Hi strongswan dev,
We have observed one issue in strongSwan where two different SAs have been
assigned the same reqid.
2013-04-23T07:30:26.219374+00:00 10 [info] charon: 10[IKE] CHILD_SA conn11{9} established with SPIs cedee951_i c2612a16_o and TS 14.1.2.0/24 === 40.0.10.0/24
2013-04-23T07:30:26.219394+00:00 10 [info] charon: 10[IKE] CHILD_SA conn11{9} established with SPIs cedee951_i c2612a16_o and TS 14.1.2.0/24 === 40.0.10.0/24
2013-04-23T07:30:26.220499+00:00 10 [info] charon: 07[IKE] CHILD_SA conn12{9} established with SPIs c91b6c9b_i cc3d4154_o and TS 172.1.17.131/32 === 172.1.17.171/32
2013-04-23T07:30:26.220537+00:00 10 [info] charon: 07[IKE] CHILD_SA conn12{9} established with SPIs c91b6c9b_i cc3d4154_o and TS 172.1.17.131/32 === 172.1.17.171/32
Can you kindly provide your input on what could be the reason for this issue?
IPsec logs are attached to this mail.
Best Regards,
Amit Kumar
**********************************************
* *
* ipsec status *
* *
**********************************************
000 "conn1":
192.168.202.0/24===192.168.202.102[192.168.255.129]...50.0.0.1[50.0.0.1]===40.0.0.0/24;
erouted; eroute owner: #11
000 "conn1": newest ISAKMP SA: #1; newest IPsec SA: #11;
000 "conn2":
192.168.202.0/24===192.168.202.102[192.168.255.129]...50.0.0.1[50.0.0.1]===40.0.1.0/24;
erouted; eroute owner: #10
000 "conn2": newest ISAKMP SA: #0; newest IPsec SA: #10;
000
000 #11: "conn1" STATE_QUICK_I2 (sent QI2, IPsec SA established);
EVENT_SA_REPLACE in 81s; newest IPSEC; eroute owner
000 #11: "conn1" [email protected] (0 bytes) [email protected]
(0 bytes); tunnel
000 #1: "conn1" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in
82201s; newest ISAKMP
000 #10: "conn2" STATE_QUICK_I2 (sent QI2, IPsec SA established);
EVENT_SA_REPLACE in 53s; newest IPSEC; eroute owner
000 #10: "conn2" [email protected] (0 bytes) [email protected]
(0 bytes); tunnel
000
Security Associations (3 up, 0 connecting):
conn3[1]: ESTABLISHED 20 minutes ago,
192.168.202.102[192.168.255.129]...50.0.1.1[C=DE, O=NokiaSiemensNetworks,
CN=FlexiTRSIntegration_IPSecGW]
conn3{1}: INSTALLED, TUNNEL, ESP SPIs: c415166a_i cc0bd209_o
conn3{1}: 192.168.202.0/24 === 40.0.2.0/24
conn12{9}: INSTALLED, TUNNEL, ESP SPIs: cdd1e3dd_i ca9f9b68_o
conn12{9}: 172.1.17.131/32 === 172.1.17.171/32
conn4{2}: INSTALLED, TUNNEL, ESP SPIs: cdaaea7d_i c0c4c3d9_o
conn4{2}: 192.168.202.0/24 === 40.0.3.0/24
conn5[2]: ESTABLISHED 19 minutes ago,
50.0.11.2[192.168.255.129]...50.0.11.1[C=DE, O=NokiaSiemensNetworks,
CN=FlexiTRSIntegration_IPSecGW]
conn5{3}: INSTALLED, TUNNEL, ESP SPIs: cad16a5b_i cce7f200_o
conn5{3}: 192.168.202.0/24 === 40.0.4.0/24
conn7{6}: INSTALLED, TUNNEL, ESP SPIs: cf1507bd_i caabf605_o
conn7{6}: 192.168.202.0/24 === 40.0.6.0/24
conn6{5}: INSTALLED, TUNNEL, ESP SPIs: c3430e59_i cee3c29a_o
conn6{5}: 192.168.202.0/24 === 40.0.5.0/24
conn8[3]: ESTABLISHED 19 minutes ago,
50.0.13.2[192.168.255.129]...50.0.13.1[C=DE, O=NokiaSiemensNetworks,
CN=FlexiTRSIntegration_IPSecGW]
conn11{9}: INSTALLED, TUNNEL, ESP SPIs: cedee951_i c2612a16_o
conn11{9}: 14.1.2.0/24 === 40.0.10.0/24
conn10{8}: INSTALLED, TUNNEL, ESP SPIs: c10d51cb_i cb1340e7_o
conn10{8}: 192.168.202.0/24 === 40.0.9.0/24
conn8{4}: INSTALLED, TUNNEL, ESP SPIs: cb170eab_i cfa973c2_o
conn8{4}: 192.168.202.0/24 === 40.0.7.0/24
conn9{7}: INSTALLED, TUNNEL, ESP SPIs: c335054c_i c5fb953a_o
conn9{7}: 192.168.202.0/24 === 40.0.8.0/24
**********************************************
* *
* ipsec statusall *
* *
**********************************************
000 Status of IKEv1 pluto daemon (strongSwan 4.5.3):
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface lo:1/lo:1 172.1.17.131:4500
000 interface lo:1/lo:1 172.1.17.131:500
000 interface eth1/eth1 10.29.8.40:4500
000 interface eth1/eth1 10.29.8.40:500
000 interface eth1:1/eth1:1 192.168.255.129:4500
000 interface eth1:1/eth1:1 192.168.255.129:500
000 interface rio0/rio0 192.168.253.16:4500
000 interface rio0/rio0 192.168.253.16:500
000 interface eth3/eth3 192.168.202.102:4500
000 interface eth3/eth3 192.168.202.102:500
000 interface eth5.48/eth5.48 192.168.255.54:4500
000 interface eth5.48/eth5.48 192.168.255.54:500
000 interface eth3.2007/eth3.2007 50.0.13.2:4500
000 interface eth3.2007/eth3.2007 50.0.13.2:500
000 interface eth3.2006/eth3.2006 50.0.11.2:4500
000 interface eth3.2006/eth3.2006 50.0.11.2:500
000 interface eth5.32:5/eth5.32:5 14.1.2.1:4500
000 interface eth5.32:5/eth5.32:5 14.1.2.1:500
000 %myid = '%any'
000 loaded plugins: curl aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem
openssl gmp hmac cra xauth attr kernel-netlink resolve
000 debug options: none
000
000 "conn1":
192.168.202.0/24===192.168.202.102[192.168.255.129]...50.0.0.1[50.0.0.1]===40.0.0.0/24;
erouted; eroute owner: #11
000 "conn1": CAs: "C=DE, O=NokiaSiemensNetworks,
CN=FlexiTRSIntegrationCA"...%any
000 "conn1": ike_life: 83668s; ipsec_life: 450s; rekey_margin: 180s;
rekey_fuzz: 50%; keyingtries: 0
000 "conn1": dpd_action: restart; dpd_delay: 10s; dpd_timeout: 120s;
000 "conn1": policy: PUBKEY+ENCRYPT+TUNNEL+UP; prio: 24,24; interface: eth3;
000 "conn1": newest ISAKMP SA: #1; newest IPsec SA: #11;
000 "conn1": IKE proposal: AES_CBC_128/HMAC_SHA1/MODP_1024
000 "conn1": ESP proposal: AES_CBC_128/HMAC_SHA1/<N/A>
000 "conn2":
192.168.202.0/24===192.168.202.102[192.168.255.129]...50.0.0.1[50.0.0.1]===40.0.1.0/24;
erouted; eroute owner: #10
000 "conn2": CAs: "C=DE, O=NokiaSiemensNetworks,
CN=FlexiTRSIntegrationCA"...%any
000 "conn2": ike_life: 83668s; ipsec_life: 450s; rekey_margin: 180s;
rekey_fuzz: 50%; keyingtries: 0
000 "conn2": dpd_action: restart; dpd_delay: 10s; dpd_timeout: 120s;
000 "conn2": policy: PUBKEY+ENCRYPT+TUNNEL+UP; prio: 24,24; interface: eth3;
000 "conn2": newest ISAKMP SA: #0; newest IPsec SA: #10;
000 "conn2": ESP proposal: AES_CBC_128/HMAC_SHA1/<N/A>
000
000 #11: "conn1" STATE_QUICK_I2 (sent QI2, IPsec SA established);
EVENT_SA_REPLACE in 76s; newest IPSEC; eroute owner
000 #11: "conn1" [email protected] (0 bytes) [email protected]
(0 bytes); tunnel
000 #1: "conn1" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in
82196s; newest ISAKMP; DPD active
000 #10: "conn2" STATE_QUICK_I2 (sent QI2, IPsec SA established);
EVENT_SA_REPLACE in 48s; newest IPSEC; eroute owner
000 #10: "conn2" [email protected] (0 bytes) [email protected]
(0 bytes); tunnel
000
Status of IKEv2 charon daemon (strongSwan 4.5.3):
uptime: 20 minutes, since Apr 23 07:30:04 2013
malloc: sbrk 405504, mmap 0, used 311616, free 93888
worker threads: 9 of 16 idle, 6/1/0/0 working, job queue: 0/0/0/0, scheduled:
13
loaded plugins: curl aes des sha1 sha2 md5 random x509 revocation constraints
pubkey pkcs1 pgp pem openssl fips-prf gmp xcbc hmac cra attr kernel-netlink
resolve socket-raw stroke updown
Listening IP addresses:
10.29.8.40
192.168.255.129
192.168.253.16
192.168.202.102
192.168.255.54
50.0.13.2
50.0.11.2
14.1.2.1
192.168.255.129
Connections:
conn3: 192.168.202.102...50.0.1.1, dpddelay=10s
conn3: local: [192.168.255.129] uses public key authentication
conn3: cert: "C=DE, O=NokiaSiemensNetworks,
CN=FlexiTRSIntegration_FTM"
conn3: remote: [%any] uses any authentication
conn3: child: 192.168.202.0/24 === 40.0.2.0/24 TUNNEL,
dpdaction=restart
conn4: child: 192.168.202.0/24 === 40.0.3.0/24 TUNNEL,
dpdaction=restart
conn12: child: 172.1.17.0/24 === 172.1.17.0/24 TUNNEL,
dpdaction=restart
conn5: 50.0.11.2...50.0.11.1, dpddelay=10s
conn5: local: [192.168.255.129] uses public key authentication
conn5: cert: "C=DE, O=NokiaSiemensNetworks,
CN=FlexiTRSIntegration_FTM"
conn5: remote: [%any] uses any authentication
conn5: child: 192.168.202.0/24 === 40.0.4.0/24 TUNNEL,
dpdaction=restart
conn6: child: 192.168.202.0/24 === 40.0.5.0/24 TUNNEL,
dpdaction=restart
conn7: child: 192.168.202.0/24 === 40.0.6.0/24 TUNNEL,
dpdaction=restart
conn8: 50.0.13.2...50.0.13.1, dpddelay=10s
conn8: local: [192.168.255.129] uses public key authentication
conn8: cert: "C=DE, O=NokiaSiemensNetworks,
CN=FlexiTRSIntegration_FTM"
conn8: remote: [%any] uses any authentication
conn8: child: 192.168.202.0/24 === 40.0.7.0/24 TUNNEL,
dpdaction=restart
conn9: child: 192.168.202.0/24 === 40.0.8.0/24 TUNNEL,
dpdaction=restart
conn10: child: 192.168.202.0/24 === 40.0.9.0/24 TUNNEL,
dpdaction=restart
conn11: child: 14.1.2.0/24 === 40.0.10.0/24 TUNNEL, dpdaction=restart
Security Associations (3 up, 0 connecting):
conn3[1]: ESTABLISHED 20 minutes ago,
192.168.202.102[192.168.255.129]...50.0.1.1[C=DE, O=NokiaSiemensNetworks,
CN=FlexiTRSIntegration_IPSecGW]
conn3[1]: IKE SPIs: c68e8b6167f5688b_i* 687442e2087018d5_r, rekeying in
22 hours, public key reauthentication in 23 hours
conn3[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
conn3{1}: INSTALLED, TUNNEL, ESP SPIs: c415166a_i cc0bd209_o
conn3{1}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in
74 seconds
conn3{1}: 192.168.202.0/24 === 40.0.2.0/24
conn12{9}: INSTALLED, TUNNEL, ESP SPIs: cdd1e3dd_i ca9f9b68_o
conn12{9}: AES_CBC_128/HMAC_SHA1_96, 152 bytes_i (42s ago), 152 bytes_o
(42s ago), rekeying in 118 seconds
conn12{9}: 172.1.17.131/32 === 172.1.17.171/32
conn4{2}: INSTALLED, TUNNEL, ESP SPIs: cdaaea7d_i c0c4c3d9_o
conn4{2}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 3
minutes
conn4{2}: 192.168.202.0/24 === 40.0.3.0/24
conn5[2]: ESTABLISHED 19 minutes ago,
50.0.11.2[192.168.255.129]...50.0.11.1[C=DE, O=NokiaSiemensNetworks,
CN=FlexiTRSIntegration_IPSecGW]
conn5[2]: IKE SPIs: ab3ac182998ff94c_i* 7b4406f0cd14eb95_r, rekeying in
22 hours, public key reauthentication in 23 hours
conn5[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
conn5{3}: INSTALLED, TUNNEL, ESP SPIs: cad16a5b_i cce7f200_o
conn5{3}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in
31 seconds
conn5{3}: 192.168.202.0/24 === 40.0.4.0/24
conn7{6}: INSTALLED, TUNNEL, ESP SPIs: cf1507bd_i caabf605_o
conn7{6}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 8
seconds
conn7{6}: 192.168.202.0/24 === 40.0.6.0/24
conn6{5}: INSTALLED, TUNNEL, ESP SPIs: c3430e59_i cee3c29a_o
conn6{5}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in
55 seconds
conn6{5}: 192.168.202.0/24 === 40.0.5.0/24
conn8[3]: ESTABLISHED 19 minutes ago,
50.0.13.2[192.168.255.129]...50.0.13.1[C=DE, O=NokiaSiemensNetworks,
CN=FlexiTRSIntegration_IPSecGW]
conn8[3]: IKE SPIs: aac3b1fe38dcc0d6_i* e7e35f11f5f4d08d_r, rekeying in
22 hours, public key reauthentication in 23 hours
conn8[3]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
conn11{9}: INSTALLED, TUNNEL, ESP SPIs: cedee951_i c2612a16_o
conn11{9}: AES_CBC_128/HMAC_SHA1_96, 10795592 bytes_i (757s ago), 0
bytes_o, rekeying active
conn11{9}: 14.1.2.0/24 === 40.0.10.0/24
conn10{8}: INSTALLED, TUNNEL, ESP SPIs: c10d51cb_i cb1340e7_o
conn10{8}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in
54 seconds
conn10{8}: 192.168.202.0/24 === 40.0.9.0/24
conn8{4}: INSTALLED, TUNNEL, ESP SPIs: cb170eab_i cfa973c2_o
conn8{4}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in
76 seconds
conn8{4}: 192.168.202.0/24 === 40.0.7.0/24
conn9{7}: INSTALLED, TUNNEL, ESP SPIs: c335054c_i c5fb953a_o
conn9{7}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in
32 seconds
conn9{7}: 192.168.202.0/24 === 40.0.8.0/24
**********************************************
* *
* ip xfrm state *
* *
**********************************************
src 192.168.202.102 dst 50.0.1.1
proto esp spi 0xc0c4c3d9 reqid 2 mode tunnel
replay-window 0 flag 20
auth hmac(sha1) 0xf05ef6c71582f6e892299c935ac70892e9acfd8d
enc cbc(aes) 0x4455cdf197ab7ef5868702a5e0591dc8
src 50.0.1.1 dst 192.168.202.102
proto esp spi 0xcdaaea7d reqid 2 mode tunnel
replay-window 0 flag 20
auth hmac(sha1) 0xbdc6e936dc39e57e97553991577bfb9526401564
enc cbc(aes) 0xd5af43fceea9926c19444fed256f6206
sel src 40.0.3.0/24 dst 192.168.202.0/24
src 192.168.202.102 dst 50.0.0.1
proto esp spi 0xdc003fe0 reqid 16384 mode tunnel
replay-window 0 flag 20
auth hmac(sha1) 0x6b6725ec96c5d323658f0f792e3ec391d1d008ff
enc cbc(aes) 0x5b83a6473668e960b7309f41073e7640
src 50.0.0.1 dst 192.168.202.102
proto esp spi 0xcb4c096a reqid 16384 mode tunnel
replay-window 0 flag 20
auth hmac(sha1) 0xeaefc49f9125a211d58f2b1a90b1704fbd4bf6f0
enc cbc(aes) 0x1e84776857bc14be743cdc4b8164a954
src 192.168.202.102 dst 50.0.0.1
proto esp spi 0x471b6c97 reqid 16388 mode tunnel
replay-window 0 flag 20
auth hmac(sha1) 0xa2cda682379ca01d76f26a10c418f179fd6b39d3
enc cbc(aes) 0x0de11fca62cf7fc5ac5566420c1d282d
src 50.0.0.1 dst 192.168.202.102
proto esp spi 0xcc87e23e reqid 16388 mode tunnel
replay-window 0 flag 20
auth hmac(sha1) 0xd5df6945a9027b08273048a4b5dde3c1fa140418
enc cbc(aes) 0x5cddf584704dd1b740c6be35fd86d5a4
src 50.0.11.2 dst 50.0.11.1
proto esp spi 0xcee3c29a reqid 5 mode tunnel
replay-window 0 flag 20
auth hmac(sha1) 0x8a755dad147b0cb16ae249a14b9fd2408a8e9add
enc cbc(aes) 0x9c362d02fb3d947ad7a62c95bde5a6f8
src 50.0.11.1 dst 50.0.11.2
proto esp spi 0xc3430e59 reqid 5 mode tunnel
replay-window 0 flag 20
auth hmac(sha1) 0x6a4597acabb27e13fa7cde112443fe785f343f12
enc cbc(aes) 0xcce500ce2b6563587aadaed2ead084b0
sel src 40.0.5.0/24 dst 192.168.202.0/24
src 192.168.202.102 dst 50.0.1.1
proto esp spi 0xca9f9b68 reqid 9 mode tunnel
replay-window 0 flag 20
auth hmac(sha1) 0x3039e224c02a2310c1584f5bc671bd9a5272b5d9
enc cbc(aes) 0x48661907c31b78390e05f6934449cbb5
src 50.0.1.1 dst 192.168.202.102
proto esp spi 0xcdd1e3dd reqid 9 mode tunnel
replay-window 0 flag 20
auth hmac(sha1) 0xd2d1eae7088095bf9c53c7e31aeb54741c07fa60
enc cbc(aes) 0xd65cd564c12093761a23ea870042aeba
sel src 172.1.17.171/32 dst 172.1.17.131/32
src 192.168.202.102 dst 50.0.1.1
proto esp spi 0xcc0bd209 reqid 1 mode tunnel
replay-window 0 flag 20
auth hmac(sha1) 0x2ff4e4ff00fe9f4ddf2c4c016f8ccef22942c6d2
enc cbc(aes) 0x26cd9f81021e9e482a3d92f84bd5065c
src 50.0.1.1 dst 192.168.202.102
proto esp spi 0xc415166a reqid 1 mode tunnel
replay-window 0 flag 20
auth hmac(sha1) 0x0eebba88f7ffd82c3107faac25e664aadb40c434
enc cbc(aes) 0x70c7b46823d07580f143b48e83d8cdf0
sel src 40.0.2.0/24 dst 192.168.202.0/24
src 50.0.13.2 dst 50.0.13.1
proto esp spi 0xc5fb953a reqid 7 mode tunnel
replay-window 0 flag 20
auth hmac(sha1) 0xcd7175a8e0c7b9b1c45b43b5a1c91fe8cae281ca
enc cbc(aes) 0x57939d8ea1116ac8a01c3d3ade0c2a9c
src 50.0.13.1 dst 50.0.13.2
proto esp spi 0xc335054c reqid 7 mode tunnel
replay-window 0 flag 20
auth hmac(sha1) 0xc9a823f39f8af48097785548b547b3d1d2cccf7c
enc cbc(aes) 0x3e0a5bb5368dcb4f331852f12d868388
sel src 40.0.8.0/24 dst 192.168.202.0/24
src 50.0.13.2 dst 50.0.13.1
proto esp spi 0xcfa973c2 reqid 4 mode tunnel
replay-window 0 flag 20
auth hmac(sha1) 0x7784620591fa2093470d33fe7b9f80261175aacf
enc cbc(aes) 0xd046f5aa5e9f696836131c7104ad4993
src 50.0.13.1 dst 50.0.13.2
proto esp spi 0xcb170eab reqid 4 mode tunnel
replay-window 0 flag 20
auth hmac(sha1) 0x07fc86ca53a7541ee8debec8b8c20e3c07379752
enc cbc(aes) 0x97bf1e4c158d427f8aacadf7d7edcc95
sel src 40.0.7.0/24 dst 192.168.202.0/24
src 50.0.11.2 dst 50.0.11.1
proto esp spi 0xcaabf605 reqid 6 mode tunnel
replay-window 0 flag 20
auth hmac(sha1) 0xc59165b618e73474c8a664608ae105870e85d7c4
enc cbc(aes) 0xb381d199591b923655d9c7e4e85d716a
src 50.0.11.1 dst 50.0.11.2
proto esp spi 0xcf1507bd reqid 6 mode tunnel
replay-window 0 flag 20
auth hmac(sha1) 0xce554a0185d4b6515f5e4c58deec378c9bfa3c5a
enc cbc(aes) 0x06bc11476a2a865fcb26709cb6d6b3b2
sel src 40.0.6.0/24 dst 192.168.202.0/24
src 50.0.13.2 dst 50.0.13.1
proto esp spi 0xcb1340e7 reqid 8 mode tunnel
replay-window 0 flag 20
auth hmac(sha1) 0x7e297e16c00db41ef1c8a91990752c6115e17601
enc cbc(aes) 0x6fae7fe4c291726ac1e1fea90824639c
src 50.0.13.1 dst 50.0.13.2
proto esp spi 0xc10d51cb reqid 8 mode tunnel
replay-window 0 flag 20
auth hmac(sha1) 0xcb41be904f2830715bffb88c615e6fe55f996ce6
enc cbc(aes) 0x6d0d929a2f5bcf6f51a358ffdf65532f
sel src 40.0.9.0/24 dst 192.168.202.0/24
src 50.0.11.2 dst 50.0.11.1
proto esp spi 0xcce7f200 reqid 3 mode tunnel
replay-window 0 flag 20
auth hmac(sha1) 0xfa62250dbd2ccd5149068c7274558ab24ae2280d
enc cbc(aes) 0xdaeb61f31885ad83a7bdc9d2a5553bf1
src 50.0.11.1 dst 50.0.11.2
proto esp spi 0xcad16a5b reqid 3 mode tunnel
replay-window 0 flag 20
auth hmac(sha1) 0x7935d0b8b2ee4d6ddb69b828f2d0dda9a2453fd5
enc cbc(aes) 0x3c47f60d8549f513dafc969e8705478d
sel src 40.0.4.0/24 dst 192.168.202.0/24
**********************************************
* *
* ip xfrm policy *
* *
**********************************************
src 40.0.3.0/24 dst 192.168.202.0/24
dir fwd priority 4
tmpl src 50.0.1.1 dst 192.168.202.102
proto esp reqid 2 mode tunnel
src 40.0.3.0/24 dst 192.168.202.0/24
dir in priority 4
tmpl src 50.0.1.1 dst 192.168.202.102
proto esp reqid 2 mode tunnel
src 192.168.202.0/24 dst 40.0.3.0/24
dir out priority 4
tmpl src 192.168.202.102 dst 50.0.1.1
proto esp reqid 2 mode tunnel
src 192.168.202.0/24 dst 40.0.0.0/24
dir out priority 1
tmpl src 192.168.202.102 dst 50.0.0.1
proto esp reqid 16384 mode tunnel
src 40.0.0.0/24 dst 192.168.202.0/24
dir fwd priority 1
tmpl src 50.0.0.1 dst 192.168.202.102
proto esp reqid 16384 mode tunnel
src 40.0.0.0/24 dst 192.168.202.0/24
dir in priority 1
tmpl src 50.0.0.1 dst 192.168.202.102
proto esp reqid 16384 mode tunnel
src 192.168.202.0/24 dst 40.0.1.0/24
dir out priority 2
tmpl src 192.168.202.102 dst 50.0.0.1
proto esp reqid 16388 mode tunnel
src 40.0.1.0/24 dst 192.168.202.0/24
dir fwd priority 2
tmpl src 50.0.0.1 dst 192.168.202.102
proto esp reqid 16388 mode tunnel
src 40.0.1.0/24 dst 192.168.202.0/24
dir in priority 2
tmpl src 50.0.0.1 dst 192.168.202.102
proto esp reqid 16388 mode tunnel
src 40.0.5.0/24 dst 192.168.202.0/24
dir fwd priority 6
tmpl src 50.0.11.1 dst 50.0.11.2
proto esp reqid 5 mode tunnel
src 40.0.5.0/24 dst 192.168.202.0/24
dir in priority 6
tmpl src 50.0.11.1 dst 50.0.11.2
proto esp reqid 5 mode tunnel
src 192.168.202.0/24 dst 40.0.5.0/24
dir out priority 6
tmpl src 50.0.11.2 dst 50.0.11.1
proto esp reqid 5 mode tunnel
src 172.1.17.171/32 dst 172.1.17.131/32
dir fwd priority 12
tmpl src 50.0.1.1 dst 192.168.202.102
proto esp reqid 9 mode tunnel
src 172.1.17.171/32 dst 172.1.17.131/32
dir in priority 12
tmpl src 50.0.1.1 dst 192.168.202.102
proto esp reqid 9 mode tunnel
src 172.1.17.131/32 dst 172.1.17.171/32
dir out priority 12
tmpl src 192.168.202.102 dst 50.0.1.1
proto esp reqid 9 mode tunnel
src 40.0.2.0/24 dst 192.168.202.0/24
dir fwd priority 3
tmpl src 50.0.1.1 dst 192.168.202.102
proto esp reqid 1 mode tunnel
src 40.0.2.0/24 dst 192.168.202.0/24
dir in priority 3
tmpl src 50.0.1.1 dst 192.168.202.102
proto esp reqid 1 mode tunnel
src 192.168.202.0/24 dst 40.0.2.0/24
dir out priority 3
tmpl src 192.168.202.102 dst 50.0.1.1
proto esp reqid 1 mode tunnel
src 40.0.8.0/24 dst 192.168.202.0/24
dir fwd priority 9
tmpl src 50.0.13.1 dst 50.0.13.2
proto esp reqid 7 mode tunnel
src 40.0.8.0/24 dst 192.168.202.0/24
dir in priority 9
tmpl src 50.0.13.1 dst 50.0.13.2
proto esp reqid 7 mode tunnel
src 192.168.202.0/24 dst 40.0.8.0/24
dir out priority 9
tmpl src 50.0.13.2 dst 50.0.13.1
proto esp reqid 7 mode tunnel
src 40.0.7.0/24 dst 192.168.202.0/24
dir fwd priority 8
tmpl src 50.0.13.1 dst 50.0.13.2
proto esp reqid 4 mode tunnel
src 40.0.7.0/24 dst 192.168.202.0/24
dir in priority 8
tmpl src 50.0.13.1 dst 50.0.13.2
proto esp reqid 4 mode tunnel
src 192.168.202.0/24 dst 40.0.7.0/24
dir out priority 8
tmpl src 50.0.13.2 dst 50.0.13.1
proto esp reqid 4 mode tunnel
src 40.0.6.0/24 dst 192.168.202.0/24
dir fwd priority 7
tmpl src 50.0.11.1 dst 50.0.11.2
proto esp reqid 6 mode tunnel
src 40.0.6.0/24 dst 192.168.202.0/24
dir in priority 7
tmpl src 50.0.11.1 dst 50.0.11.2
proto esp reqid 6 mode tunnel
src 192.168.202.0/24 dst 40.0.6.0/24
dir out priority 7
tmpl src 50.0.11.2 dst 50.0.11.1
proto esp reqid 6 mode tunnel
src 40.0.9.0/24 dst 192.168.202.0/24
dir fwd priority 10
tmpl src 50.0.13.1 dst 50.0.13.2
proto esp reqid 8 mode tunnel
src 40.0.9.0/24 dst 192.168.202.0/24
dir in priority 10
tmpl src 50.0.13.1 dst 50.0.13.2
proto esp reqid 8 mode tunnel
src 192.168.202.0/24 dst 40.0.9.0/24
dir out priority 10
tmpl src 50.0.13.2 dst 50.0.13.1
proto esp reqid 8 mode tunnel
src 40.0.4.0/24 dst 192.168.202.0/24
dir fwd priority 5
tmpl src 50.0.11.1 dst 50.0.11.2
proto esp reqid 3 mode tunnel
src 40.0.4.0/24 dst 192.168.202.0/24
dir in priority 5
tmpl src 50.0.11.1 dst 50.0.11.2
proto esp reqid 3 mode tunnel
src 192.168.202.0/24 dst 40.0.4.0/24
dir out priority 5
tmpl src 50.0.11.2 dst 50.0.11.1
proto esp reqid 3 mode tunnel
src 40.0.10.0/24 dst 14.1.2.0/24
dir fwd priority 11
tmpl src 50.0.13.1 dst 50.0.13.2
proto esp reqid 9 mode tunnel
src 40.0.10.0/24 dst 14.1.2.0/24
dir in priority 11
tmpl src 50.0.13.1 dst 50.0.13.2
proto esp reqid 9 mode tunnel
src 14.1.2.0/24 dst 40.0.10.0/24
dir out priority 11
tmpl src 50.0.13.2 dst 50.0.13.1
proto esp reqid 9 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0
src ::/0 dst ::/0
dir 3 priority 0
src ::/0 dst ::/0
dir 4 priority 0
src ::/0 dst ::/0
dir 3 priority 0
src ::/0 dst ::/0
dir 4 priority 0
src ::/0 dst ::/0
dir 3 priority 0
src ::/0 dst ::/0
dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0
src 14.1.2.1/24 dst 0.0.0.0/0
dir fwd priority 0
src 0.0.0.0/0 dst 14.1.2.1/24
dir out priority 0
src 10.29.8.40/32 dst 0.0.0.0/0
dir out priority 0
src 192.168.254.0/23 dst 192.168.254.0/23
dir out priority 0
src 192.168.254.0/23 dst 192.168.254.0/23
dir in priority 0
src 192.168.253.0/24 dst 192.168.253.0/24
dir out priority 0
src 192.168.253.0/24 dst 192.168.253.0/24
dir in priority 0
src 192.168.255.0/24 dst 192.168.255.0/24
dir out priority 0
src 192.168.255.0/24 dst 192.168.255.0/24
dir in priority 0
**********************************************
* *
* /etc/ipsec.secrets *
* *
**********************************************
# /etc/ipsec.secrets - strongSwan IPsec secrets file
: RSA "privkey.crk"
**********************************************
* *
* /etc/ipsec.conf *
* *
**********************************************
config setup
plutostart=yes
plutodebug=none
nat_traversal=yes
uniqueids=no
charonstart=yes
charondebug="dmn 1, mgr 1, ike 0, chd 1, job 0, cfg 0, knl 0, net 0, enc -1,
lib -1"
ca rootca0
cacert=rootCaCert_0.pem
conn %default
leftcert=/etc/ipsec.d/certs/btsCert.pem
auto=start
pfs=no
keyingtries=%forever
mobike=no
conn conn1
type=tunnel
leftsubnet=192.168.202.102/24
rightsubnet=40.0.0.0/24
left=192.168.202.102
right=50.0.0.1
keyexchange=ikev1
ike=aes128-sha1-modp1024,3des-sha1-modp1024!
ikelifetime=83668s
esp=aes128-sha1,3des-sha1!
authby=pubkey
rightid=%any
leftid="192.168.255.129"
keylife=450s
dpdaction=restart
dpddelay=10
dpdtimeout=120
rekeyfuzz=50%
rekeymargin=180s
conn conn2
type=tunnel
leftsubnet=192.168.202.102/24
rightsubnet=40.0.1.0/24
left=192.168.202.102
right=50.0.0.1
keyexchange=ikev1
ike=aes128-sha1-modp1024,3des-sha1-modp1024!
ikelifetime=83668s
esp=aes128-sha1,3des-sha1!
authby=pubkey
rightid=%any
leftid="192.168.255.129"
keylife=450s
dpdaction=restart
dpddelay=10
dpdtimeout=120
rekeyfuzz=50%
rekeymargin=180s
conn conn3
type=tunnel
leftsubnet=192.168.202.102/24
rightsubnet=40.0.2.0/24
left=192.168.202.102
right=50.0.1.1
keyexchange=ikev2
reauth=no
ike=aes128-sha1-modp1024,3des-sha1-modp1024!
ikelifetime=83668s
esp=aes128-sha1,3des-sha1!
authby=pubkey
rightid=%any
leftid="192.168.255.129"
keylife=450s
dpdaction=restart
dpddelay=10
dpdtimeout=120
rekeyfuzz=50%
rekeymargin=180s
conn conn4
type=tunnel
leftsubnet=192.168.202.102/24
rightsubnet=40.0.3.0/24
left=192.168.202.102
right=50.0.1.1
keyexchange=ikev2
reauth=no
ike=aes128-sha1-modp1024,3des-sha1-modp1024!
ikelifetime=83668s
esp=aes128-sha1,3des-sha1!
authby=pubkey
rightid=%any
leftid="192.168.255.129"
keylife=450s
dpdaction=restart
dpddelay=10
dpdtimeout=120
rekeyfuzz=50%
rekeymargin=180s
conn conn5
type=tunnel
leftsubnet=192.168.202.102/24
rightsubnet=40.0.4.0/24
left=50.0.11.2
right=50.0.11.1
keyexchange=ikev2
reauth=no
ike=aes128-sha1-modp1024,3des-sha1-modp1024!
ikelifetime=83668s
esp=aes128-sha1,3des-sha1!
authby=pubkey
rightid=%any
leftid="192.168.255.129"
keylife=450s
dpdaction=restart
dpddelay=10
dpdtimeout=120
rekeyfuzz=50%
rekeymargin=180s
conn conn6
type=tunnel
leftsubnet=192.168.202.102/24
rightsubnet=40.0.5.0/24
left=50.0.11.2
right=50.0.11.1
keyexchange=ikev2
reauth=no
ike=aes128-sha1-modp1024,3des-sha1-modp1024!
ikelifetime=83668s
esp=aes128-sha1,3des-sha1!
authby=pubkey
rightid=%any
leftid="192.168.255.129"
keylife=450s
dpdaction=restart
dpddelay=10
dpdtimeout=120
rekeyfuzz=50%
rekeymargin=180s
conn conn7
type=tunnel
leftsubnet=192.168.202.102/24
rightsubnet=40.0.6.0/24
left=50.0.11.2
right=50.0.11.1
keyexchange=ikev2
reauth=no
ike=aes128-sha1-modp1024,3des-sha1-modp1024!
ikelifetime=83668s
esp=aes128-sha1,3des-sha1!
authby=pubkey
rightid=%any
leftid="192.168.255.129"
keylife=450s
dpdaction=restart
dpddelay=10
dpdtimeout=120
rekeyfuzz=50%
rekeymargin=180s
conn conn8
type=tunnel
leftsubnet=192.168.202.102/24
rightsubnet=40.0.7.0/24
left=50.0.13.2
right=50.0.13.1
keyexchange=ikev2
reauth=no
ike=aes128-sha1-modp1024,3des-sha1-modp1024!
ikelifetime=83668s
esp=aes128-sha1,3des-sha1!
authby=pubkey
rightid=%any
leftid="192.168.255.129"
keylife=450s
dpdaction=restart
dpddelay=10
dpdtimeout=120
rekeyfuzz=50%
rekeymargin=180s
conn conn9
type=tunnel
leftsubnet=192.168.202.102/24
rightsubnet=40.0.8.0/24
left=50.0.13.2
right=50.0.13.1
keyexchange=ikev2
reauth=no
ike=aes128-sha1-modp1024,3des-sha1-modp1024!
ikelifetime=83668s
esp=aes128-sha1,3des-sha1!
authby=pubkey
rightid=%any
leftid="192.168.255.129"
keylife=450s
dpdaction=restart
dpddelay=10
dpdtimeout=120
rekeyfuzz=50%
rekeymargin=180s
conn conn10
type=tunnel
leftsubnet=192.168.202.102/24
rightsubnet=40.0.9.0/24
left=50.0.13.2
right=50.0.13.1
keyexchange=ikev2
reauth=no
ike=aes128-sha1-modp1024,3des-sha1-modp1024!
ikelifetime=83668s
esp=aes128-sha1,3des-sha1!
authby=pubkey
rightid=%any
leftid="192.168.255.129"
keylife=450s
dpdaction=restart
dpddelay=10
dpdtimeout=120
rekeyfuzz=50%
rekeymargin=180s
conn conn11
type=tunnel
leftsubnet=14.1.2.0/24
rightsubnet=40.0.10.0/24
left=50.0.13.2
right=50.0.13.1
keyexchange=ikev2
reauth=no
ike=aes128-sha1-modp1024,3des-sha1-modp1024!
ikelifetime=83668s
esp=aes128-sha1,3des-sha1!
authby=pubkey
rightid=%any
leftid="192.168.255.129"
keylife=450s
dpdaction=restart
dpddelay=10
dpdtimeout=120
rekeyfuzz=50%
rekeymargin=180s
conn conn12
type=tunnel
leftsubnet=172.1.17.131/24
rightsubnet=172.1.17.171/24
left=192.168.202.102
right=50.0.1.1
keyexchange=ikev2
reauth=no
ike=aes128-sha1-modp1024,3des-sha1-modp1024!
ikelifetime=83668s
esp=aes128-sha1,3des-sha1!
authby=pubkey
rightid=%any
leftid="192.168.255.129"
keylife=450s
dpdaction=restart
dpddelay=10
dpdtimeout=120
rekeyfuzz=50%
rekeymargin=180s
_______________________________________________
Dev mailing list
dev@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/dev
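The check below is an added example, not code from the mail or from the strongSwan project. It reads `ip xfrm policy` and `ip xfrm state` dumps in the format quoted above and reports two things a responder would want to know before reading further: any reqid whose policies point at more than one pair of tunnel endpoints or traffic selectors (the collision the mail describes), and any policy whose template has no SA behind it in the kernel. The embedded input is an excerpt of the dumps in the mail, trimmed to reqid 9 (conn12 and conn11) and reqid 1 (conn3); the function and variable names are the example's own.

```python
"""Spot reqid collisions in `ip xfrm policy` / `ip xfrm state` dumps.

Added example, not code from the mail or from the strongSwan project. charon
uses the reqid to tie a CHILD_SA to the kernel policies and SAs it installs,
so each reqid should map to one pair of tunnel endpoints and selectors.
"""
import re
from collections import defaultdict

# Excerpt of the `ip xfrm policy` output quoted in the mail: reqid 9 (conn12 and
# conn11), reqid 1 (conn3) as a healthy reference, one socket policy without a
# template. Indented as the tool prints it; the stripped form parses the same.
POLICY_DUMP = """\
src 172.1.17.171/32 dst 172.1.17.131/32
    dir fwd priority 12
    tmpl src 50.0.1.1 dst 192.168.202.102
        proto esp reqid 9 mode tunnel
src 172.1.17.131/32 dst 172.1.17.171/32
    dir out priority 12
    tmpl src 192.168.202.102 dst 50.0.1.1
        proto esp reqid 9 mode tunnel
src 192.168.202.0/24 dst 40.0.2.0/24
    dir out priority 3
    tmpl src 192.168.202.102 dst 50.0.1.1
        proto esp reqid 1 mode tunnel
src 40.0.10.0/24 dst 14.1.2.0/24
    dir in priority 11
    tmpl src 50.0.13.1 dst 50.0.13.2
        proto esp reqid 9 mode tunnel
src 14.1.2.0/24 dst 40.0.10.0/24
    dir out priority 11
    tmpl src 50.0.13.2 dst 50.0.13.1
        proto esp reqid 9 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 4 priority 0
"""

# Matching excerpt of the `ip xfrm state` output (key material lines dropped).
STATE_DUMP = """\
src 192.168.202.102 dst 50.0.1.1
    proto esp spi 0xca9f9b68 reqid 9 mode tunnel
src 50.0.1.1 dst 192.168.202.102
    proto esp spi 0xcdd1e3dd reqid 9 mode tunnel
    sel src 172.1.17.171/32 dst 172.1.17.131/32
src 192.168.202.102 dst 50.0.1.1
    proto esp spi 0xcc0bd209 reqid 1 mode tunnel
"""

HEADER = re.compile(r"^src (\S+) dst (\S+)$")  # opens each policy/state block


def parse_policies(dump):
    """One dict per policy with an ESP template; socket policies are skipped."""
    policies, cur = [], None
    for raw in dump.splitlines():
        line = raw.strip()
        if m := HEADER.match(line):
            cur = {"sel": m.groups()}                 # (selector src, selector dst)
            policies.append(cur)
        elif cur is None:
            continue
        elif line.startswith("dir "):
            cur["dir"] = line.split()[1]
        elif line.startswith("tmpl "):
            cur["tmpl"] = tuple(line.split()[2::2])  # (tunnel src, tunnel dst)
        elif m := re.match(r"proto \w+ reqid (\d+)", line):
            cur["reqid"] = int(m.group(1))
    return [p for p in policies if "reqid" in p]


def parse_states(dump):
    """One dict per SA: tunnel endpoints (as a template), SPI and reqid."""
    states, cur = [], None
    for raw in dump.splitlines():
        line = raw.strip()
        if m := HEADER.match(line):
            cur = {"tmpl": m.groups()}
            states.append(cur)
        elif cur and (m := re.match(r"proto \w+ spi (0x[0-9a-f]+) reqid (\d+)", line)):
            cur["spi"], cur["reqid"] = m.group(1), int(m.group(2))
    return [s for s in states if "reqid" in s]


def reqid_collisions(policies):
    """reqid -> distinct (endpoints, selectors) pairs, for reqids with several.
    Direction is normalised by sorting, so the in/fwd/out policies of one
    CHILD_SA collapse to a single key; a second key means a shared reqid."""
    seen = defaultdict(set)
    for p in policies:
        seen[p["reqid"]].add((tuple(sorted(p["tmpl"])), tuple(sorted(p["sel"]))))
    return {r: sorted(keys) for r, keys in seen.items() if len(keys) > 1}


def policies_without_sa(policies, states):
    """Policies whose template (tunnel endpoints + reqid) matches no SA; the
    kernel selects the SA for a template by exactly these fields."""
    installed = {(s["tmpl"], s["reqid"]) for s in states}
    return [p for p in policies if (p["tmpl"], p["reqid"]) not in installed]


if __name__ == "__main__":
    pols, sas = parse_policies(POLICY_DUMP), parse_states(STATE_DUMP)
    for reqid, combos in reqid_collisions(pols).items():
        print(f"reqid {reqid} shared by {len(combos)} tunnels: {combos}")
    for p in policies_without_sa(pols, sas):
        print(f"no SA for reqid {p['reqid']} {p['dir']} policy {p['sel']} via {p['tmpl']}")
```

Feed the live output of `ip xfrm policy` and `ip xfrm state` to the two parsers to run it on a host. On the excerpt from the mail it reports reqid 9 shared by the conn12 tunnel (50.0.1.1 to 192.168.202.102, 172.1.17.131/32 to 172.1.17.171/32) and the conn11 tunnel (50.0.13.1 to 50.0.13.2, 14.1.2.0/24 to 40.0.10.0/24), and no SA for either conn11 policy, which agrees with the full state dump above containing no reqid-9 SA between 50.0.13.1 and 50.0.13.2 even though `ipsec statusall` still lists conn11{9} as INSTALLED.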