Hi!
When I configure multiple subnets (traffic selectors) between iked and
strongswan, and iked acts as initiator (active), iked creates only the first
CHILD_SA.
strongswan config:
conn openbsd
    keyexchange=ikev2
    auto=add
    left=10.2.50.130
    right=10.2.50.24
    authby=secret
    type=tunnel
    dpdaction=hold
conn openbsd-subnet-1
    also=openbsd
    leftsubnet=192.0.3.0/24
    rightsubnet=192.0.2.0/24
conn openbsd-subnet-2
    also=openbsd
    leftsubnet=192.0.5.0/24
    rightsubnet=192.0.4.0/24
iked config:
ikev2 strongswan active esp \
from 192.0.2.0/24 to 192.0.3.0/24 \
from 192.0.4.0/24 to 192.0.5.0/24 \
local 10.2.50.24 peer 10.2.50.130 \
srcid 10.2.50.24 dstid 10.2.50.130 \
psk "you-should-not-use-psk-authentication!"
After starting iked:
ikectl show sa
iked_sas: 0xf77bf267f0 rspi 0x2d3cf6edea006a61 ispi 0x8571a56c49fa05ff
10.2.50.24:500->10.2.50.130:500<IPV4/10.2.50.130>[] ESTABLISHED i nexti 0x0
pol 0xf7719fe000
sa_childsas: 0xf757c49e00 ESP 0xcd93a0cd out 10.2.50.24:500 ->
10.2.50.130:500 (L) B=0x0 P=0xf757c49000 @0xf77bf267f0
sa_childsas: 0xf757c49000 ESP 0xa48da310 in 10.2.50.130:500 ->
10.2.50.24:500 (LA) B=0x0 P=0xf757c49e00 @0xf77bf267f0
sa_flows: 0xf7998fcc00 ESP out 192.0.2.0/24 -> 192.0.3.0/24 [0]@-1 (L)
@0xf77bf267f0
sa_flows: 0xf721e58800 ESP in 192.0.3.0/24 -> 192.0.2.0/24 [0]@-1 (L)
@0xf77bf267f0
sa_flows: 0xf752c7ac00 ESP out 192.0.4.0/24 -> 192.0.5.0/24 [0]@-1 (L)
@0xf77bf267f0
sa_flows: 0xf721e58400 ESP in 192.0.5.0/24 -> 192.0.4.0/24 [0]@-1 (L)
@0xf77bf267f0
iked_activesas: 0xf757c49000 ESP 0xa48da310 in 10.2.50.130:500 ->
10.2.50.24:500 (LA) B=0x0 P=0xf757c49e00 @0xf77bf267f0
iked_activesas: 0xf757c49e00 ESP 0xcd93a0cd out 10.2.50.24:500 ->
10.2.50.130:500 (L) B=0x0 P=0xf757c49000 @0xf77bf267f0
iked_flows: 0xf721e58800 ESP in 192.0.3.0/24 -> 192.0.2.0/24 [0]@-1 (L)
@0xf77bf267f0
iked_flows: 0xf721e58400 ESP in 192.0.5.0/24 -> 192.0.4.0/24 [0]@-1 (L)
@0xf77bf267f0
iked_flows: 0xf7998fcc00 ESP out 192.0.2.0/24 -> 192.0.3.0/24 [0]@-1 (L)
@0xf77bf267f0
iked_flows: 0xf752c7ac00 ESP out 192.0.4.0/24 -> 192.0.5.0/24 [0]@-1 (L)
@0xf77bf267f0
ipsecctl -sa
FLOWS:
flow esp in from 192.0.3.0/24 to 192.0.2.0/24 peer 10.2.50.130 srcid IPV4/
10.2.50.24 dstid IPV4/10.2.50.130 type require
flow esp in from 192.0.5.0/24 to 192.0.4.0/24 peer 10.2.50.130 srcid IPV4/
10.2.50.24 dstid IPV4/10.2.50.130 type require
flow esp out from 192.0.2.0/24 to 192.0.3.0/24 peer 10.2.50.130 srcid IPV4/
10.2.50.24 dstid IPV4/10.2.50.130 type require
flow esp out from 192.0.4.0/24 to 192.0.5.0/24 peer 10.2.50.130 srcid IPV4/
10.2.50.24 dstid IPV4/10.2.50.130 type require
SAD:
esp tunnel from 10.2.50.130 to 10.2.50.24 spi 0xa48da310 auth hmac-sha2-256
enc aes
esp tunnel from 10.2.50.24 to 10.2.50.130 spi 0xcd93a0cd auth hmac-sha2-256
enc aes
Connections:
openbsd: 10.2.50.130...10.2.50.24 IKEv2, dpddelay=30s
openbsd: local: [10.2.50.130] uses pre-shared key authentication
openbsd: remote: [10.2.50.24] uses pre-shared key authentication
openbsd: child: dynamic === dynamic TUNNEL, dpdaction=hold
openbsd-subnet-1: child: 192.0.3.0/24 === 192.0.2.0/24 TUNNEL,
dpdaction=hold
openbsd-subnet-2: child: 192.0.5.0/24 === 192.0.4.0/24 TUNNEL,
dpdaction=hold
Security Associations (1 up, 0 connecting):
openbsd[2]: ESTABLISHED 42 seconds ago,
10.2.50.130[10.2.50.130]...10.2.50.24[10.2.50.24]
openbsd[2]: IKEv2 SPIs: 8571a56c49fa05ff_i 2d3cf6edea006a61_r*,
pre-shared key reauthentication in 2 hours
openbsd[2]: IKE proposal:
AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
openbsd-subnet-1{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cd93a0cd_i
a48da310_o
openbsd-subnet-1{1}: AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o,
rekeying in 44 minutes
openbsd-subnet-1{1}: 192.0.3.0/24 === 192.0.2.0/24
Log:
iked -dvv
create_ike: using unknown for peer 10.2.50.130
ikev2 "strongswan" active tunnel esp inet from 192.0.2.0/24 to 192.0.3.0/24
from 192.0.4.0/24 to 192.0.5.0/24 local 10.2.50.24 peer 10.2.50.130 ikesa
enc aes-128-gcm,aes-256-gcm prf
hmac-sha2-512,hmac-sha2-384,hmac-sha2-256,hmac-sha1 group
curve25519,ecp521,ecp384,ecp256,modp4096,modp3072,modp2048,modp1536,modp1024
ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth
hmac-sha2-256,hmac-sha1 group
curve25519,ecp521,ecp384,ecp256,modp4096,modp3072,modp2048,modp1536,modp1024
childsa enc aes-128-gcm,aes-256-gcm esn,noesn childsa enc
aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 esn,noesn srcid
10.2.50.24 dstid 10.2.50.130 lifetime 10800 bytes 536870912 psk
0x796f752d73686f756c642d6e6f742d7573652d70736b2d61757468656e7469636174696f6e21
/etc/iked.conf: loaded 1 configuration rules
ca_privkey_serialize: type RSA_KEY length 1191
ca_pubkey_serialize: type RSA_KEY length 270
config_getpolicy: received policy
ca_privkey_to_method: type RSA_KEY method RSA_SIG
ca_getkey: received private key type RSA_KEY length 1191
ca_getkey: received public key type RSA_KEY length 270
ca_dispatch_parent: config reset
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
config_getmobike: mobike
config_getfragmentation: no fragmentation
config_getnattport: nattport 4500
ca_reload: local cert type RSA_KEY
config_getocsp: ocsp_url none
ikev2_dispatch_cert: updated local CERTREQ type RSA_KEY length 0
ikev2_init_ike_sa: initiating "strongswan"
ikev2_policy2id: srcid IPV4/10.2.50.24 length 8
ikev2_add_proposals: length 292
ikev2_next_payload: length 296 nextpayload KE
ikev2_next_payload: length 40 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0xe50ba39bb72a1b5b 0x0000000000000000
10.2.50.24:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0xe50ba39bb72a1b5b
0x0000000000000000 10.2.50.130:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_next_payload: length 14 nextpayload NONE
ikev2_pld_parse: header ispi 0xe50ba39bb72a1b5b rspi 0x0000000000000000
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length
470 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 296
ikev2_pld_sa: more 2 reserved 0 length 136 proposal #1 protoid IKE spisize
0 xforms 15 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id CURVE25519
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_4096
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_3072
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_1536
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_sa: more 0 reserved 0 length 156 proposal #2 protoid IKE spisize
0 xforms 17 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id CURVE25519
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_4096
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_3072
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_1536
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 40
ikev2_pld_ke: dh group CURVE25519 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length
28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length
28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
spi=0xe50ba39bb72a1b5b: send IKE_SA_INIT req 0 peer 10.2.50.130:500 local
10.2.50.24:500, 470 bytes
spi=0xe50ba39bb72a1b5b: sa_state: INIT -> SA_INIT
spi=0xe50ba39bb72a1b5b: recv IKE_SA_INIT res 0 peer 10.2.50.130:500 local
10.2.50.24:500, 38 bytes, policy 'strongswan'
ikev2_recv: ispi 0xe50ba39bb72a1b5b rspi 0x0000000000000000
ikev2_recv: updated SA to peer 10.2.50.130:500 local 10.2.50.24:500
ikev2_policy2id: srcid IPV4/10.2.50.24 length 8
ikev2_pld_parse: header ispi 0xe50ba39bb72a1b5b rspi 0x0000000000000000
nextpayload NOTIFY version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0
length 38 response 1
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 10
ikev2_pld_notify: protoid NONE spisize 0 type INVALID_KE_PAYLOAD
ikev2_handle_notifies: responder selected DH group 19
spi=0xe50ba39bb72a1b5b: sa_state: SA_INIT -> CLOSED from 10.2.50.130:500 to
10.2.50.24:500 policy 'strongswan'
ikev2_recv: closing SA
spi=0xe50ba39bb72a1b5b: sa_free: reinitiating with new DH group
ikev2_init_ike_sa: initiating "strongswan"
ikev2_policy2id: srcid IPV4/10.2.50.24 length 8
ikev2_add_proposals: length 292
ikev2_next_payload: length 296 nextpayload KE
ikev2_next_payload: length 72 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0x8571a56c49fa05ff 0x0000000000000000
10.2.50.24:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0x8571a56c49fa05ff
0x0000000000000000 10.2.50.130:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_next_payload: length 14 nextpayload NONE
ikev2_pld_parse: header ispi 0x8571a56c49fa05ff rspi 0x0000000000000000
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length
502 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 296
ikev2_pld_sa: more 2 reserved 0 length 136 proposal #1 protoid IKE spisize
0 xforms 15 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id CURVE25519
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_4096
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_3072
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_1536
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_sa: more 0 reserved 0 length 156 proposal #2 protoid IKE spisize
0 xforms 17 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id CURVE25519
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_4096
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_3072
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_1536
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 72
ikev2_pld_ke: dh group ECP_256 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length
28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length
28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
spi=0x8571a56c49fa05ff: send IKE_SA_INIT req 0 peer 10.2.50.130:500 local
10.2.50.24:500, 502 bytes
spi=0x8571a56c49fa05ff: sa_state: INIT -> SA_INIT
spi=0x8571a56c49fa05ff: recv IKE_SA_INIT res 0 peer 10.2.50.130:500 local
10.2.50.24:500, 262 bytes, policy 'strongswan'
ikev2_recv: ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
ikev2_recv: updated SA to peer 10.2.50.130:500 local 10.2.50.24:500
ikev2_policy2id: srcid IPV4/10.2.50.24 length 8
ikev2_pld_parse: header ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length
262 response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #2 protoid IKE spisize 0
xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id ECP_256
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 72
ikev2_pld_ke: dh group ECP_256 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length
28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0x8571a56c49fa05ff 0x2d3cf6edea006a61
10.2.50.130:500
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length
28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0x8571a56c49fa05ff 0x2d3cf6edea006a61
10.2.50.24:500
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length
14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
ikev2_pld_notify: signature hash SHA2_256 (2)
ikev2_pld_notify: signature hash SHA2_384 (3)
ikev2_pld_notify: signature hash SHA2_512 (4)
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type MULTIPLE_AUTH_SUPPORTED
proposals_negotiate: score 0
proposals_negotiate: score 16
sa_stateok: SA_INIT flags 0x0000, require 0x0008 auth
spi=0x8571a56c49fa05ff: ikev2_sa_keys: DHSECRET with 32 bytes
ikev2_sa_keys: SKEYSEED with 32 bytes
spi=0x8571a56c49fa05ff: ikev2_sa_keys: S with 80 bytes
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: T5 with 32 bytes
ikev2_prfplus: T6 with 32 bytes
ikev2_prfplus: Tn with 192 bytes
ikev2_sa_keys: SK_d with 32 bytes
ikev2_sa_keys: SK_ai with 32 bytes
ikev2_sa_keys: SK_ar with 32 bytes
ikev2_sa_keys: SK_ei with 16 bytes
ikev2_sa_keys: SK_er with 16 bytes
ikev2_sa_keys: SK_pi with 32 bytes
ikev2_sa_keys: SK_pr with 32 bytes
ikev2_msg_auth: initiator auth data length 566
sa_stateok: SA_INIT flags 0x0008, require 0x0008 auth
ikev2_next_payload: length 12 nextpayload AUTH
ikev2_next_payload: length 40 nextpayload SA
pfkey_sa_getspi: spi 0xa48da310
pfkey_sa_init: new spi 0xa48da310
ikev2_add_proposals: length 132
ikev2_next_payload: length 136 nextpayload TSi
ikev2_next_payload: length 40 nextpayload TSr
ikev2_next_payload: length 40 nextpayload NONE
ikev2_next_payload: length 308 nextpayload IDi
ikev2_msg_encrypt: decrypted length 268
ikev2_msg_encrypt: padded length 272
ikev2_msg_encrypt: length 269, padding 3, output length 304
ikev2_msg_integr: message length 336
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 336
response 0
ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 308
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 272
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 272/272 padding 3
ikev2_pld_payloads: decrypted payload IDi nextpayload AUTH critical 0x00
length 12
ikev2_pld_id: id IPV4/10.2.50.24 length 8
ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00
length 40
ikev2_pld_auth: method SHARED_KEY_MIC length 32
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00
length 136
ikev2_pld_sa: more 2 reserved 0 length 52 proposal #1 protoid ESP spisize 4
xforms 4 spi 0xa48da310
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type ESN id ESN
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_sa: more 0 reserved 0 length 80 proposal #2 protoid ESP spisize 4
xforms 7 spi 0xa48da310
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type ESN id ESN
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00
length 40
ikev2_pld_ts: count 2 length 32
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
65535
ikev2_pld_ts: start 192.0.2.0 end 192.0.2.255
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
65535
ikev2_pld_ts: start 192.0.4.0 end 192.0.4.255
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00
length 40
ikev2_pld_ts: count 2 length 32
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
65535
ikev2_pld_ts: start 192.0.3.0 end 192.0.3.255
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
65535
ikev2_pld_ts: start 192.0.5.0 end 192.0.5.255
spi=0x8571a56c49fa05ff: send IKE_AUTH req 1 peer 10.2.50.130:500 local
10.2.50.24:500, 336 bytes
config_free_proposals: free 0xf757c4a200
spi=0x8571a56c49fa05ff: recv IKE_AUTH res 1 peer 10.2.50.130:500 local
10.2.50.24:500, 224 bytes, policy 'strongswan'
ikev2_recv: ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
ikev2_recv: updated SA to peer 10.2.50.130:500 local 10.2.50.24:500
ikev2_pld_parse: header ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
nextpayload SK version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length 224
response 1
ikev2_pld_payloads: payload SK nextpayload IDr critical 0x00 length 196
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 160
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 160/160 padding 3
ikev2_pld_payloads: decrypted payload IDr nextpayload AUTH critical 0x00
length 12
ikev2_pld_id: id IPV4/10.2.50.130 length 8
ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00
length 40
ikev2_pld_auth: method SHARED_KEY_MIC length 32
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00
length 44
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #2 protoid ESP spisize 4
xforms 3 spi 0xcd93a0cd
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00
length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
65535
ikev2_pld_ts: start 192.0.2.0 end 192.0.2.255
ikev2_pld_payloads: decrypted payload TSr nextpayload NOTIFY critical 0x00
length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
65535
ikev2_pld_ts: start 192.0.3.0 end 192.0.3.255
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NONE critical 0x00
length 12
ikev2_pld_notify: protoid NONE spisize 0 type AUTH_LIFETIME
spi=0x8571a56c49fa05ff: sa_state: SA_INIT -> AUTH_REQUEST
proposals_negotiate: score 0
proposals_negotiate: score 10
sa_stateflags: 0x0008 -> 0x0028 auth,sa (required 0x0030 authvalid,sa)
ikev2_msg_auth: responder auth data length 326
ikev2_msg_authverify: method SHARED_KEY_MIC keylen 32 type NONE
ikev2_msg_authverify: authentication successful
spi=0x8571a56c49fa05ff: sa_state: AUTH_REQUEST -> AUTH_SUCCESS
sa_stateflags: 0x0028 -> 0x0038 auth,authvalid,sa (required 0x0030
authvalid,sa)
sa_stateok: VALID flags 0x0030, require 0x0030 authvalid,sa
spi=0x8571a56c49fa05ff: sa_state: AUTH_SUCCESS -> VALID
sa_stateok: VALID flags 0x0030, require 0x0030 authvalid,sa
sa_stateok: VALID flags 0x0030, require 0x0030 authvalid,sa
ikev2_sa_tag: (0)
ikev2_childsa_negotiate: proposal 2
ikev2_childsa_negotiate: key material length 96
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: Tn with 96 bytes
pfkey_sa_add: add spi 0xcd93a0cd
ikev2_childsa_enable: loaded CHILD SA spi 0xcd93a0cd
pfkey_sa_add: update spi 0xa48da310
ikev2_childsa_enable: loaded CHILD SA spi 0xa48da310
ikev2_childsa_enable: loaded flow 0xf7998fcc00
ikev2_childsa_enable: loaded flow 0xf721e58800
ikev2_childsa_enable: loaded flow 0xf752c7ac00
ikev2_childsa_enable: loaded flow 0xf721e58400
ikev2_childsa_enable: remember SA peer 10.2.50.130:500
spi=0x8571a56c49fa05ff: ikev2_childsa_enable: loaded SPIs: 0xcd93a0cd,
0xa48da310
spi=0x8571a56c49fa05ff: ikev2_childsa_enable: loaded flows:
ESP-192.0.2.0/24=192.0.3.0/24(0), ESP-192.0.4.0/24=192.0.5.0/24(0)
spi=0x8571a56c49fa05ff: sa_state: VALID -> ESTABLISHED from 10.2.50.130:500
to 10.2.50.24:500 policy 'strongswan'
spi=0x8571a56c49fa05ff: established peer 10.2.50.130:500[IPV4/10.2.50.130]
local 10.2.50.24:500[IPV4/10.2.50.24] policy 'strongswan' as initiator
config_free_proposals: free 0xf757c4ab00
2020-07-31T09:26:18+02:00 ipsecgw1 charon: 13[NET] received packet: from
10.2.50.24[500] to 10.2.50.130[500] (470 bytes)
2020-07-31T09:26:18+02:00 ipsecgw1 charon: 13[ENC] parsed IKE_SA_INIT
request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
2020-07-31T09:26:18+02:00 ipsecgw1 charon: 13[IKE] 10.2.50.24 is initiating
an IKE_SA
2020-07-31T09:26:18+02:00 ipsecgw1 charon: 13[IKE] 10.2.50.24 is initiating
an IKE_SA
2020-07-31T09:26:18+02:00 ipsecgw1 charon: 13[CFG] selected proposal:
IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
2020-07-31T09:26:18+02:00 ipsecgw1 charon: 13[IKE] DH group CURVE_25519
unacceptable, requesting ECP_256
2020-07-31T09:26:18+02:00 ipsecgw1 charon: 13[ENC] generating IKE_SA_INIT
response 0 [ N(INVAL_KE) ]
2020-07-31T09:26:18+02:00 ipsecgw1 charon: 13[NET] sending packet: from
10.2.50.130[500] to 10.2.50.24[500] (38 bytes)
2020-07-31T09:26:20+02:00 ipsecgw1 charon: 14[NET] received packet: from
10.2.50.24[500] to 10.2.50.130[500] (502 bytes)
2020-07-31T09:26:20+02:00 ipsecgw1 charon: 14[ENC] parsed IKE_SA_INIT
request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
2020-07-31T09:26:20+02:00 ipsecgw1 charon: 14[IKE] 10.2.50.24 is initiating
an IKE_SA
2020-07-31T09:26:20+02:00 ipsecgw1 charon: 14[IKE] 10.2.50.24 is initiating
an IKE_SA
2020-07-31T09:26:20+02:00 ipsecgw1 charon: 14[CFG] selected proposal:
IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
2020-07-31T09:26:20+02:00 ipsecgw1 charon: 14[ENC] generating IKE_SA_INIT
response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
2020-07-31T09:26:20+02:00 ipsecgw1 charon: 14[NET] sending packet: from
10.2.50.130[500] to 10.2.50.24[500] (262 bytes)
2020-07-31T09:26:20+02:00 ipsecgw1 charon: 15[NET] received packet: from
10.2.50.24[500] to 10.2.50.130[500] (336 bytes)
2020-07-31T09:26:20+02:00 ipsecgw1 charon: 15[ENC] parsed IKE_AUTH request
1 [ IDi AUTH SA TSi TSr ]
2020-07-31T09:26:20+02:00 ipsecgw1 charon: 15[CFG] looking for peer configs
matching 10.2.50.130[%any]...10.2.50.24[10.2.50.24]
2020-07-31T09:26:20+02:00 ipsecgw1 charon: 15[CFG] selected peer config
'openbsd'
2020-07-31T09:26:20+02:00 ipsecgw1 charon: 15[IKE] authentication of
'10.2.50.24' with pre-shared key successful
2020-07-31T09:26:20+02:00 ipsecgw1 charon: 15[IKE] authentication of
'10.2.50.130' (myself) with pre-shared key
2020-07-31T09:26:20+02:00 ipsecgw1 charon: 15[IKE] IKE_SA openbsd[2]
established between 10.2.50.130[10.2.50.130]...10.2.50.24[10.2.50.24]
2020-07-31T09:26:20+02:00 ipsecgw1 charon: 15[IKE] IKE_SA openbsd[2]
established between 10.2.50.130[10.2.50.130]...10.2.50.24[10.2.50.24]
2020-07-31T09:26:20+02:00 ipsecgw1 charon: 15[IKE] scheduling
reauthentication in 10045s
2020-07-31T09:26:20+02:00 ipsecgw1 charon: 15[IKE] maximum IKE_SA lifetime
10585s
2020-07-31T09:26:20+02:00 ipsecgw1 charon: 15[CFG] selected proposal:
ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
2020-07-31T09:26:20+02:00 ipsecgw1 charon: 15[IKE] CHILD_SA
openbsd-subnet-1{1} established with SPIs cd93a0cd_i a48da310_o and TS
192.0.3.0/24 === 192.0.2.0/24
2020-07-31T09:26:20+02:00 ipsecgw1 charon: 15[IKE] CHILD_SA
openbsd-subnet-1{1} established with SPIs cd93a0cd_i a48da310_o and TS
192.0.3.0/24 === 192.0.2.0/24
2020-07-31T09:26:20+02:00 ipsecgw1 charon: 15[ENC] generating IKE_AUTH
response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
If I initiate the second CHILD_SA by hand from strongswan, it works:
ipsec up openbsd-subnet-2
establishing CHILD_SA openbsd-subnet-2{2}
generating CREATE_CHILD_SA request 16 [ SA No TSi TSr ]
sending packet: from 10.2.50.130[500] to 10.2.50.24[500] (256 bytes)
received packet: from 10.2.50.24[500] to 10.2.50.130[500] (240 bytes)
parsed CREATE_CHILD_SA response 16 [ SA No TSi TSr ]
selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
CHILD_SA openbsd-subnet-2{2} established with SPIs c9be082b_i efe9920e_o
and TS 192.0.5.0/24 === 192.0.4.0/24
connection 'openbsd-subnet-2' established successfully
ikectl show sa
iked_sas: 0xf77bf267f0 rspi 0x2d3cf6edea006a61 ispi 0x8571a56c49fa05ff
10.2.50.24:500->10.2.50.130:500<IPV4/10.2.50.130>[] ESTABLISHED i nexti 0x0
pol 0xf7719fe000
sa_childsas: 0xf757c49e00 ESP 0xcd93a0cd out 10.2.50.24:500 ->
10.2.50.130:500 (L) B=0x0 P=0xf757c49000 @0xf77bf267f0
sa_childsas: 0xf757c49000 ESP 0xa48da310 in 10.2.50.130:500 ->
10.2.50.24:500 (LA) B=0x0 P=0xf757c49e00 @0xf77bf267f0
sa_childsas: 0xf7a68f2000 ESP 0xefe9920e in 10.2.50.130:500 ->
10.2.50.24:500 (LA) B=0x0 P=0xf757c49800 @0xf77bf267f0
sa_childsas: 0xf757c49800 ESP 0xc9be082b out 10.2.50.24:500 ->
10.2.50.130:500 (L) B=0x0 P=0xf7a68f2000 @0xf77bf267f0
sa_flows: 0xf7998fcc00 ESP out 192.0.2.0/24 -> 192.0.3.0/24 [0]@-1 (L)
@0xf77bf267f0
sa_flows: 0xf721e58800 ESP in 192.0.3.0/24 -> 192.0.2.0/24 [0]@-1 (L)
@0xf77bf267f0
sa_flows: 0xf752c7ac00 ESP out 192.0.4.0/24 -> 192.0.5.0/24 [0]@-1 (L)
@0xf77bf267f0
sa_flows: 0xf721e58400 ESP in 192.0.5.0/24 -> 192.0.4.0/24 [0]@-1 (L)
@0xf77bf267f0
iked_activesas: 0xf757c49000 ESP 0xa48da310 in 10.2.50.130:500 ->
10.2.50.24:500 (LA) B=0x0 P=0xf757c49e00 @0xf77bf267f0
iked_activesas: 0xf757c49800 ESP 0xc9be082b out 10.2.50.24:500 ->
10.2.50.130:500 (L) B=0x0 P=0xf7a68f2000 @0xf77bf267f0
iked_activesas: 0xf757c49e00 ESP 0xcd93a0cd out 10.2.50.24:500 ->
10.2.50.130:500 (L) B=0x0 P=0xf757c49000 @0xf77bf267f0
iked_activesas: 0xf7a68f2000 ESP 0xefe9920e in 10.2.50.130:500 ->
10.2.50.24:500 (LA) B=0x0 P=0xf757c49800 @0xf77bf267f0
iked_flows: 0xf721e58800 ESP in 192.0.3.0/24 -> 192.0.2.0/24 [0]@-1 (L)
@0xf77bf267f0
iked_flows: 0xf721e58400 ESP in 192.0.5.0/24 -> 192.0.4.0/24 [0]@-1 (L)
@0xf77bf267f0
iked_flows: 0xf7998fcc00 ESP out 192.0.2.0/24 -> 192.0.3.0/24 [0]@-1 (L)
@0xf77bf267f0
iked_flows: 0xf752c7ac00 ESP out 192.0.4.0/24 -> 192.0.5.0/24 [0]@-1 (L)
@0xf77bf267f0
ipsecctl -sa
FLOWS:
flow esp in from 192.0.3.0/24 to 192.0.2.0/24 peer 10.2.50.130 srcid IPV4/
10.2.50.24 dstid IPV4/10.2.50.130 type require
flow esp in from 192.0.5.0/24 to 192.0.4.0/24 peer 10.2.50.130 srcid IPV4/
10.2.50.24 dstid IPV4/10.2.50.130 type require
flow esp out from 192.0.2.0/24 to 192.0.3.0/24 peer 10.2.50.130 srcid IPV4/
10.2.50.24 dstid IPV4/10.2.50.130 type require
flow esp out from 192.0.4.0/24 to 192.0.5.0/24 peer 10.2.50.130 srcid IPV4/
10.2.50.24 dstid IPV4/10.2.50.130 type require
SAD:
esp tunnel from 10.2.50.130 to 10.2.50.24 spi 0xa48da310 auth hmac-sha2-256
enc aes
esp tunnel from 10.2.50.24 to 10.2.50.130 spi 0xc9be082b auth hmac-sha2-256
enc aes-256
esp tunnel from 10.2.50.24 to 10.2.50.130 spi 0xcd93a0cd auth hmac-sha2-256
enc aes
esp tunnel from 10.2.50.130 to 10.2.50.24 spi 0xefe9920e auth hmac-sha2-256
enc aes-256
Log:
spi=0x8571a56c49fa05ff: recv CREATE_CHILD_SA req 16 peer 10.2.50.130:500
local 10.2.50.24:500, 256 bytes, policy 'strongswan'
ikev2_recv: ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
ikev2_recv: updated SA to peer 10.2.50.130:500 local 10.2.50.24:500
ikev2_pld_parse: header ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
nextpayload SK version 0x20 exchange CREATE_CHILD_SA flags 0x00 msgid 16
length 256 response 0
ikev2_pld_payloads: payload SK nextpayload SA critical 0x00 length 228
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 192
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 192/192 padding 7
ikev2_pld_payloads: decrypted payload SA nextpayload NONCE critical 0x00
length 100
ikev2_pld_sa: more 0 reserved 0 length 96 proposal #1 protoid ESP spisize 4
xforms 9 spi 0xc9be082b
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_384_192
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_512_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id AES_XCBC_96
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload NONCE nextpayload TSi critical 0x00
length 36
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00
length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
65535
ikev2_pld_ts: start 192.0.5.0 end 192.0.5.255
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00
length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
65535
ikev2_pld_ts: start 192.0.4.0 end 192.0.4.255
ikev2_resp_create_child_sa: creating new ESP SA
proposals_negotiate: score 0
proposals_negotiate: score 4
sa_stateok: VALID flags 0x0030, require 0x0030 authvalid,sa
ikev2_sa_tag: (0)
ikev2_childsa_negotiate: proposal 1
ikev2_childsa_negotiate: key material length 128
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: Tn with 128 bytes
pfkey_sa_getspi: spi 0xefe9920e
pfkey_sa_init: new spi 0xefe9920e
ikev2_add_proposals: length 40
ikev2_next_payload: length 44 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload TSi
ikev2_next_payload: length 40 nextpayload TSr
ikev2_next_payload: length 40 nextpayload NONE
ikev2_next_payload: length 212 nextpayload SA
ikev2_msg_encrypt: decrypted length 160
ikev2_msg_encrypt: padded length 176
ikev2_msg_encrypt: length 161, padding 15, output length 208
ikev2_msg_integr: message length 240
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
nextpayload SK version 0x20 exchange CREATE_CHILD_SA flags 0x28 msgid 16
length 240 response 1
ikev2_pld_payloads: payload SK nextpayload SA critical 0x00 length 212
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 176
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 176/176 padding 15
ikev2_pld_payloads: decrypted payload SA nextpayload NONCE critical 0x00
length 44
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid ESP spisize 4
xforms 3 spi 0xefe9920e
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload NONCE nextpayload TSi critical 0x00
length 36
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00
length 40
ikev2_pld_ts: count 2 length 32
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
65535
ikev2_pld_ts: start 192.0.3.0 end 192.0.3.255
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
65535
ikev2_pld_ts: start 192.0.5.0 end 192.0.5.255
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00
length 40
ikev2_pld_ts: count 2 length 32
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
65535
ikev2_pld_ts: start 192.0.2.0 end 192.0.2.255
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
65535
ikev2_pld_ts: start 192.0.4.0 end 192.0.4.255
spi=0x8571a56c49fa05ff: send CREATE_CHILD_SA res 16 peer 10.2.50.130:500
local 10.2.50.24:500, 240 bytes
pfkey_sa_add: update spi 0xefe9920e
ikev2_childsa_enable: loaded CHILD SA spi 0xefe9920e
pfkey_sa_add: add spi 0xc9be082b
ikev2_childsa_enable: loaded CHILD SA spi 0xc9be082b
ikev2_childsa_enable: flow already loaded 0xf7998fcc00
ikev2_childsa_enable: flow already loaded 0xf721e58800
ikev2_childsa_enable: flow already loaded 0xf752c7ac00
ikev2_childsa_enable: flow already loaded 0xf721e58400
spi=0x8571a56c49fa05ff: ikev2_childsa_enable: loaded SPIs: 0xefe9920e,
0xc9be082b
config_free_proposals: free 0xf72ed4f000
config_free_proposals: free 0xf72ed4fa00
spi=0x8571a56c49fa05ff: recv INFORMATIONAL req 17 peer 10.2.50.130:500
local 10.2.50.24:500, 80 bytes, policy 'strongswan'
ikev2_recv: ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
ikev2_recv: updated SA to peer 10.2.50.130:500 local 10.2.50.24:500
ikev2_pld_parse: header ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x00 msgid 17
length 80 response 0
ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 16
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 16/16 padding 15
ikev2_next_payload: length 52 nextpayload NONE
ikev2_msg_encrypt: decrypted length 0
ikev2_msg_encrypt: padded length 16
ikev2_msg_encrypt: length 1, padding 15, output length 48
ikev2_msg_integr: message length 80
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x28 msgid 17
length 80 response 1
ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 16
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 16/16 padding 15
spi=0x8571a56c49fa05ff: send INFORMATIONAL res 17 peer 10.2.50.130:500
local 10.2.50.24:500, 80 bytes
ikev2_init_ike_sa: "strongswan" is already active
spi=0x8571a56c49fa05ff: recv INFORMATIONAL req 18 peer 10.2.50.130:500
local 10.2.50.24:500, 80 bytes, policy 'strongswan'
ikev2_recv: ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
ikev2_recv: updated SA to peer 10.2.50.130:500 local 10.2.50.24:500
ikev2_pld_parse: header ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x00 msgid 18
length 80 response 0
ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 16
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 16/16 padding 15
ikev2_next_payload: length 52 nextpayload NONE
ikev2_msg_encrypt: decrypted length 0
ikev2_msg_encrypt: padded length 16
ikev2_msg_encrypt: length 1, padding 15, output length 48
ikev2_msg_integr: message length 80
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x28 msgid 18
length 80 response 1
ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 16
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 16/16 padding 15
spi=0x8571a56c49fa05ff: send INFORMATIONAL res 18 peer 10.2.50.130:500
local 10.2.50.24:500, 80 bytes
spi=0x8571a56c49fa05ff: recv INFORMATIONAL req 19 peer 10.2.50.130:500
local 10.2.50.24:500, 80 bytes, policy 'strongswan'
ikev2_recv: ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
ikev2_recv: updated SA to peer 10.2.50.130:500 local 10.2.50.24:500
ikev2_pld_parse: header ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x00 msgid 19
length 80 response 0
ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 16
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 16/16 padding 15
ikev2_next_payload: length 52 nextpayload NONE
ikev2_msg_encrypt: decrypted length 0
ikev2_msg_encrypt: padded length 16
ikev2_msg_encrypt: length 1, padding 15, output length 48
ikev2_msg_integr: message length 80
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x28 msgid 19
length 80 response 1
ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 16
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 16/16 padding 15
spi=0x8571a56c49fa05ff: send INFORMATIONAL res 19 peer 10.2.50.130:500
local 10.2.50.24:500, 80 bytes
ikev2_init_ike_sa: "strongswan" is already active
spi=0x8571a56c49fa05ff: recv INFORMATIONAL req 20 peer 10.2.50.130:500
local 10.2.50.24:500, 80 bytes, policy 'strongswan'
ikev2_recv: ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
ikev2_recv: updated SA to peer 10.2.50.130:500 local 10.2.50.24:500
ikev2_pld_parse: header ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x00 msgid 20
length 80 response 0
ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 16
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 16/16 padding 15
ikev2_next_payload: length 52 nextpayload NONE
ikev2_msg_encrypt: decrypted length 0
ikev2_msg_encrypt: padded length 16
ikev2_msg_encrypt: length 1, padding 15, output length 48
ikev2_msg_integr: message length 80
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x28 msgid 20
length 80 response 1
ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 16
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 16/16 padding 15
spi=0x8571a56c49fa05ff: send INFORMATIONAL res 20 peer 10.2.50.130:500
local 10.2.50.24:500, 80 bytes
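Added example (my own script, not part of the original post and not iked or strongSwan code): a check of the traffic-selector narrowing rule of RFC 7296 section 2.9 against the ikev2_pld_ts lines of the CREATE_CHILD_SA exchange above (msgid 16). In that exchange strongSwan proposes TSi 192.0.5.0/24 and TSr 192.0.4.0/24, while iked's response carries both subnet pairs; RFC 7296 requires the responder to answer with a subset of what was proposed. The log excerpt embedded below is those lines copied from the post with the mail line wraps joined; the function names (parse_ts, check_narrowing, narrow) are mine.

```python
import ipaddress
import re
from collections import defaultdict

# Excerpt of the posted iked log (line wraps joined): the TS payloads of the
# CREATE_CHILD_SA request from strongSwan and of iked's response, msgid 16.
LOG = """\
ikev2_pld_parse: header ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61 nextpayload SK version 0x20 exchange CREATE_CHILD_SA flags 0x00 msgid 16 length 256 response 0
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 192.0.5.0 end 192.0.5.255
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 192.0.4.0 end 192.0.4.255
ikev2_pld_parse: header ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61 nextpayload SK version 0x20 exchange CREATE_CHILD_SA flags 0x28 msgid 16 length 240 response 1
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 40
ikev2_pld_ts: count 2 length 32
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 192.0.3.0 end 192.0.3.255
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 192.0.5.0 end 192.0.5.255
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 40
ikev2_pld_ts: count 2 length 32
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 192.0.2.0 end 192.0.2.255
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 192.0.4.0 end 192.0.4.255
"""

HDR = re.compile(r"ikev2_pld_parse: header .* exchange (\S+) .* msgid (\d+) .* response ([01])")
PLD = re.compile(r"ikev2_pld_payloads: decrypted payload (TSi|TSr) ")
PORTS = re.compile(r"ikev2_pld_ts: type (\S+) .* startport (\d+) endport (\d+)")
RANGE = re.compile(r"ikev2_pld_ts: start (\S+) end (\S+)")


def parse_ts(log):
    """Group the TS selectors of each message.

    Returns {(exchange, msgid, is_response): {"TSi": [...], "TSr": [...]}} where a
    selector is (start_addr, end_addr, startport, endport).  The port line always
    precedes the address line for the same selector in iked's output.
    """
    msgs = defaultdict(lambda: {"TSi": [], "TSr": []})
    key = side = None
    ports = (0, 65535)
    for line in log.splitlines():
        m = HDR.search(line)
        if m:
            key = (m.group(1), int(m.group(2)), m.group(3) == "1")
            side = None
            continue
        m = PLD.search(line)
        if m:
            side = m.group(1)
            continue
        m = PORTS.search(line)
        if m:
            ports = (int(m.group(2)), int(m.group(3)))
            continue
        m = RANGE.search(line)
        if m and key and side:
            msgs[key][side].append(
                (ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2)), *ports))
    return dict(msgs)


def covers(outer, inner):
    """True if selector `inner` lies entirely inside `outer` (addresses and ports)."""
    return (outer[0] <= inner[0] and inner[1] <= outer[1]
            and outer[2] <= inner[2] and inner[3] <= outer[3])


def check_narrowing(msgs, exchange="CREATE_CHILD_SA", msgid=16):
    """RFC 7296 section 2.9: the responder's TSi/TSr must be a subset of the proposal.

    Returns {side: [response selectors not covered by any proposed selector]};
    empty lists on both sides mean the response was properly narrowed.
    """
    req = msgs[(exchange, msgid, False)]
    res = msgs[(exchange, msgid, True)]
    return {side: [ts for ts in res[side] if not any(covers(p, ts) for p in req[side])]
            for side in ("TSi", "TSr")}


def narrow(proposed, chosen):
    """What a compliant responder would send: the intersection of its own selectors
    with the proposed ones, with empty intersections dropped."""
    out = []
    for c in chosen:
        for p in proposed:
            start, end = max(p[0], c[0]), min(p[1], c[1])
            sp, ep = max(p[2], c[2]), min(p[3], c[3])
            if start <= end and sp <= ep:
                out.append((start, end, sp, ep))
    return out


def fmt(ts):
    """Render a selector as CIDR(s) plus port range."""
    nets = ",".join(str(n) for n in ipaddress.summarize_address_range(ts[0], ts[1]))
    return f"{nets} ports {ts[2]}-{ts[3]}"


if __name__ == "__main__":
    msgs = parse_ts(LOG)
    for side, extra in check_narrowing(msgs).items():
        if extra:
            print(f"{side}: response is not a subset of the proposal, extra: "
                  + "; ".join(fmt(t) for t in extra))
```

Run against the posted exchange, the check reports 192.0.3.0/24 as an extra TSi selector and 192.0.2.0/24 as an extra TSr selector; narrow() over the same data yields the single pair 192.0.5.0/24 to 192.0.4.0/24 that a narrowed answer would carry. The same parser can be pointed at a full iked debug log to verify every CREATE_CHILD_SA response, in either role, against the proposal it answers.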