[strongSwan] Strongswan VPN Profile for Android.

2017-05-26 Thread Aanand Ramachandran
Hi
I followed the instructions at the following URL to create a Strongswan VPN 
client profile for Android - 
https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVPNClientProfiles
My profile looks very similar to the example profiles on this page. I named the 
file with a .sswan extension and emailed it to a user. The user opened the 
email on his Android phone. He already had the Strongswan client app installed 
on his phone. However, he couldn't import the profile into the app and use it 
to dial a VPN connection. What could be the problem? The link above talks about 
publishing profiles through a web page but clearly provides an email attachment 
option too. The link also refers to a file media type. I didn't do anything 
specific to set the file's media type. Could that be the reason why the import 
is failing? How do I set the media type for a file?

Thanks for your help.

Aanand [MSFT]
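As an added example (not code from the strongSwan project or from Aanand's post), here is a small Python script that builds an Android client profile in the .sswan JSON layout the linked wiki page describes and attaches it to a mail message with the media type set explicitly rather than left to the mail client's guess. Assumptions: the set of profile types is taken from the wiki page as I recall it; the media type the Android app expects for profiles is assumed to be application/vnd.strongswan.profile; the gateway, user and mail addresses are constructed for illustration.

```python
"""Build a strongSwan Android client profile (.sswan) and attach it to a
mail message with an explicit media type.

Added example; not code from the strongSwan project or from the original
post. Assumptions: profile keys follow the AndroidVPNClientProfiles wiki page
linked above; the media type the Android app expects for profiles is taken
to be application/vnd.strongswan.profile; the gateway, user and mail
addresses are constructed for illustration.
"""
import json
import uuid
from email.message import EmailMessage

# Assumed media type for .sswan profiles (see lead-in).
PROFILE_MEDIA_TYPE = "application/vnd.strongswan.profile"

# Profile types as documented on the wiki page (assumed); anything else is
# rejected early rather than producing a file the app will refuse to import.
KNOWN_TYPES = {"ikev2-eap", "ikev2-cert", "ikev2-cert-eap", "ikev2-eap-tls",
               "ikev2-byod-eap"}


def build_profile(name, server, profile_type="ikev2-eap", eap_id=None,
                  local_id=None, remote_id=None, profile_uuid=None):
    """Return the profile as a dict; only fields that have a value are emitted."""
    if profile_type not in KNOWN_TYPES:
        raise ValueError(f"unknown profile type {profile_type!r}")
    if profile_type == "ikev2-eap" and not eap_id:
        raise ValueError("ikev2-eap profiles need local.eap_id")
    profile = {
        "uuid": profile_uuid or str(uuid.uuid4()),
        "name": name,
        "type": profile_type,
        "remote": {"addr": server},
    }
    if remote_id:
        profile["remote"]["id"] = remote_id
    local = {k: v for k, v in (("eap_id", eap_id), ("id", local_id)) if v}
    if local:
        profile["local"] = local
    return profile


def profile_bytes(profile):
    """UTF-8 JSON, the on-disk form of a .sswan file."""
    return json.dumps(profile, indent=2).encode("utf-8")


def profile_mail(profile, sender, recipient, filename="corp-vpn.sswan"):
    """Wrap the profile in a MIME message; the attachment carries the media
    type explicitly instead of whatever the mail client derives from the name."""
    if not filename.endswith(".sswan"):
        raise ValueError("use the .sswan extension for profile attachments")
    maintype, subtype = PROFILE_MEDIA_TYPE.split("/", 1)
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = f"strongSwan VPN profile: {profile['name']}"
    msg.set_content("Open the attached .sswan file with the strongSwan app.")
    msg.add_attachment(profile_bytes(profile), maintype=maintype,
                       subtype=subtype, filename=filename)
    return msg


def attachment_media_type(msg):
    """Media type of the first attachment, to check what was actually sent."""
    for part in msg.iter_attachments():
        return part.get_content_type()
    return None


def attachment_filename(msg):
    """File name of the first attachment."""
    for part in msg.iter_attachments():
        return part.get_filename()
    return None


if __name__ == "__main__":
    prof = build_profile("Corp VPN", "vpn.example.com", eap_id="alice")
    mail = profile_mail(prof, "it@example.com", "alice@example.com")
    print(attachment_media_type(mail), attachment_filename(mail))
    print(profile_bytes(prof).decode())
```

If the mail client on the sending side rewrites the attachment's Content-Type (some strip unknown vendor types down to application/octet-stream), attachment_media_type() on the message as received is the quickest way to see what the phone actually got.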


Re: [strongSwan] charon unmet dependency on native android build

2017-05-26 Thread Nathan Bahr

Just another update. I decided to try including all the conf files directly

include strongswan.d/charon/nonce.conf
include 

And that worked, where doing includes with wildcard (include 
/strongswan.d/charon/*.conf) does not work.
Still no indication on why it fails when I look at the logs. I added the 
flag --debug-cfg 4 and didn't get any extra logging that indicated any 
issues.


On 05/26/2017 10:43 AM, Nathan Bahr wrote:

Thanks Tobias,

So I changed my strongswan.conf file so that charon.load_modular = no 
and left everything else the same and the charon daemon was finally 
able to start up!


After that I decided to consolidate all the configuration into the 
strongswan.conf file and re-enabled load_modular and it continued to 
work so it definitely seems that including conf files is the problem.


For now this will work for me so I will continue with testing it out 
and making sure everything works.
There is one issue that popped up now that charon was able to start 
successfully.

I get these netlink errors.

00[LIB]   loading feature CUSTOM:kernel-ipsec in plugin 
'kernel-netlink'

00[KNL] sending XFRM_MSG_GETSPDINFO 201: => 20 bytes @ 0xbeba6580
00[KNL]0: 14 00 00 00 25 00 01 00 C9 00 00 00 C1 1E 00 00 
%...

00[KNL]   16: 00 00 00 00 
00[KNL] netlink write error: Invalid argument
00[KNL] sending XFRM_MSG_GETSPDINFO 202: => 20 bytes @ 0xbeba6580
00[KNL]0: 14 00 00 00 25 00 01 00 CA 00 00 00 C1 1E 00 00 
%...

00[KNL]   16: 00 00 00 00 
00[KNL] netlink write error: Invalid argument

My kernel should have all the right modules enabled, and all the other 
netlink messaging that I see in the log is fine.
It doesn't stop charon from starting though so for now I will push 
forward and see if I can establish a connection but any insight into 
why including conf files is failing would be appreciated because it 
does make it easier to configure connections.


One last thing, cross compiling strongswan for android was actually a 
lot easier than I expected, but besides adding the -llog flag for 
android logging, there was only one other hack I had to make in order 
for the build to be correct. On my target device, sh is located at 
/system/bin/sh, but in the ipsec script, the makefile is hardcoded to 
replace @IPSEC_SHELL@ with /bin/sh, so I just updated the makefile 
with the correct path for my environment. Being able to set that via a 
configure flag though would probably be useful.


Thanks again for the help!

On 05/26/2017 03:10 AM, Tobias Brunner wrote:

Hi Nathan,


> The output I get is (I get the same log output if I do ipsec start
> instead of executing charon directly):
>
> root@kltetmo:/ # charon
> 00[DMN] Starting IKE charon daemon (strongSwan 5.5.2, Linux 3.4.0, armv7l)
> 00[LIB] feature CUSTOM:libcharon in critical plugin 'charon' has unmet
> dependency: NONCE_GEN
> 00[LIB] feature CUSTOM:libcharon-receiver in critical plugin 'charon'
> has unmet dependency: HASHER:HASH_SHA1
> 00[LIB] feature CUSTOM:libcharon-sa-managers in critical plugin 'charon'
> has unmet dependency: HASHER:HASH_SHA1
> 00[LIB] failed to load 3 critical plugin features
> 00[DMN] initialization failed - aborting charon

You could try to increase the log level for the LIB and perhaps CFG
subsystems [1].

> (By the way, I had to add the -llog flag to LDFLAGS because
> --enable-android-log didn't do it for me automatically, not sure if that
> is an issue or I have something set up wrong.)

I've pushed a fix for that to master.

> I am using the same conf files that were generated from the make
> install, so strongswan.conf has load_modular = yes and includes all the
> plugin conf files. Each plugin conf file has load = yes.

This could be the problem, perhaps resolving the plugin list fails (e.g.
because including the files fails), which would also explain this:

> All the other executables seem to load ok, just running with --help to
> test loading libraries. For example this is the output of pki:

This tool uses a hard-coded plugin list determined at compile-time.
With the default config charon (and some of its charon-* derivatives) is
the only program that uses the modular configuration.  So you could also
try to disable charon.load_modular in strongswan.conf so charon's
hard-coded default plugin list is used.

Regards,
Tobias

[1]https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration 







--
Nathan Bahr
Architecture Technology Corp.
952-829-5864 x174
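Nathan's observation above (explicit include lines work, the wildcard include does not, and the logs say nothing) is the kind of thing a small resolver can make visible. The following is an added example in Python, not strongSwan code and not from anyone in the thread. It models strongswan.conf include handling in a simplified way and assumes that: include takes a shell-style glob; a relative pattern is resolved against the directory of the file that contains it; a pattern that matches nothing is silently skipped, which is what makes a bad path invisible in the daemon log. The sample configuration tree it builds is constructed for illustration and mirrors the layout from the thread; the leading-slash pattern is deliberately wrong so that it resolves to nothing.

```python
"""Resolve the include directives of a strongswan.conf tree and report the
patterns that match no file at all.

Added example; not part of strongSwan and not code from the thread. It is a
simplified model of include handling: shell-style globs, relative patterns
resolved against the including file's directory, unmatched patterns ignored
(all assumptions, see the lead-in).
"""
import glob
import os
import re
import tempfile

INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)\s*$")


def resolve_includes(conf_path, _seen=None):
    """Walk conf_path recursively. Returns a list of (file, pattern, matches)."""
    seen = _seen if _seen is not None else set()
    conf_path = os.path.abspath(conf_path)
    if conf_path in seen:          # guard against include loops
        return []
    seen.add(conf_path)
    base = os.path.dirname(conf_path)
    results = []
    with open(conf_path, encoding="utf-8") as fh:
        for line in fh:
            m = INCLUDE_RE.match(line.split("#", 1)[0])
            if not m:
                continue
            pattern = m.group(1)
            full = pattern if os.path.isabs(pattern) else os.path.join(base, pattern)
            matches = sorted(glob.glob(full))
            results.append((conf_path, pattern, matches))
            for child in matches:
                results.extend(resolve_includes(child, seen))
    return results


def dangling_includes(conf_path):
    """Patterns that resolve to no file: the first thing to check when
    plugins silently fail to load."""
    return [(f, p) for f, p, m in resolve_includes(conf_path) if not m]


def build_demo_tree(root):
    """Constructed sample tree mirroring the layout from the thread."""
    charon_d = os.path.join(root, "strongswan.d", "charon")
    os.makedirs(charon_d)
    for name in ("nonce.conf", "sha1.conf"):
        with open(os.path.join(charon_d, name), "w", encoding="utf-8") as fh:
            fh.write(f"{name[:-5]} {{\n    load = yes\n}}\n")
    conf = os.path.join(root, "strongswan.conf")
    with open(conf, "w", encoding="utf-8") as fh:
        fh.write(
            "charon {\n    load_modular = yes\n}\n"
            "include strongswan.d/charon/*.conf\n"    # relative: resolves
            "include /strongswan.d/charon/*.conf\n"   # leading slash: matches nothing
        )
    return conf


def demo():
    """Return ([(pattern, match_count), ...], [dangling_pattern, ...])."""
    with tempfile.TemporaryDirectory() as root:
        conf = build_demo_tree(root)
        resolved = [(p, len(m)) for _, p, m in resolve_includes(conf)]
        dangling = [p for _, p in dangling_includes(conf)]
    return resolved, dangling


if __name__ == "__main__":
    resolved, dangling = demo()
    for pattern, count in resolved:
        print(f"{pattern}: {count} file(s)")
    for pattern in dangling:
        print(f"WARNING: include matches nothing: {pattern}")
```

Run it against a real tree with resolve_includes("/etc/strongswan.conf") (or wherever the cross-compiled build installed it); any pattern that comes back with an empty match list is a candidate for the plugin-list failure Tobias suspects.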



Re: [strongSwan] IPv6 Remote Access

2017-05-26 Thread Noel Kuntze
Hello Dusan,

On 26.05.2017 16:52, Dusan Ilic wrote:
> Hi everyone,
>
> My ISP has just recently enabled IPv6 in their network (well, 6RD actually) 
> and I have it configured and working at the site.
> I would now also like to enable it on my remote access VPN in Strongswan too, 
> so I made a try with the following config; however, it doesn't seem to work. 
> According to the Strongswan log the client asks for IPv6 (Android in this case) 
> and gets assigned one (global from my public prefix).
>
> leftsubnet=0.0.0.0/0,2000::/3 (also tried with ::/0)
> rightsourceip=%dhcp,2001:2002:5ae1:c206:4466:d122:xxx:xxx
>
> This is a test, so that's why I'm only assigning one single IPv6 address for 
> the time being. IPv4 works as expected, but I can neither reach an IPv6 
> internet site nor ping the gateway or the Android client from the 
> gateway/clients behind the gateway.

Check if the IPv6 packets make it to the strongSwan host. And then make sure 
those IPv6 addresses are routed over the strongSwan host. If the subnet they're 
from is on the link,
you'll need to do proxy NDP on the strongSwan host, with either static 
records in the NDP table on the strongSwan host or by installing and configuring 
ndppd[1] on the strongSwan host.
>
> What I'm reacting to is that a route gets created for the IPv4 address in my 
> routing table, but none for the IPv6 address. Also checked with "ip -6 route".
> Is this a routing problem possibly, or maybe a firewall (iptables) problem?
The latter maybe. IPv6 traffic goes through ip6tables, not iptables.

> Just to be clear, the client is connecting to the Strongswan server with 
> IPv4, should receive an IPv6 global adress inside the tunnel and then my 
> Strongswan server should route it out on the internet (through the 
> 6RD-tunnel).
>
Read the FAQ[2], too.

Kind regards

Noel

[1] https://github.com/DanielAdolfsson/ndppd
[2] 
https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#IPsec-and-iptablesnftables







Re: [strongSwan] CONFIGURATION OF MULTIPLE CHILD SAs IN IPSEC.CONF FILE

2017-05-26 Thread Noel Kuntze
Hi,

Doing it in iptables is a bad idea, because you then need to bind the rules to 
the different tunnels by use of the policy match module with --tunnel-src, 
--tunnel-dst or --reqid.
You either need to use static reqids (which you can't if there are several 
peers for the same conn) or use the --tunnel-src and --tunnel-dst arguments, 
where you need to
add and remove rules dynamically depending on the local and remote IP. You also 
need to apply those rules in *filter INPUT, FORWARD and OUTPUT, because you 
need to
restrict access to and from the remote peer, not just for traffic that is 
routed over this host. And even then, the policy is mandatory not optional, so 
you end up
basically blackholing or blacklisting the traffic between the endpoints which 
is not allowed, independent of whether you actually intended the ACL to apply to 
the tunnel or not.

So just say no to that. You could construct passthrough policies around the TS 
you actually want to tunnel, but you'll need to negotiate a larger traffic 
selector
than you actually need. There's no way around that. With passthrough policies, 
you won't need to do the fancy iptables stuff (having to potentially play with 
marks, too)
and don't get the blackhole problem.

Kind regards

Noel

On 26.05.2017 16:54, Eric Germann wrote:
> You can’t do it in Strongswan directly, but if you combine SS + iptables you 
> can (assuming Linux here, but concept is same).
> 
> rightsubnet = 172.27.186.64/28# This puts 172.27.186.64 -> 80 in the 
> tunnel scope
> leftsubnet = 172.30.200.172/29# This puts 172.30.200.172 -> 180 in 
> the tunnel scope
> 
> 
> Then in iptables, do explicit FORWARD statement for the hosts (/32’s) you 
> want to forward.  You can get as fancy or simple as you want, from all 
> ports/protocols to individual port/protocol combinations with state tracking.
> 
> Let SS do the forwarding/crypto and the FW do the access control.
> 
> EKG
> 
>> On May 26, 2017, at 8:27 AM, Noel Kuntze 
>>  wrote:
>>
>> Hello Chris,
>>
>> You can't.
>>
>> Kind regards,
>> Noel
>>
>> On 26.05.2017 10:30, christopher kamutumwa wrote:
>>> Hello all,
>>>
>>> I have a query: how can I configure multiple Child SAs for a range of IPs in 
>>> the ipsec.conf file, e.g. the IPs below?
>>>
>>> right subnet = 172.27.186.71-74
>>> right subnet = 172.27.186.64-66
>>> left subnet = 172.30.200.172-176
>>>
>>> will appreciate any help rendered
>>>
>>> regards
>>>
>>> chris
>>>
>>>
>>
>> <0x0739AD6C.asc>
> 



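The covering-prefix approach that Eric and Noel discuss can be worked through mechanically: negotiate the smallest prefix that contains every host you want, then list the blocks inside that prefix which must stay out of the tunnel and give each one a passthrough conn. The script below is an added example in Python, not strongSwan code and not from anyone in the thread. The host ranges are the ones Chris posted; the conn names and the ipsec.conf text that render_conf() produces are assumptions for illustration. Note Noel's caveat still applies: the traffic selector you negotiate is larger than what you actually tunnel.

```python
"""Traffic selectors for the covering-prefix approach: one prefix that covers
every wanted host, plus the blocks inside it that must not be tunnelled, for
passthrough policies.

Added example; not code from strongSwan or from anyone in the thread. The
host ranges are the ones from the thread; conn names and the generated
ipsec.conf layout are assumptions.
"""
import ipaddress


def parse_range(text):
    """'172.27.186.71-74' or '172.27.186.71-172.27.186.74' -> (first, last)."""
    first, last = text.split("-")
    first = ipaddress.IPv4Address(first)
    if "." not in last:  # short form: only the final octet was given
        last = ipaddress.IPv4Address(first.packed[:3] + bytes([int(last)]))
    else:
        last = ipaddress.IPv4Address(last)
    if last < first:
        raise ValueError(f"range runs backwards: {text}")
    return first, last


def covering_prefix(ranges):
    """Smallest single CIDR block containing every address in ranges."""
    lo = min(first for first, _ in ranges)
    hi = max(last for _, last in ranges)
    net = ipaddress.ip_network(f"{lo}/32")
    while hi not in net:
        net = net.supernet()
    return net


def passthrough_prefixes(cover, ranges):
    """CIDR blocks inside cover that belong to no wanted range."""
    wanted = []
    for first, last in ranges:
        wanted.extend(ipaddress.summarize_address_range(first, last))
    leftover = [cover]
    for w in wanted:
        nxt = []
        for block in leftover:
            if block.subnet_of(w):
                continue                          # entirely wanted: drop it
            if w.subnet_of(block):
                nxt.extend(block.address_exclude(w))  # punch the hole
            else:
                nxt.append(block)                 # disjoint: keep as is
        leftover = nxt
    return sorted(ipaddress.collapse_addresses(leftover))


def render_conf(left_ranges, right_ranges, conn="site"):
    """ipsec.conf text: the tunnel conn plus one passthrough conn per hole."""
    left = covering_prefix(left_ranges)
    right = covering_prefix(right_ranges)
    out = [f"conn {conn}",
           f"    leftsubnet={left}",
           f"    rightsubnet={right}",
           "    auto=route",
           ""]
    holes = [(left, r) for r in passthrough_prefixes(right, right_ranges)]
    holes += [(l, right) for l in passthrough_prefixes(left, left_ranges)]
    for i, (l, r) in enumerate(holes, 1):
        out += [f"conn {conn}-pass{i}",
                "    type=passthrough",
                f"    leftsubnet={l}",
                f"    rightsubnet={r}",
                "    auto=route",
                ""]
    return "\n".join(out)


# The ranges from the thread (remote side first).
RIGHT = [parse_range("172.27.186.71-74"), parse_range("172.27.186.64-66")]
LEFT = [parse_range("172.30.200.172-176")]

if __name__ == "__main__":
    print(render_conf(LEFT, RIGHT))
```

For Chris's ranges the remote cover comes out as 172.27.186.64/28 with five holes (.67, .68/31, .70, .75, .76/30); the local range .172-.176 straddles a /28 boundary, so its cover is 172.30.200.160/27 and the holes are correspondingly larger. Every hole becomes a passthrough conn, which is the "fancy iptables stuff" Noel says you then no longer need.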


Re: [strongSwan] charon unmet dependency on native android build

2017-05-26 Thread Nathan Bahr

Thanks Tobias,

So I changed my strongswan.conf file so that charon.load_modular = no 
and left everything else the same and the charon daemon was finally able 
to start up!


After that I decided to consolidate all the configuration into the 
strongswan.conf file and re-enabled load_modular and it continued to 
work so it definitely seems that including conf files is the problem.


For now this will work for me so I will continue with testing it out and 
making sure everything works.
There is one issue that popped up now that charon was able to start 
successfully.

I get these netlink errors.

00[LIB]   loading feature CUSTOM:kernel-ipsec in plugin 'kernel-netlink'
00[KNL] sending XFRM_MSG_GETSPDINFO 201: => 20 bytes @ 0xbeba6580
00[KNL]0: 14 00 00 00 25 00 01 00 C9 00 00 00 C1 1E 00 00 
%...

00[KNL]   16: 00 00 00 00  
00[KNL] netlink write error: Invalid argument
00[KNL] sending XFRM_MSG_GETSPDINFO 202: => 20 bytes @ 0xbeba6580
00[KNL]0: 14 00 00 00 25 00 01 00 CA 00 00 00 C1 1E 00 00 
%...

00[KNL]   16: 00 00 00 00  
00[KNL] netlink write error: Invalid argument

My kernel should have all the right modules enabled, and all the other 
netlink messaging that I see in the log is fine.
It doesn't stop charon from starting though so for now I will push 
forward and see if I can establish a connection but any insight into why 
including conf files is failing would be appreciated because it does 
make it easier to configure connections.


One last thing, cross compiling strongswan for android was actually a 
lot easier than I expected, but besides adding the -llog flag for 
android logging, there was only one other hack I had to make in order 
for the build to be correct. On my target device, sh is located at 
/system/bin/sh, but in the ipsec script, the makefile is hardcoded to 
replace @IPSEC_SHELL@ with /bin/sh, so I just updated the makefile with 
the correct path for my environment. Being able to set that via a 
configure flag though would probably be useful.


Thanks again for the help!

On 05/26/2017 03:10 AM, Tobias Brunner wrote:

Hi Nathan,


> The output I get is (I get the same log output if I do ipsec start
> instead of executing charon directly):
>
> root@kltetmo:/ # charon
> 00[DMN] Starting IKE charon daemon (strongSwan 5.5.2, Linux 3.4.0, armv7l)
> 00[LIB] feature CUSTOM:libcharon in critical plugin 'charon' has unmet
> dependency: NONCE_GEN
> 00[LIB] feature CUSTOM:libcharon-receiver in critical plugin 'charon'
> has unmet dependency: HASHER:HASH_SHA1
> 00[LIB] feature CUSTOM:libcharon-sa-managers in critical plugin 'charon'
> has unmet dependency: HASHER:HASH_SHA1
> 00[LIB] failed to load 3 critical plugin features
> 00[DMN] initialization failed - aborting charon

You could try to increase the log level for the LIB and perhaps CFG
subsystems [1].

> (By the way, I had to add the -llog flag to LDFLAGS because
> --enable-android-log didn't do it for me automatically, not sure if that
> is an issue or I have something set up wrong.)

I've pushed a fix for that to master.

> I am using the same conf files that were generated from the make
> install, so strongswan.conf has load_modular = yes and includes all the
> plugin conf files. Each plugin conf file has load = yes.

This could be the problem, perhaps resolving the plugin list fails (e.g.
because including the files fails), which would also explain this:

> All the other executables seem to load ok, just running with --help to
> test loading libraries. For example this is the output of pki:

This tool uses a hard-coded plugin list determined at compile-time.
With the default config charon (and some of its charon-* derivatives) is
the only program that uses the modular configuration.  So you could also
try to disable charon.load_modular in strongswan.conf so charon's
hard-coded default plugin list is used.

Regards,
Tobias

[1]https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration



--
Nathan Bahr
Architecture Technology Corp.
952-829-5864 x174



Re: [strongSwan] CONFIGURATION OF MULTIPLE CHILD SAs IN IPSEC.CONF FILE

2017-05-26 Thread Eric Germann
You can’t do it in Strongswan directly, but if you combine SS + iptables you 
can (assuming Linux here, but concept is same).

rightsubnet = 172.27.186.64/28  # This puts 172.27.186.64 -> 80 in the tunnel 
scope
leftsubnet = 172.30.200.172/29  # This puts 172.30.200.172 -> 180 in the tunnel 
scope


Then in iptables, do explicit FORWARD statement for the hosts (/32’s) you want 
to forward.  You can get as fancy or simple as you want, from all 
ports/protocols to individual port/protocol combinations with state tracking.

Let SS do the forwarding/crypto and the FW do the access control.

EKG

> On May 26, 2017, at 8:27 AM, Noel Kuntze 
>  wrote:
> 
> Hello Chris,
> 
> You can't.
> 
> Kind regards,
> Noel
> 
> On 26.05.2017 10:30, christopher kamutumwa wrote:
>> Hello all,
>> 
>> I have a query: how can I configure multiple Child SAs for a range of IPs in 
>> the ipsec.conf file, e.g. the IPs below?
>> 
>> right subnet = 172.27.186.71-74
>> right subnet = 172.27.186.64-66
>> left subnet = 172.30.200.172-176
>> 
>> will appreciate any help rendered
>> 
>> regards
>> 
>> chris
>> 
>> 
> 
> <0x0739AD6C.asc>





[strongSwan] IPv6 Remote Access

2017-05-26 Thread Dusan Ilic

Hi everyone,

My ISP has just recently enabled IPv6 in their network (well, 6RD 
actually) and I have it configured and working at the site.
I would now also like to enable it on my remote access VPN in Strongswan 
too, so I made a try with the following config; however, it doesn't seem to 
work. According to the Strongswan log the client asks for IPv6 (Android in 
this case) and gets assigned one (global from my public prefix).


leftsubnet=0.0.0.0/0,2000::/3 (also tried with ::/0)
rightsourceip=%dhcp,2001:2002:5ae1:c206:4466:d122:xxx:xxx

This is a test, so that's why I'm only assigning one single IPv6 address 
for the time being. IPv4 works as expected, but I can neither reach an 
IPv6 internet site nor ping the gateway or the Android client from the 
gateway/clients behind the gateway.


What I'm reacting to is that a route gets created for the IPv4 address in 
my routing table, but none for the IPv6 address. Also checked with "ip -6 
route".

Is this a routing problem possibly, or maybe a firewall (iptables) problem?
Just to be clear, the client is connecting to the Strongswan server with 
IPv4, should receive an IPv6 global adress inside the tunnel and then my 
Strongswan server should route it out on the internet (through the 
6RD-tunnel).




Re: [strongSwan] Rigthid diferent to right problem.

2017-05-26 Thread Noel Kuntze
Hello Jordi,



On 26.05.2017 07:49, Jordi Casanellas wrote:
> The problem I have is that the client has a virtual vpbox with Movistar.
> In the 3 VPNs the "rightid" is the same to sign
What is "vpbox" and "Movistar"?
rightid from whose perspective? For IPsec VPNs to work correctly, remote peers 
have to have distinct IDs.
>
> So to be able to bring up the VPN I need to sign with a different IP than the
> one assigned.
How do you mean that? Which is assigned? Sign what? Do you mean to write "Sign 
in"?

>
> Currently I have it working in this way from the Cisco to the provider
> "Gigas".
>
> But I want to pass it on to strongswan
>
> In the file configuration file.conf is the following:
>
>
> ---START CONFIG ---
> config setup
>
> conn client
>
> left=81.29.122.250 
> leftsubnet=192.168.100.0/24 
> leftid=81.29.122.250 
>
> right=86.45.281.11
> rightid=217.124.116.61 (is necessary for sign) 
> rightsubnet=192.168.202.0/24 
> #Encryption
> keyingtries=0

> esp=3des-sha1-modp1024
> ike=3des-sha1-modp1024
That cipher suite is deprecated and insecure.
From the SecurityRecommendations page[1]:
>
>
> SWEET32
>
> Because of the attack called SWEET32 , 3DES and 
> BLOWFISH are now considered insecure.
> Use AES instead. 3DES and BLOWFISH use a block size of 64 bits. That enables 
> birthday attacks on the encrypted data packets. 
> AES uses a block size of 128 bits, which is secure.
>
(SWEET32 links to https://sweet32.info/)
> authby=secret
> keyexchange=ikev1
> rekey=no
>
> #lifetime
>
> ikelifetime=60s
> lifetime=8h
> auto=route
> - END CONFIG 
>
> I tested with rightid=%any and it does not work.
> I tested with rightid set to the same value as the right parameter; it works, 
> but traffic does not flow and the tunnel is not up.
>
> I found this plugin, duplicheck:
> https://wiki.strongswan.org/projects/strongswan/wiki/Duplicheck#Behavior 
> 
> But I need to sign the VPN with another IP.
>
>
> ERROR Syslog ---
> May 25 18:36:22 CL2017032010001 charon: 10[ENC] parsed INFORMATIONAL_V1
> request 2895156184  [ HASH N((24576)) ]
> May 25 18:36:22 CL2017032010001 charon: 10[IKE] received (24576) notify
> May 25 18:36:22 CL2017032010001 charon: 11[NET] received packet: from
> xx.xx.xxx.xx[4500] to xx.xx.xx.xx[4500] (356 bytes)
> May 25 18:36:22 CL2017032010001 charon: 11[ENC] parsed INFORMATIONAL_V1
> request 1735012586 [ HASH N(INVAL_ID) ]
> May 25 18:36:22 CL2017032010001 charon: 11[IKE] received
> INVALID_ID_INFORMATION error notify
That means that the remote peer didn't like the left- and rightsubnet settings.
Read the logs of the remote peer. There is no more knowledge to gain in reading 
charon's logs.

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations




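To make Noel's point about the proposal checkable rather than something you notice by eye, here is an added example in Python (not strongSwan code, not from anyone in the thread) that parses the ike=/esp= lines of a conn and flags 64-bit block ciphers (the SWEET32 issue from the SecurityRecommendations page), plus two further things the same page warns about: MD5 and MODP groups below 2048 bits. WEAK_CONN carries Jordi's two proposal lines with the rest of the conn trimmed; FIXED_CONN is an assumed replacement for illustration, not a setting the thread prescribes.

```python
"""Lint ike=/esp= proposals in an ipsec.conf conn block.

Added example; not strongSwan code and not from the thread. WEAK_CONN holds
the proposal lines from the thread; FIXED_CONN is an assumed replacement.
"""

# 64-bit block ciphers: birthday-bound attacks on long-lived SAs (SWEET32).
BLOCK64 = {"3des", "des", "blowfish", "blowfish128", "blowfish192",
           "blowfish256", "cast128"}
# MODP groups below 2048 bits.
SMALL_MODP = {"modp768": 768, "modp1024": 1024, "modp1536": 1536}
CHECKED_KEYS = ("ike", "esp", "ah")


def parse_conn(text):
    """key=value pairs of one conn block; comments and blank lines ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def lint_proposal(key, value):
    """Findings for one proposal list, e.g. '3des-sha1-modp1024,aes256-sha256-modp2048!'."""
    findings = []
    for proposal in value.rstrip("!").split(","):
        for alg in proposal.split("-"):
            a = alg.lower()
            if a in BLOCK64:
                findings.append(f"{key}: {alg} uses a 64-bit block (SWEET32); use AES")
            elif a == "md5":
                findings.append(f"{key}: md5 is broken; use sha256 or stronger")
            elif a in SMALL_MODP:
                findings.append(f"{key}: {alg} is a {SMALL_MODP[a]}-bit DH group; "
                                "use modp2048 or larger")
    return findings


def lint_conn(text):
    """All findings for the ike=, esp= and ah= lines present in the conn."""
    settings = parse_conn(text)
    findings = []
    for key in CHECKED_KEYS:
        if key in settings:
            findings.extend(lint_proposal(key, settings[key]))
    return findings


# Proposal lines from the thread, rest of the conn trimmed.
WEAK_CONN = """
conn client
    keyexchange=ikev1
    ike=3des-sha1-modp1024
    esp=3des-sha1-modp1024
"""

# Assumed replacement for illustration: AES, SHA-256, 2048-bit MODP, strict.
FIXED_CONN = """
conn client
    keyexchange=ikev1
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256-modp2048!
"""

if __name__ == "__main__":
    for label, conn in (("weak", WEAK_CONN), ("fixed", FIXED_CONN)):
        print(f"{label}: {lint_conn(conn) or ['no findings']}")
```

The trailing "!" in the fixed proposals is the strict flag: without it the peer can still negotiate something the linter would flag, so checking the config file alone is not the same as checking what the two ends actually agree on.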


Re: [strongSwan] CONFIGURATION OF MULTIPLE CHILD SAs IN IPSEC.CONF FILE

2017-05-26 Thread Noel Kuntze
Hello Chris,

You can't.

Kind regards,
Noel

On 26.05.2017 10:30, christopher kamutumwa wrote:
> Hello all,
>
> I have a query: how can I configure multiple Child SAs for a range of IPs in the 
> ipsec.conf file, e.g. the IPs below?
>
> right subnet = 172.27.186.71-74
> right subnet = 172.27.186.64-66
> left subnet = 172.30.200.172-176
>
> will appreciate any help rendered
>
> regards
>
> chris
>
>





[strongSwan] CONFIGURATION OF MULTIPLE CHILD SAs IN IPSEC.CONF FILE

2017-05-26 Thread christopher kamutumwa
Hello all,

I have a query: how can I configure multiple Child SAs for a range of IPs in
the ipsec.conf file, e.g. the IPs below?

right subnet = 172.27.186.71-74
right subnet = 172.27.186.64-66
left subnet = 172.30.200.172-176

will appreciate any help rendered

regards

chris


Re: [strongSwan] charon unmet dependency on native android build

2017-05-26 Thread Tobias Brunner
Hi Nathan,

> The output I get is (I get the same log output if I do ipsec start 
> instead of executing charon directly):
> 
> root@kltetmo:/ # charon
> 00[DMN] Starting IKE charon daemon (strongSwan 5.5.2, Linux 3.4.0, armv7l)
> 00[LIB] feature CUSTOM:libcharon in critical plugin 'charon' has unmet 
> dependency: NONCE_GEN
> 00[LIB] feature CUSTOM:libcharon-receiver in critical plugin 'charon' 
> has unmet dependency: HASHER:HASH_SHA1
> 00[LIB] feature CUSTOM:libcharon-sa-managers in critical plugin 'charon' 
> has unmet dependency: HASHER:HASH_SHA1
> 00[LIB] failed to load 3 critical plugin features
> 00[DMN] initialization failed - aborting charon

You could try to increase the log level for the LIB and perhaps CFG
subsystems [1].

> (By the way, I had to add the -llog flag to LDFLAGS because 
> --enable-android-log didn't do it for me automatically, not sure if that 
> is an issue or I have something set up wrong.)

I've pushed a fix for that to master.

> I am using the same conf files that were generated from the make 
> install, so strongswan.conf has load_modular = yes and includes all the 
> plugin conf files. Each plugin conf file has load = yes.

This could be the problem, perhaps resolving the plugin list fails (e.g.
because including the files fails), which would also explain this:

> All the other executables seem to load ok, just running with --help to 
> test loading libraries. For example this is the output of pki:

This tool uses a hard-coded plugin list determined at compile-time.
With the default config charon (and some of its charon-* derivatives) is
the only program that uses the modular configuration.  So you could also
try to disable charon.load_modular in strongswan.conf so charon's
hard-coded default plugin list is used.

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration


[strongSwan] unable to install policy

2017-05-26 Thread Rafał Sanocki

Hello,

I've been trying to configure a VPN for multiple Windows clients with 
IKEv2 and authentication by rsasig.
The Windows client can connect the first time, but when I manually try to 
reconnect after a few seconds I get an error.

Log from strongSwan:

May 26 09:41:06 src@px2 charon: 05[IKE] received MS NT5 ISAKMPOAKLEY v9 
vendor ID
May 26 09:41:06 src@px2 charon: 05[IKE] received MS-Negotiation 
Discovery Capable vendor ID
May 26 09:41:06 src@px2 charon: 05[IKE] received Vid-Initial-Contact 
vendor ID

May 26 09:41:06 src@px2 charon: 05[IKE] 78.133.xx.xx is initiating an IKE_SA
May 26 09:41:06 src@px2 charon: 05[IKE] 78.133.xx.xx is initiating an IKE_SA
May 26 09:41:06 src@px2 charon: 05[IKE] remote host is behind NAT
May 26 09:41:06 src@px2 charon: 05[IKE] sending cert request for "C=AA, 
ST=BB, O=CC, OU=DD, CN=Publisher Root Authority, E=ad...@test.com"
May 26 09:41:06 src@px2 charon: 05[IKE] sending cert request for "C=AA, 
ST=BB, O=CC, OU=DD, CN=Publisher SEC Root Class 2, E=ad...@test.com"
May 26 09:41:07 src@px2 charon: 13[IKE] received cert request for "C=AA, 
ST=BB, O=CC, OU=DD, CN=Publisher SEC Root Class 2, E=ad...@test.com"
May 26 09:41:07 src@px2 charon: 13[IKE] received cert request for "C=AA, 
ST=BB, O=CC, OU=DD, CN=Publisher Root Authority, E=ad...@test.com"
May 26 09:41:07 src@px2 charon: 13[IKE] received 34 cert requests for an 
unknown ca
May 26 09:41:07 src@px2 charon: 13[IKE] received end entity cert "C=AA, 
ST=BB, O=CC, OU=Sec man, CN=user1.test.com, E=us...@test.com"
May 26 09:41:07 src@px2 charon: 13[IKE] received issuer cert "C=AA, 
ST=BB, O=CC, OU=DD, CN=Publisher SEC Root Class 2, E=ad...@test.com"
May 26 09:41:07 src@px2 charon: 13[CFG] looking for peer configs 
matching 176.xx.xx.xx[%any]...78.133.xx.xx[C=AA, ST=BB, O=CC, OU=Sec 
man, CN=user1.test.com, E=us...@test.com]
May 26 09:41:07 src@px2 charon: 13[CFG] selected peer config 
'vpn-ikev2-user1'
May 26 09:41:07 src@px2 charon: 13[CFG]   using certificate "C=AA, 
ST=BB, O=CC, OU=Sec man, CN=user1.test.com, E=us...@test.com"
May 26 09:41:07 src@px2 charon: 13[CFG]   using trusted intermediate ca 
certificate "C=AA, ST=BB, O=CC, OU=DD, CN=Publisher SEC Root Class 2, 
E=ad...@test.com"
May 26 09:41:07 src@px2 charon: 13[CFG] checking certificate status of 
"C=AA, ST=BB, O=CC, OU=Sec man, CN=user1.test.com, E=us...@test.com"
May 26 09:41:07 src@px2 charon: 13[CFG]   using trusted ca certificate 
"C=AA, ST=BB, O=CC, OU=DD, CN=Publisher Root Authority, E=ad...@test.com"
May 26 09:41:07 src@px2 charon: 13[CFG] checking certificate status of 
"C=AA, ST=BB, O=CC, OU=DD, CN=Publisher SEC Root Class 2, E=ad...@test.com"
May 26 09:41:07 src@px2 charon: 13[CFG]   reached self-signed root ca 
with a path length of 1
May 26 09:41:07 src@px2 charon: 13[IKE] authentication of 'C=AA, ST=BB, 
O=CC, OU=Sec man, CN=user1.test.com, E=us...@test.com' with RSA 
signature successful

May 26 09:41:07 src@px2 charon: 13[IKE] peer supports MOBIKE
May 26 09:41:07 src@px2 charon: 13[IKE] authentication of 
'proxy.test.com' (myself) with RSA signature successful
May 26 09:41:07 src@px2 charon: 13[IKE] IKE_SA vpn-ikev2-user1[4] 
established between 176.xx.xx.xx[proxy.test.com]...78.133.xx.xx[C=AA, 
ST=BB, O=CC, OU=Sec man, CN=user1.test.com, E=us...@test.com]
May 26 09:41:07 src@px2 charon: 13[IKE] IKE_SA vpn-ikev2-user1[4] 
established between 176.xx.xx.xx[proxy.test.com]...78.133.xx.xx[C=AA, 
ST=BB, O=CC, OU=Sec man, CN=user1.test.com, E=us...@test.com]
May 26 09:41:07 src@px2 charon: 13[IKE] scheduling reauthentication in 
10204s

May 26 09:41:07 src@px2 charon: 13[IKE] maximum IKE_SA lifetime 10744s
May 26 09:41:07 src@px2 charon: 13[IKE] sending end entity cert "C=AA, 
ST=BB, O=CC, OU=Sec man, CN=proxy.test.com, E=ad...@test.com"

May 26 09:41:07 src@px2 charon: 13[IKE] peer requested virtual IP %any
May 26 09:41:07 src@px2 charon: 13[CFG] reassigning offline lease to 
'C=AA, ST=BB, O=CC, OU=Sec man, CN=user1.test.com, E=us...@test.com'
May 26 09:41:07 src@px2 charon: 13[IKE] assigning virtual IP 
10.100.1.222 to peer 'C=AA, ST=BB, O=CC, OU=Sec man, CN=user1.test.com, 
E=us...@test.com'
May 26 09:41:07 src@px2 charon: 13[CFG] unable to install policy 
0.0.0.0/0 === 10.100.1.222/32 out (mark 0/0x) for reqid 3, the 
same policy for reqid 1 exists
May 26 09:41:07 src@px2 charon: 13[CFG] unable to install policy 
10.100.1.222/32 === 0.0.0.0/0 in (mark 0/0x) for reqid 3, the 
same policy for reqid 1 exists
May 26 09:41:07 src@px2 charon: 13[CFG] unable to install policy 
10.100.1.222/32 === 0.0.0.0/0 fwd (mark 0/0x) for reqid 3, the 
same policy for reqid 1 exists
May 26 09:41:07 src@px2 charon: 13[CFG] unable to install policy 
0.0.0.0/0 === 10.100.1.222/32 out (mark 0/0x) for reqid 3, the 
same policy for reqid 1 exists
May 26 09:41:07 src@px2 charon: 13[CFG] unable to install policy 
10.100.1.222/32 === 0.0.0.0/0 in (mark 0/0x) for reqid 3, the 
same policy for reqid 1 exists
May 26 09:41:07 src@px2 charon: 13[CFG] unable to