browsing instead of the remote server.
I have configured strongSwan 5.9 on CentOS 8. Here is the routing table:
default via 172.31.32.1 dev eth0 proto dhcp metric 100
172.31.32.0/20 dev eth0 proto kernel scope link src 172.31.42.77 metric 100
________________________________
From: Users <users-bounces at lists.strongswan.org> on behalf of users-request at lists.strongswan.org <users-request at lists.strongswan.org>
Sent: Tuesday, March 9, 2021 8:07 PM
To: users at lists.strongswan.org <users at lists.strongswan.org>
Subject: Users Digest, Vol 134, Issue 7
Today's Topics:
1. Re: IKEv1 Phase 1 rekey deletes Phase 2 SA (Sean B)
----------------------------------------------------------------------
Message: 1
Date: Tue, 9 Mar 2021 12:06:47 -0500
From: Sean B <sb3957312 at gmail.com>
To: users at lists.strongswan.org
Subject: Re: [strongSwan] IKEv1 Phase 1 rekey deletes Phase 2 SA
Message-ID:
<CA+c0=jfcwW4BW=vY0O87bLpWJzSeQez5HbLySkZi7_6U-6D4Nw at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Adding charon_debug.log:
Tue, 2021-03-09, %H:32:09 00[DMN] Starting IKE charon daemon (strongSwan
5.8.4, Linux 5.5.0-kali2-amd64, x86_64)
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'aesni': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'aes': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'rc2': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'sha2': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'sha1': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'md5': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'mgf1': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'random': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'nonce': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'x509': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'revocation': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'constraints': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'pubkey': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'pkcs1': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'pkcs7': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'pkcs8': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'pkcs12': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'pgp': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'dnskey': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'sshkey': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'pem': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'openssl': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'fips-prf': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'gmp': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'agent': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'xcbc': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'hmac': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'gcm': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'drbg': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'attr': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'kernel-netlink': loaded
successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'resolve': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'socket-default': loaded
successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'connmark': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'stroke': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'updown': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'eap-mschapv2': loaded successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'xauth-generic': loaded
successfully
Tue, 2021-03-09, %H:32:09 00[LIB] plugin 'counters': loaded successfully
Tue, 2021-03-09, %H:32:09 00[KNL] known interfaces and IP addresses:
Tue, 2021-03-09, %H:32:09 00[KNL] lo
Tue, 2021-03-09, %H:32:09 00[KNL] 127.0.0.1
Tue, 2021-03-09, %H:32:09 00[KNL] ::1
Tue, 2021-03-09, %H:32:09 00[KNL] eth0
Tue, 2021-03-09, %H:32:09 00[KNL] 10.100.1.66
Tue, 2021-03-09, %H:32:09 00[KNL] fe80::7ddb:e857:c734:34bf
Tue, 2021-03-09, %H:32:09 00[KNL] fe80::435e:56e6:3941:5794
Tue, 2021-03-09, %H:32:09 00[KNL] fe80::e8af:3339:4054:be35
Tue, 2021-03-09, %H:32:09 00[KNL] eth1
Tue, 2021-03-09, %H:32:09 00[KNL] 192.19.22.10
Tue, 2021-03-09, %H:32:09 00[KNL] fe80::4d93:72c5:862e:b87f
Tue, 2021-03-09, %H:32:09 00[KNL] ciscogl
Tue, 2021-03-09, %H:32:09 00[KNL] 172.19.22.10
Tue, 2021-03-09, %H:32:09 00[KNL] fe80::ac43:a10d:f6a4:d424
Tue, 2021-03-09, %H:32:09 00[KNL] docker0
Tue, 2021-03-09, %H:32:09 00[KNL] 172.17.0.1
Tue, 2021-03-09, %H:32:09 00[LIB] feature PUBKEY:BLISS in plugin 'pem' has
unmet dependency: PUBKEY:BLISS
Tue, 2021-03-09, %H:32:09 00[LIB] feature PUBKEY:DSA in plugin 'pem' has
unmet dependency: PUBKEY:DSA
Tue, 2021-03-09, %H:32:09 00[LIB] feature PRIVKEY:DSA in plugin 'pem' has
unmet dependency: PRIVKEY:DSA
Tue, 2021-03-09, %H:32:09 00[LIB] feature PRIVKEY:BLISS in plugin 'pem' has
unmet dependency: PRIVKEY:BLISS
Tue, 2021-03-09, %H:32:09 00[LIB] feature CERT_DECODE:OCSP_REQUEST in
plugin 'pem' has unmet dependency: CERT_DECODE:OCSP_REQUEST
Tue, 2021-03-09, %H:32:09 00[CFG] loading ca certificates from
'/etc/ipsec.d/cacerts'
Tue, 2021-03-09, %H:32:09 00[CFG] loaded ca certificate "C=CA, CN=Root
CA, ST=ON, L=Ottawa, O=Lightship Security, OU=CC1903" from
'/etc/ipsec.d/cacerts/ca.cert.pem'
Tue, 2021-03-09, %H:32:09 00[CFG] loading aa certificates from
'/etc/ipsec.d/aacerts'
Tue, 2021-03-09, %H:32:09 00[CFG] loading ocsp signer certificates from
'/etc/ipsec.d/ocspcerts'
Tue, 2021-03-09, %H:32:09 00[CFG] loading attribute certificates from
'/etc/ipsec.d/acerts'
Tue, 2021-03-09, %H:32:09 00[CFG] loading crls from '/etc/ipsec.d/crls'
Tue, 2021-03-09, %H:32:09 00[CFG] loading secrets from '/etc/ipsec.secrets'
Tue, 2021-03-09, %H:32:09 00[CFG] expanding file expression
'/var/lib/strongswan/ipsec.secrets.inc' failed
Tue, 2021-03-09, %H:32:09 00[CFG] loaded IKE secret for %any
Tue, 2021-03-09, %H:32:09 00[LIB] loaded plugins: charon aesni aes rc2 sha2
sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7
pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm
drbg attr kernel-netlink resolve socket-default connmark stroke updown
eap-mschapv2 xauth-generic counters
Tue, 2021-03-09, %H:32:09 00[LIB] unable to load 5 plugin features (5 due
to unmet dependencies)
Tue, 2021-03-09, %H:32:09 00[LIB] dropped capabilities, running as uid 0,
gid 0
Tue, 2021-03-09, %H:32:09 00[JOB] spawning 16 worker threads
Tue, 2021-03-09, %H:32:09 01[LIB] created thread 01 [25657]
Tue, 2021-03-09, %H:32:09 02[LIB] created thread 02 [25658]
Tue, 2021-03-09, %H:32:09 03[LIB] created thread 03 [25656]
Tue, 2021-03-09, %H:32:09 04[LIB] created thread 04 [25659]
Tue, 2021-03-09, %H:32:09 05[LIB] created thread 05 [25660]
Tue, 2021-03-09, %H:32:09 06[LIB] created thread 06 [25655]
Tue, 2021-03-09, %H:32:09 07[LIB] created thread 07 [25661]
Tue, 2021-03-09, %H:32:09 08[LIB] created thread 08 [25662]
Tue, 2021-03-09, %H:32:09 09[LIB] created thread 09 [25654]
Tue, 2021-03-09, %H:32:09 10[LIB] created thread 10 [25663]
Tue, 2021-03-09, %H:32:09 11[LIB] created thread 11 [25664]
Tue, 2021-03-09, %H:32:09 12[LIB] created thread 12 [25665]
Tue, 2021-03-09, %H:32:09 13[LIB] created thread 13 [25666]
Tue, 2021-03-09, %H:32:09 14[LIB] created thread 14 [25653]
Tue, 2021-03-09, %H:32:09 15[LIB] created thread 15 [25667]
Tue, 2021-03-09, %H:32:09 16[LIB] created thread 16 [25652]
Tue, 2021-03-09, %H:32:09 05[CFG] received stroke: add connection 'VPNPeer'
Tue, 2021-03-09, %H:32:09 05[CFG] conn VPNPeer
Tue, 2021-03-09, %H:32:09 05[CFG] left=192.19.22.10
Tue, 2021-03-09, %H:32:09 05[CFG] leftauth=psk
Tue, 2021-03-09, %H:32:09 05[CFG] leftupdown=ipsec _updown iptables
Tue, 2021-03-09, %H:32:09 05[CFG] right=192.19.22.1
Tue, 2021-03-09, %H:32:09 05[CFG] rightauth=psk
Tue, 2021-03-09, %H:32:09 05[CFG] ike=aes256-sha1-modp2048 !
Tue, 2021-03-09, %H:32:09 05[CFG] esp=aes128-sha1-modp2048 !
Tue, 2021-03-09, %H:32:09 05[CFG] dpddelay=30
Tue, 2021-03-09, %H:32:09 05[CFG] dpdtimeout=150
Tue, 2021-03-09, %H:32:09 05[CFG] sha256_96=no
Tue, 2021-03-09, %H:32:09 05[CFG] mediation=no
Tue, 2021-03-09, %H:32:09 05[CFG] keyexchange=ikev1
Tue, 2021-03-09, %H:32:09 05[KNL] 192.19.22.1 is not a local address or the
interface is down
Tue, 2021-03-09, %H:32:09 05[CFG] added configuration 'VPNPeer'
Tue, 2021-03-09, %H:32:17 07[NET] <1> received packet: from
192.19.22.1[500] to 192.19.22.10[500] (244 bytes)
Tue, 2021-03-09, %H:32:17 07[ENC] <1> parsed ID_PROT request 0 [ SA V V V V
]
Tue, 2021-03-09, %H:32:17 07[CFG] <1> looking for an IKEv1 config for
192.19.22.10...192.19.22.1
Tue, 2021-03-09, %H:32:17 07[CFG] <1> candidate:
192.19.22.10...192.19.22.1, prio 3100
Tue, 2021-03-09, %H:32:17 07[CFG] <1> found matching ike config:
192.19.22.10...192.19.22.1 with prio 3100
Tue, 2021-03-09, %H:32:17 07[IKE] <1> received NAT-T (RFC 3947) vendor ID
Tue, 2021-03-09, %H:32:17 07[IKE] <1> received
draft-ietf-ipsec-nat-t-ike-07 vendor ID
Tue, 2021-03-09, %H:32:17 07[IKE] <1> received
draft-ietf-ipsec-nat-t-ike-03 vendor ID
Tue, 2021-03-09, %H:32:17 07[IKE] <1> received
draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Tue, 2021-03-09, %H:32:17 07[IKE] <1> 192.19.22.1 is initiating a Main Mode
IKE_SA
Tue, 2021-03-09, %H:32:17 07[IKE] <1> IKE_SA (unnamed)[1] state change:
CREATED => CONNECTING
Tue, 2021-03-09, %H:32:17 07[CFG] <1> selecting proposal:
Tue, 2021-03-09, %H:32:17 07[CFG] <1> proposal matches
Tue, 2021-03-09, %H:32:17 07[CFG] <1> received proposals:
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Tue, 2021-03-09, %H:32:17 07[CFG] <1> configured proposals:
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Tue, 2021-03-09, %H:32:17 07[CFG] <1> selected proposal:
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Tue, 2021-03-09, %H:32:17 07[IKE] <1> sending XAuth vendor ID
Tue, 2021-03-09, %H:32:17 07[IKE] <1> sending DPD vendor ID
Tue, 2021-03-09, %H:32:17 07[IKE] <1> sending NAT-T (RFC 3947) vendor ID
Tue, 2021-03-09, %H:32:17 07[ENC] <1> generating ID_PROT response 0 [ SA V
V V ]
Tue, 2021-03-09, %H:32:17 07[NET] <1> sending packet: from
192.19.22.10[500] to 192.19.22.1[500] (136 bytes)
Tue, 2021-03-09, %H:32:17 08[NET] <1> received packet: from
192.19.22.1[500] to 192.19.22.10[500] (412 bytes)
Tue, 2021-03-09, %H:32:17 08[ENC] <1> parsed ID_PROT request 0 [ KE No V V
V NAT-D NAT-D ]
Tue, 2021-03-09, %H:32:17 08[IKE] <1> received DPD vendor ID
Tue, 2021-03-09, %H:32:17 08[ENC] <1> received unknown vendor ID:
10:f9:6f:0a:50:a5:1b:9c:da:5b:9b:ec:f8:f8:1e:3e
Tue, 2021-03-09, %H:32:17 08[IKE] <1> received XAuth vendor ID
Tue, 2021-03-09, %H:32:17 08[LIB] <1> size of DH secret exponent: 2047 bits
Tue, 2021-03-09, %H:32:17 08[CFG] <1> candidate "VPNPeer", match:
1/1/3100 (me/other/ike)
Tue, 2021-03-09, %H:32:17 08[ENC] <1> generating ID_PROT response 0 [ KE No
NAT-D NAT-D ]
Tue, 2021-03-09, %H:32:17 08[NET] <1> sending packet: from
192.19.22.10[500] to 192.19.22.1[500] (372 bytes)
Tue, 2021-03-09, %H:32:17 09[NET] <1> received packet: from
192.19.22.1[500] to 192.19.22.10[500] (108 bytes)
Tue, 2021-03-09, %H:32:17 09[ENC] <1> parsed ID_PROT request 0 [ ID HASH
N(INITIAL_CONTACT) ]
Tue, 2021-03-09, %H:32:17 09[CFG] <1> looking for pre-shared key peer
configs matching 192.19.22.10...192.19.22.1[192.19.22.1]
Tue, 2021-03-09, %H:32:17 09[CFG] <1> candidate "VPNPeer", match:
1/20/3100 (me/other/ike)
Tue, 2021-03-09, %H:32:17 09[CFG] <1> selected peer config "VPNPeer"
Tue, 2021-03-09, %H:32:17 09[IKE] <VPNPeer|1> IKE_SA VPNPeer[1] established
between 192.19.22.10[192.19.22.10]...192.19.22.1[192.19.22.1]
Tue, 2021-03-09, %H:32:17 09[IKE] <VPNPeer|1> IKE_SA VPNPeer[1] state
change: CONNECTING => ESTABLISHED
Tue, 2021-03-09, %H:32:17 09[IKE] <VPNPeer|1> scheduling reauthentication
in 86400s
Tue, 2021-03-09, %H:32:17 09[IKE] <VPNPeer|1> maximum IKE_SA lifetime 86400s
Tue, 2021-03-09, %H:32:17 09[ENC] <VPNPeer|1> generating ID_PROT response 0
[ ID HASH ]
Tue, 2021-03-09, %H:32:17 09[NET] <VPNPeer|1> sending packet: from
192.19.22.10[500] to 192.19.22.1[500] (76 bytes)
Tue, 2021-03-09, %H:32:17 11[NET] <VPNPeer|1> received packet: from
192.19.22.1[500] to 192.19.22.10[500] (444 bytes)
Tue, 2021-03-09, %H:32:17 11[ENC] <VPNPeer|1> parsed QUICK_MODE request
256501508 [ HASH SA No KE ID ID ]
Tue, 2021-03-09, %H:32:17 11[CFG] <VPNPeer|1> looking for a child config
for 192.19.22.10/32 === 192.19.22.1/32
Tue, 2021-03-09, %H:32:17 11[CFG] <VPNPeer|1> proposing traffic selectors
for us:
Tue, 2021-03-09, %H:32:17 11[CFG] <VPNPeer|1> 192.19.22.10/32
Tue, 2021-03-09, %H:32:17 11[CFG] <VPNPeer|1> proposing traffic selectors
for other:
Tue, 2021-03-09, %H:32:17 11[CFG] <VPNPeer|1> 192.19.22.1/32
Tue, 2021-03-09, %H:32:17 11[CFG] <VPNPeer|1> candidate "VPNPeer" with
prio 5+5
Tue, 2021-03-09, %H:32:17 11[CFG] <VPNPeer|1> found matching child config
"VPNPeer" with prio 10
Tue, 2021-03-09, %H:32:17 11[CFG] <VPNPeer|1> selecting traffic selectors
for other:
Tue, 2021-03-09, %H:32:17 11[CFG] <VPNPeer|1> config: 192.19.22.1/32,
received: 192.19.22.1/32 => match: 192.19.22.1/32
Tue, 2021-03-09, %H:32:17 11[CFG] <VPNPeer|1> selecting traffic selectors
for us:
Tue, 2021-03-09, %H:32:17 11[CFG] <VPNPeer|1> config: 192.19.22.10/32,
received: 192.19.22.10/32 => match: 192.19.22.10/32
Tue, 2021-03-09, %H:32:17 11[CFG] <VPNPeer|1> selecting proposal:
Tue, 2021-03-09, %H:32:17 11[CFG] <VPNPeer|1> proposal matches
Tue, 2021-03-09, %H:32:17 11[CFG] <VPNPeer|1> received proposals:
ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ
Tue, 2021-03-09, %H:32:17 11[CFG] <VPNPeer|1> configured proposals:
ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ
Tue, 2021-03-09, %H:32:17 11[CFG] <VPNPeer|1> selected proposal:
ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ
Tue, 2021-03-09, %H:32:17 11[IKE] <VPNPeer|1> received 1000000000
lifebytes, configured 0
Tue, 2021-03-09, %H:32:17 11[LIB] <VPNPeer|1> size of DH secret exponent:
2047 bits
Tue, 2021-03-09, %H:32:17 11[KNL] <VPNPeer|1> got SPI c8bf9eca
Tue, 2021-03-09, %H:32:17 11[ENC] <VPNPeer|1> generating QUICK_MODE
response 256501508 [ HASH SA No KE ID ID ]
Tue, 2021-03-09, %H:32:17 11[NET] <VPNPeer|1> sending packet: from
192.19.22.10[500] to 192.19.22.1[500] (444 bytes)
Tue, 2021-03-09, %H:32:17 12[NET] <VPNPeer|1> received packet: from
192.19.22.1[500] to 192.19.22.10[500] (60 bytes)
Tue, 2021-03-09, %H:32:17 12[ENC] <VPNPeer|1> parsed QUICK_MODE request
256501508 [ HASH ]
Tue, 2021-03-09, %H:32:17 12[CHD] <VPNPeer|1> CHILD_SA VPNPeer{1} state
change: CREATED => INSTALLING
Tue, 2021-03-09, %H:32:17 12[CHD] <VPNPeer|1> using AES_CBC for encryption
Tue, 2021-03-09, %H:32:17 12[CHD] <VPNPeer|1> using HMAC_SHA1_96 for
integrity
Tue, 2021-03-09, %H:32:17 12[CHD] <VPNPeer|1> adding inbound ESP SA
Tue, 2021-03-09, %H:32:17 12[CHD] <VPNPeer|1> SPI 0xc8bf9eca, src
192.19.22.1 dst 192.19.22.10
Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> adding SAD entry with SPI
c8bf9eca and reqid {1}
Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> using encryption algorithm
AES_CBC with key size 128
Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> using integrity algorithm
HMAC_SHA1_96 with key size 160
Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> using replay window of 32
packets
Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> HW offload: no
Tue, 2021-03-09, %H:32:17 12[CHD] <VPNPeer|1> adding outbound ESP SA
Tue, 2021-03-09, %H:32:17 12[CHD] <VPNPeer|1> SPI 0x2d5a8f29, src
192.19.22.10 dst 192.19.22.1
Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> adding SAD entry with SPI
2d5a8f29 and reqid {1}
Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> using encryption algorithm
AES_CBC with key size 128
Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> using integrity algorithm
HMAC_SHA1_96 with key size 160
Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> using replay window of 0
packets
Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> HW offload: no
Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> adding policy 192.19.22.1/32
=== 192.19.22.10/32 in [priority 367231, refcount 1]
Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> adding policy 192.19.22.1/32
=== 192.19.22.10/32 fwd [priority 367231, refcount 1]
Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> adding policy 192.19.22.10/32
=== 192.19.22.1/32 out [priority 367231, refcount 1]
Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> getting a local address in
traffic selector 192.19.22.10/32
Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> using host 192.19.22.10
Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> getting iface name for index 3
Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> using 192.19.22.1 as nexthop
and eth1 as dev to reach 192.19.22.1/32
Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> installing route:
192.19.22.1/32 via 192.19.22.1 src 192.19.22.10 dev eth1
Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> getting iface index for eth1
Tue, 2021-03-09, %H:32:17 12[IKE] <VPNPeer|1> CHILD_SA VPNPeer{1}
established with SPIs c8bf9eca_i 2d5a8f29_o and TS 192.19.22.10/32 ===
192.19.22.1/32
Tue, 2021-03-09, %H:32:17 12[CHD] <VPNPeer|1> CHILD_SA VPNPeer{1} state
change: INSTALLING => INSTALLED
Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> getting iface name for index 3
Tue, 2021-03-09, %H:32:17 12[KNL] <VPNPeer|1> using 192.19.22.1 as nexthop
and eth1 as dev to reach 192.19.22.1/32
Tue, 2021-03-09, %H:32:28 15[KNL] <VPNPeer|1> querying SAD entry with SPI
c8bf9eca
Tue, 2021-03-09, %H:32:28 15[KNL] <VPNPeer|1> querying policy 192.19.22.1/32
=== 192.19.22.10/32 in
Tue, 2021-03-09, %H:32:28 15[KNL] <VPNPeer|1> querying policy 192.19.22.1/32
=== 192.19.22.10/32 fwd
Tue, 2021-03-09, %H:32:28 15[KNL] <VPNPeer|1> querying SAD entry with SPI
2d5a8f29
Tue, 2021-03-09, %H:32:28 15[KNL] <VPNPeer|1> querying policy
192.19.22.10/32 === 192.19.22.1/32 out
Tue, 2021-03-09, %H:37:17 05[NET] <VPNPeer|1> received packet: from
192.19.22.1[500] to 192.19.22.10[500] (92 bytes)
Tue, 2021-03-09, %H:37:17 05[ENC] <VPNPeer|1> parsed INFORMATIONAL_V1
request 3632002282 [ HASH N(DPD) ]
Tue, 2021-03-09, %H:37:17 05[IKE] <VPNPeer|1> queueing ISAKMP_DPD task
Tue, 2021-03-09, %H:37:17 05[IKE] <VPNPeer|1> activating new tasks
Tue, 2021-03-09, %H:37:17 05[IKE] <VPNPeer|1> activating ISAKMP_DPD task
Tue, 2021-03-09, %H:37:17 05[ENC] <VPNPeer|1> generating INFORMATIONAL_V1
request 840089277 [ HASH N(DPD_ACK) ]
Tue, 2021-03-09, %H:37:17 05[NET] <VPNPeer|1> sending packet: from
192.19.22.10[500] to 192.19.22.1[500] (92 bytes)
Tue, 2021-03-09, %H:37:17 05[IKE] <VPNPeer|1> activating new tasks
Tue, 2021-03-09, %H:37:17 05[IKE] <VPNPeer|1> nothing to initiate
Tue, 2021-03-09, %H:38:37 07[NET] <VPNPeer|1> received packet: from
192.19.22.1[500] to 192.19.22.10[500] (92 bytes)
Tue, 2021-03-09, %H:38:37 07[ENC] <VPNPeer|1> parsed INFORMATIONAL_V1
request 2900110358 [ HASH D ]
Tue, 2021-03-09, %H:38:37 07[IKE] <VPNPeer|1> received DELETE for IKE_SA
VPNPeer[1]
Tue, 2021-03-09, %H:38:37 07[IKE] <VPNPeer|1> deleting IKE_SA VPNPeer[1]
between 192.19.22.10[192.19.22.10]...192.19.22.1[192.19.22.1]
Tue, 2021-03-09, %H:38:37 07[IKE] <VPNPeer|1> IKE_SA VPNPeer[1] state
change: ESTABLISHED => DELETING
Tue, 2021-03-09, %H:38:37 07[IKE] <VPNPeer|1> IKE_SA VPNPeer[1] state
change: DELETING => DELETING
Tue, 2021-03-09, %H:38:37 08[NET] <2> received packet: from
192.19.22.1[500] to 192.19.22.10[500] (244 bytes)
Tue, 2021-03-09, %H:38:37 07[IKE] <VPNPeer|1> IKE_SA VPNPeer[1] state
change: DELETING => DESTROYING
Tue, 2021-03-09, %H:38:37 07[CHD] <VPNPeer|1> CHILD_SA VPNPeer{1} state
change: INSTALLED => DESTROYING
Tue, 2021-03-09, %H:38:37 07[KNL] <VPNPeer|1> deleting policy
192.19.22.10/32 === 192.19.22.1/32 out
Tue, 2021-03-09, %H:38:37 07[KNL] <VPNPeer|1> deleting policy 192.19.22.1/32
=== 192.19.22.10/32 in
Tue, 2021-03-09, %H:38:37 07[KNL] <VPNPeer|1> deleting policy 192.19.22.1/32
=== 192.19.22.10/32 fwd
Tue, 2021-03-09, %H:38:37 07[KNL] <VPNPeer|1> deleting SAD entry with SPI
c8bf9eca
Tue, 2021-03-09, %H:38:37 07[KNL] <VPNPeer|1> deleted SAD entry with SPI
c8bf9eca
Tue, 2021-03-09, %H:38:37 07[KNL] <VPNPeer|1> deleting SAD entry with SPI
2d5a8f29
Tue, 2021-03-09, %H:38:37 07[KNL] <VPNPeer|1> deleted SAD entry with SPI
2d5a8f29
Tue, 2021-03-09, %H:38:37 08[ENC] <2> parsed ID_PROT request 0 [ SA V V V V
]
Tue, 2021-03-09, %H:38:37 08[CFG] <2> looking for an IKEv1 config for
192.19.22.10...192.19.22.1
Tue, 2021-03-09, %H:38:37 08[CFG] <2> candidate:
192.19.22.10...192.19.22.1, prio 3100
Tue, 2021-03-09, %H:38:37 08[CFG] <2> found matching ike config:
192.19.22.10...192.19.22.1 with prio 3100
Tue, 2021-03-09, %H:38:37 08[IKE] <2> received NAT-T (RFC 3947) vendor ID
Tue, 2021-03-09, %H:38:37 08[IKE] <2> received
draft-ietf-ipsec-nat-t-ike-07 vendor ID
Tue, 2021-03-09, %H:38:37 08[IKE] <2> received
draft-ietf-ipsec-nat-t-ike-03 vendor ID
Tue, 2021-03-09, %H:38:37 08[IKE] <2> received
draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Tue, 2021-03-09, %H:38:37 08[IKE] <2> 192.19.22.1 is initiating a Main Mode
IKE_SA
Tue, 2021-03-09, %H:38:37 08[IKE] <2> IKE_SA (unnamed)[2] state change:
CREATED => CONNECTING
Tue, 2021-03-09, %H:38:37 08[CFG] <2> selecting proposal:
Tue, 2021-03-09, %H:38:37 08[CFG] <2> proposal matches
Tue, 2021-03-09, %H:38:37 08[CFG] <2> received proposals:
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Tue, 2021-03-09, %H:38:37 08[CFG] <2> configured proposals:
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Tue, 2021-03-09, %H:38:37 08[CFG] <2> selected proposal:
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Tue, 2021-03-09, %H:38:37 08[IKE] <2> sending XAuth vendor ID
Tue, 2021-03-09, %H:38:37 08[IKE] <2> sending DPD vendor ID
Tue, 2021-03-09, %H:38:37 08[IKE] <2> sending NAT-T (RFC 3947) vendor ID
Tue, 2021-03-09, %H:38:37 08[ENC] <2> generating ID_PROT response 0 [ SA V
V V ]
Tue, 2021-03-09, %H:38:37 08[NET] <2> sending packet: from
192.19.22.10[500] to 192.19.22.1[500] (136 bytes)
Tue, 2021-03-09, %H:38:37 09[NET] <2> received packet: from
192.19.22.1[500] to 192.19.22.10[500] (412 bytes)
Tue, 2021-03-09, %H:38:37 09[ENC] <2> parsed ID_PROT request 0 [ KE No V V
V NAT-D NAT-D ]
Tue, 2021-03-09, %H:38:37 09[IKE] <2> received DPD vendor ID
Tue, 2021-03-09, %H:38:37 09[ENC] <2> received unknown vendor ID:
10:f9:6f:0a:02:d3:cc:91:9c:61:7d:60:6f:41:1f:c8
Tue, 2021-03-09, %H:38:37 09[IKE] <2> received XAuth vendor ID
Tue, 2021-03-09, %H:38:37 09[LIB] <2> size of DH secret exponent: 2047 bits
Tue, 2021-03-09, %H:38:37 09[CFG] <2> candidate "VPNPeer", match:
1/1/3100 (me/other/ike)
Tue, 2021-03-09, %H:38:37 09[ENC] <2> generating ID_PROT response 0 [ KE No
NAT-D NAT-D ]
Tue, 2021-03-09, %H:38:37 09[NET] <2> sending packet: from
192.19.22.10[500] to 192.19.22.1[500] (372 bytes)
Tue, 2021-03-09, %H:38:37 11[NET] <2> received packet: from
192.19.22.1[500] to 192.19.22.10[500] (76 bytes)
Tue, 2021-03-09, %H:38:37 11[ENC] <2> parsed ID_PROT request 0 [ ID HASH ]
Tue, 2021-03-09, %H:38:37 11[CFG] <2> looking for pre-shared key peer
configs matching 192.19.22.10...192.19.22.1[192.19.22.1]
Tue, 2021-03-09, %H:38:37 11[CFG] <2> candidate "VPNPeer", match:
1/20/3100 (me/other/ike)
Tue, 2021-03-09, %H:38:37 11[CFG] <2> selected peer config "VPNPeer"
Tue, 2021-03-09, %H:38:37 11[IKE] <VPNPeer|2> IKE_SA VPNPeer[2] established
between 192.19.22.10[192.19.22.10]...192.19.22.1[192.19.22.1]
Tue, 2021-03-09, %H:38:37 11[IKE] <VPNPeer|2> IKE_SA VPNPeer[2] state
change: CONNECTING => ESTABLISHED
Tue, 2021-03-09, %H:38:37 11[IKE] <VPNPeer|2> scheduling reauthentication
in 86400s
Tue, 2021-03-09, %H:38:37 11[IKE] <VPNPeer|2> maximum IKE_SA lifetime 86400s
Tue, 2021-03-09, %H:38:37 11[ENC] <VPNPeer|2> generating ID_PROT response 0
[ ID HASH ]
Tue, 2021-03-09, %H:38:37 11[NET] <VPNPeer|2> sending packet: from
192.19.22.10[500] to 192.19.22.1[500] (76 bytes)
Tue, 2021-03-09, %H:39:15 15[CFG] received stroke: terminate 'VPNPeer'
Tue, 2021-03-09, %H:39:15 05[IKE] <VPNPeer|2> queueing ISAKMP_DELETE task
Tue, 2021-03-09, %H:39:15 05[IKE] <VPNPeer|2> activating new tasks
Tue, 2021-03-09, %H:39:15 05[IKE] <VPNPeer|2> activating ISAKMP_DELETE
task
Tue, 2021-03-09, %H:39:15 05[IKE] <VPNPeer|2> deleting IKE_SA VPNPeer[2]
between 192.19.22.10[192.19.22.10]...192.19.22.1[192.19.22.1]
Tue, 2021-03-09, %H:39:15 05[IKE] <VPNPeer|2> sending DELETE for IKE_SA
VPNPeer[2]
Tue, 2021-03-09, %H:39:15 05[IKE] <VPNPeer|2> IKE_SA VPNPeer[2] state
change: ESTABLISHED => DELETING
Tue, 2021-03-09, %H:39:15 05[ENC] <VPNPeer|2> generating INFORMATIONAL_V1
request 1114736905 [ HASH D ]
Tue, 2021-03-09, %H:39:15 05[NET] <VPNPeer|2> sending packet: from
192.19.22.10[500] to 192.19.22.1[500] (92 bytes)
Tue, 2021-03-09, %H:39:15 05[IKE] <VPNPeer|2> IKE_SA VPNPeer[2] state
change: DELETING => DESTROYING
Tue, 2021-03-09, %H:39:15 07[NET] <3> received packet: from
192.19.22.1[500] to 192.19.22.10[500] (244 bytes)
Tue, 2021-03-09, %H:39:15 07[ENC] <3> parsed ID_PROT request 0 [ SA V V V V
]
Tue, 2021-03-09, %H:39:15 07[CFG] <3> looking for an IKEv1 config for
192.19.22.10...192.19.22.1
Tue, 2021-03-09, %H:39:15 07[CFG] <3> candidate:
192.19.22.10...192.19.22.1, prio 3100
Tue, 2021-03-09, %H:39:15 07[CFG] <3> found matching ike config:
192.19.22.10...192.19.22.1 with prio 3100
Tue, 2021-03-09, %H:39:15 07[IKE] <3> received NAT-T (RFC 3947) vendor ID
Tue, 2021-03-09, %H:39:15 07[IKE] <3> received
draft-ietf-ipsec-nat-t-ike-07 vendor ID
Tue, 2021-03-09, %H:39:15 07[IKE] <3> received
draft-ietf-ipsec-nat-t-ike-03 vendor ID
Tue, 2021-03-09, %H:39:15 07[IKE] <3> received
draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Tue, 2021-03-09, %H:39:15 07[IKE] <3> 192.19.22.1 is initiating a Main Mode
IKE_SA
Tue, 2021-03-09, %H:39:15 07[IKE] <3> IKE_SA (unnamed)[3] state change:
CREATED => CONNECTING
Tue, 2021-03-09, %H:39:15 07[CFG] <3> selecting proposal:
Tue, 2021-03-09, %H:39:15 07[CFG] <3> proposal matches
Tue, 2021-03-09, %H:39:15 07[CFG] <3> received proposals:
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Tue, 2021-03-09, %H:39:15 07[CFG] <3> configured proposals:
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Tue, 2021-03-09, %H:39:15 07[CFG] <3> selected proposal:
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Tue, 2021-03-09, %H:39:15 07[IKE] <3> sending XAuth vendor ID
Tue, 2021-03-09, %H:39:15 07[IKE] <3> sending DPD vendor ID
Tue, 2021-03-09, %H:39:15 07[IKE] <3> sending NAT-T (RFC 3947) vendor ID
Tue, 2021-03-09, %H:39:15 07[ENC] <3> generating ID_PROT response 0 [ SA V
V V ]
Tue, 2021-03-09, %H:39:15 07[NET] <3> sending packet: from
192.19.22.10[500] to 192.19.22.1[500] (136 bytes)
Tue, 2021-03-09, %H:39:15 08[NET] <3> received packet: from
192.19.22.1[500] to 192.19.22.10[500] (412 bytes)
Tue, 2021-03-09, %H:39:15 08[ENC] <3> parsed ID_PROT request 0 [ KE No V V
V NAT-D NAT-D ]
Tue, 2021-03-09, %H:39:15 08[IKE] <3> received DPD vendor ID
Tue, 2021-03-09, %H:39:15 08[ENC] <3> received unknown vendor ID:
10:f9:6f:0a:d5:5e:d6:1c:e6:59:75:2b:e7:46:d2:a4
Tue, 2021-03-09, %H:39:15 08[IKE] <3> received XAuth vendor ID
Tue, 2021-03-09, %H:39:15 08[LIB] <3> size of DH secret exponent: 2047 bits
Tue, 2021-03-09, %H:39:15 08[CFG] <3> candidate "VPNPeer", match:
1/1/3100 (me/other/ike)
Tue, 2021-03-09, %H:39:15 08[ENC] <3> generating ID_PROT response 0 [ KE No
NAT-D NAT-D ]
Tue, 2021-03-09, %H:39:15 08[NET] <3> sending packet: from
192.19.22.10[500] to 192.19.22.1[500] (372 bytes)
Tue, 2021-03-09, %H:39:15 09[NET] <3> received packet: from
192.19.22.1[500] to 192.19.22.10[500] (76 bytes)
Tue, 2021-03-09, %H:39:15 09[ENC] <3> parsed ID_PROT request 0 [ ID HASH ]
Tue, 2021-03-09, %H:39:15 09[CFG] <3> looking for pre-shared key peer
configs matching 192.19.22.10...192.19.22.1[192.19.22.1]
Tue, 2021-03-09, %H:39:15 09[CFG] <3> candidate "VPNPeer", match:
1/20/3100 (me/other/ike)
Tue, 2021-03-09, %H:39:15 09[CFG] <3> selected peer config "VPNPeer"
Tue, 2021-03-09, %H:39:15 09[IKE] <VPNPeer|3> IKE_SA VPNPeer[3] established
between 192.19.22.10[192.19.22.10]...192.19.22.1[192.19.22.1]
Tue, 2021-03-09, %H:39:15 09[IKE] <VPNPeer|3> IKE_SA VPNPeer[3] state
change: CONNECTING => ESTABLISHED
Tue, 2021-03-09, %H:39:15 09[IKE] <VPNPeer|3> scheduling reauthentication
in 86400s
Tue, 2021-03-09, %H:39:15 09[IKE] <VPNPeer|3> maximum IKE_SA lifetime 86400s
Tue, 2021-03-09, %H:39:15 09[ENC] <VPNPeer|3> generating ID_PROT response 0
[ ID HASH ]
Tue, 2021-03-09, %H:39:15 09[NET] <VPNPeer|3> sending packet: from
192.19.22.10[500] to 192.19.22.1[500] (76 bytes)
Tue, 2021-03-09, %H:39:17 00[DMN] signal of type SIGINT received. Shutting
down
Tue, 2021-03-09, %H:39:17 00[IKE] <VPNPeer|3> queueing ISAKMP_DELETE task
Tue, 2021-03-09, %H:39:17 00[IKE] <VPNPeer|3> activating new tasks
Tue, 2021-03-09, %H:39:17 00[IKE] <VPNPeer|3> activating ISAKMP_DELETE
task
Tue, 2021-03-09, %H:39:17 00[IKE] <VPNPeer|3> deleting IKE_SA VPNPeer[3]
between 192.19.22.10[192.19.22.10]...192.19.22.1[192.19.22.1]
Tue, 2021-03-09, %H:39:17 00[IKE] <VPNPeer|3> sending DELETE for IKE_SA
VPNPeer[3]
Tue, 2021-03-09, %H:39:17 00[IKE] <VPNPeer|3> IKE_SA VPNPeer[3] state
change: ESTABLISHED => DELETING
Tue, 2021-03-09, %H:39:17 00[ENC] <VPNPeer|3> generating INFORMATIONAL_V1
request 590983238 [ HASH D ]
Tue, 2021-03-09, %H:39:17 00[NET] <VPNPeer|3> sending packet: from
192.19.22.10[500] to 192.19.22.1[500] (92 bytes)
Tue, 2021-03-09, %H:39:17 00[IKE] <VPNPeer|3> IKE_SA VPNPeer[3] state
change: DELETING => DESTROYING
>
> Message: 1
> Date: Tue, 9 Mar 2021 11:50:44 -0500
> From: Sean B <sb3957312 at gmail.com>
> To: users at lists.strongswan.org
> Subject: [strongSwan] IKEv1 Phase 1 rekey deletes Phase 2 SAs
> Message-ID:
> <CA+c0=
> jf_1QpkV9HTx_QLNyDoHSsFq2eWkN7SDwMEfVSciTEVrg at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi strongSwan-users,
>
> I have a setup that requires IKEv1 and I'm running into a problem when the
> IKEv1 Phase 1 (IKE SA) rekeys. Phase 1 appears to rekey correctly, but
> deletes the Phase 2 SAs.
> Based on the following website, IPsec SAs are supposed to be adopted by the
> new IKE SA and not recreated:
> https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey
> "IKEv1 SAs are also rekeyed/reauthenticated using a make-before-break
> scheme, however, only the IKE SA is affected. IPsec SAs are adopted by the
> new IKE SA and not recreated."
>
> In this setup, strongSwan (192.19.22.10) is configured as the Responder
> and a Cisco IOS (192.19.22.1) device as the Initiator.
> The initial connection is established, and the traffic is sent
> ESP-encapsulated. The initiator attempts to rekey the IKE SA, and appears to
> succeed.
> Both the Initiator and the Responder are shown with the new IKE SA SPIs,
> but during the IKE SA rekey strongSwan deletes the SAD entries for the
> IPsec SAs.
>
> Can someone please assist with troubleshooting this issue?
> I am unable to determine if this is due to a configuration with the
> connections in ipsec.conf, a setting in charon.conf, or if this is an issue
> with how Cisco IOS attempts to rekey IKE SAs.
> Cisco appears to be sending a DELETE message as per
> https://tools.ietf.org/html/draft-jenkins-ipsec-rekeying-06#section-3.2.
>
> I've included the 'ipsec statusall' outputs, ipsec.conf, and
> charon_debug.log
> (I've added charon_debug.log as an attachment; would it have been better to
> copy and paste into the body of the email?)
> #####
> # ipsec.conf - strongSwan IPsec configuration file
>
> # basic configuration
> config setup
>     # strictcrlpolicy=yes
>     # uniqueids = no
>
> # Add connections here.
> conn VPNPeer
>     leftfirewall=yes
>     keyexchange=ikev1
>
>     # Phase 1 settings
>     ikelifetime=24h
>     margintime=0
>     rekeyfuzz=0%
>     lifetime=8h
>     ike=aes256-sha1-modp2048 !
>
>     # Phase 2
>     esp=aes128-sha1-modp2048 !
>
>     left=192.19.22.10
>     right=192.19.22.1
>
>     authby=psk
>
>     type=tunnel
>
>     auto=add
>
>     # Rekeying
>     #rekey=no
>
> include /var/lib/strongswan/ipsec.conf.inc
>
>
> #####
> Here are the results from 'ipsec statusall':
> Initial connection:
> #ipsec statusall
>
> Status of IKE charon daemon (weakSwan 5.8.4, Linux 5.5.0-kali2-amd64,
> x86_64):
> uptime: 20 seconds, since Mar 09 13:32:08 2021
> malloc: sbrk 1622016, mmap 0, used 610688, free 1011328
> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
> scheduled: 3
> loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509
> revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey
> pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink
> resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic
> counters
>
> Listening IP addresses:
> 192.19.22.10
> 172.19.22.10
> 172.17.0.1
> Connections:
> VPNPeer: 192.19.22.10...192.19.22.1 IKEv1
> VPNPeer: local: [192.19.22.10] uses pre-shared key authentication
> VPNPeer: remote: [192.19.22.1] uses pre-shared key authentication
> VPNPeer: child: dynamic === dynamic TUNNEL
>
> Security Associations (1 up, 0 connecting):
> VPNPeer[1]: ESTABLISHED 11 seconds ago,
> 192.19.22.10[192.19.22.10]...192.19.22.1[192.19.22.1]
> VPNPeer[1]: IKEv1 SPIs: e53ec81750a41b9c_i 84f72669eb1b150b_r*,
> pre-shared key reauthentication in 23 hours
> VPNPeer[1]: IKE proposal:
> AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
> VPNPeer{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c8bf9eca_i
> 2d5a8f29_o
> VPNPeer{1}: AES_CBC_128/HMAC_SHA1_96/MODP_2048, 400 bytes_i (4 pkts,
> 9s ago), 400 bytes_o (4 pkts, 9s ago), rekeying in 7 hours
> VPNPeer{1}: 192.19.22.10/32 === 192.19.22.1/32
>
>
>
> After IKE Phase 1 rekey:
> #ipsec statusall
>
> Status of IKE charon daemon (weakSwan 5.8.4, Linux 5.5.0-kali2-amd64,
> x86_64):
> uptime: 6 minutes, since Mar 09 13:32:08 2021
> malloc: sbrk 1622016, mmap 0, used 640656, free 981360
> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
> scheduled: 5
> loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509
> revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey
> pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink
> resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic
> counters
>
> Listening IP addresses:
> 192.19.22.10
> 172.19.22.10
> 172.17.0.1
> Connections:
> VPNPeer: 192.19.22.10...192.19.22.1 IKEv1
> VPNPeer: local: [192.19.22.10] uses pre-shared key authentication
> VPNPeer: remote: [192.19.22.1] uses pre-shared key authentication
> VPNPeer: child: dynamic === dynamic TUNNEL
>
> Security Associations (1 up, 0 connecting):
> VPNPeer[2]: ESTABLISHED 9 seconds ago,
> 192.19.22.10[192.19.22.10]...192.19.22.1[192.19.22.1]
> VPNPeer[2]: IKEv1 SPIs: e53ec81702d2cc91_i 47da289647a60462_r*,
> pre-shared key reauthentication in 23 hours
> VPNPeer[2]: IKE proposal:
> AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>
> #####
> # charon_debug.log - attached.
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: charon_debug.log
> Type: application/octet-stream
> Size: 28985 bytes
> Desc: not available
> URL: <
> http://lists.strongswan.org/pipermail/users/attachments/20210309/4c35ad50/attachment.obj
> >
>
>
End of Users Digest, Vol 134, Issue 7
*************************************
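The charon_debug.log excerpt quoted above shows the `IKE_SA <conn>[<n>] state change: OLD => NEW` lines that record the old IKE_SA being torn down after the rekey. As an added example for this thread (not code from either poster or from the strongSwan project), the Python checker below scans lines in that layout and reports any CHILD_SA that enters DELETING shortly after a second IKE_SA of the same connection is ESTABLISHED without a replacement CHILD_SA being INSTALLED, which is exactly the symptom Sean B describes. It assumes CHILD_SA state changes are logged in the same shape as the IKE_SA lines (with `{n}` instead of `[n]` for the instance id); the sample log lines are constructed, and use real hours where the posted log prints `%H` because of a time-format typo in the logger configuration.

```python
"""Spot IPsec (CHILD) SAs dropped around an IKEv1 IKE_SA rekey in charon logs.

Added example for this thread, not code from the post or from strongSwan.
Assumptions: CHILD_SA state changes are logged in the same shape as the
IKE_SA "state change: OLD => NEW" lines shown in the thread, and the sample
log lines below are constructed.
"""
import re
from collections import defaultdict

# Layout of one charon log line as seen in the thread, e.g.
# "Tue, 2021-03-09, 13:39:17 00[IKE] <VPNPeer|3> IKE_SA VPNPeer[3] state change: ESTABLISHED => DELETING"
LINE_RE = re.compile(
    r"^(?P<ts>.+?) (?P<thread>\d{2})\[(?P<group>[A-Z]{3})\] "
    r"(?:<(?P<conn>[^|>]+)\|(?P<ike>\d+)> )?(?P<msg>.*)$"
)
TIME_RE = re.compile(r"(\d{2}):(\d{2}):(\d{2})")
# IKE_SA instances are written as name[n], CHILD_SA instances as name{n}.
STATE_RE = re.compile(
    r"^(?P<kind>IKE_SA|CHILD_SA) (?P<name>\w+)[\[{](?P<id>\d+)[\]}] "
    r"state change: (?P<old>\w+) => (?P<new>\w+)$"
)


def parse_line(line):
    """Return a dict for one charon log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    t = TIME_RE.search(ev["ts"])
    # Seconds since midnight; None when the hour is unparseable (the posted
    # log prints "%H"), in which case only line order is used for windows.
    ev["secs"] = int(t[1]) * 3600 + int(t[2]) * 60 + int(t[3]) if t else None
    s = STATE_RE.match(ev["msg"])
    ev["state"] = s.groupdict() if s else None
    return ev


def _within(a, b, window):
    """True if event b follows event a by at most `window` seconds."""
    if a["secs"] is None or b["secs"] is None:
        return a["idx"] < b["idx"]
    return 0 <= b["secs"] - a["secs"] <= window


def find_rekey_losses(lines, window=60):
    """Report CHILD_SAs that go to DELETING within `window` seconds after a
    second (or later) IKE_SA of the same connection is ESTABLISHED and are
    not replaced by a newly INSTALLED CHILD_SA within the same window."""
    by_conn = defaultdict(lambda: {"ike_up": [], "child_up": [], "child_down": []})
    for idx, line in enumerate(lines):
        ev = parse_line(line)
        if not ev or not ev["state"]:
            continue
        ev["idx"] = idx
        st = ev["state"]
        bucket = by_conn[st["name"]]
        if st["kind"] == "IKE_SA" and st["new"] == "ESTABLISHED":
            bucket["ike_up"].append(ev)
        elif st["kind"] == "CHILD_SA" and st["new"] == "INSTALLED":
            bucket["child_up"].append(ev)
        elif st["kind"] == "CHILD_SA" and st["new"] == "DELETING":
            bucket["child_down"].append(ev)

    findings = []
    for conn, b in by_conn.items():
        if not b["ike_up"]:
            continue
        first_ike = b["ike_up"][0]["state"]["id"]
        for down in b["child_down"]:
            rekeys = [u for u in b["ike_up"]
                      if u["state"]["id"] != first_ike and _within(u, down, window)]
            replaced = [u for u in b["child_up"] if _within(down, u, window)]
            if rekeys and not replaced:
                findings.append({
                    "conn": conn,
                    "child": f"{conn}{{{down['state']['id']}}}",
                    "ike": f"{conn}[{rekeys[-1]['state']['id']}]",
                    "line": down["idx"] + 1,
                })
    return findings


# Constructed sample in the thread's log layout: IKE_SA[2] replaces
# IKE_SA[1] and CHILD_SA{1} is torn down with it instead of being adopted.
SAMPLE_LOSS = """\
Tue, 2021-03-09, 13:32:19 07[IKE] <VPNPeer|1> IKE_SA VPNPeer[1] state change: CONNECTING => ESTABLISHED
Tue, 2021-03-09, 13:32:19 07[CHD] <VPNPeer|1> CHILD_SA VPNPeer{1} state change: CREATED => INSTALLED
Tue, 2021-03-09, 13:38:10 09[IKE] <VPNPeer|2> IKE_SA VPNPeer[2] state change: CONNECTING => ESTABLISHED
Tue, 2021-03-09, 13:38:10 09[IKE] <VPNPeer|1> received DELETE for IKE_SA VPNPeer[1]
Tue, 2021-03-09, 13:38:10 09[CHD] <VPNPeer|1> CHILD_SA VPNPeer{1} state change: INSTALLED => DELETING
Tue, 2021-03-09, 13:38:10 09[IKE] <VPNPeer|1> IKE_SA VPNPeer[1] state change: ESTABLISHED => DELETING
Tue, 2021-03-09, 13:38:10 09[IKE] <VPNPeer|1> IKE_SA VPNPeer[1] state change: DELETING => DESTROYING
""".splitlines()

# Constructed healthy CHILD_SA rekey: {2} is installed before {1} goes away
# and no new IKE_SA is involved, so nothing is reported.
SAMPLE_OK = """\
Tue, 2021-03-09, 13:32:19 07[IKE] <VPNPeer|1> IKE_SA VPNPeer[1] state change: CONNECTING => ESTABLISHED
Tue, 2021-03-09, 13:32:19 07[CHD] <VPNPeer|1> CHILD_SA VPNPeer{1} state change: CREATED => INSTALLED
Tue, 2021-03-09, 20:32:19 11[CHD] <VPNPeer|1> CHILD_SA VPNPeer{2} state change: CREATED => INSTALLED
Tue, 2021-03-09, 20:32:19 11[CHD] <VPNPeer|1> CHILD_SA VPNPeer{1} state change: INSTALLED => DELETING
""".splitlines()

if __name__ == "__main__":
    for f in find_rekey_losses(SAMPLE_LOSS):
        print(f"{f['conn']}: {f['child']} deleted right after {f['ike']} "
              f"was established (line {f['line']}) and not replaced")
```

Run it against a real charon_debug.log by passing the file's lines to `find_rekey_losses`; a finding pinpoints the line where the IPsec SA was dropped, which is the place to compare against what the Cisco peer sent just before it. The window defaults to 60 seconds so that an ordinary CHILD_SA rekey hours later is not confused with a loss caused by the IKE_SA rekey.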