Hi List,

To further the issue below I've adjusted the key lengths as suggested and got 
the third party to do the same. We had a repeat of the connection issue that I 
describe in the email below.

The connection from our view appears to be operational. An ipsec status 
provided me with:

http://pastebin.com/YzZHJ82r

This suggests that our VPN tunnels are up however the strongswan 5.1.3 instance 
we connect to only has one tunnel operational and it suggests the others are 
down.

The owner of the strongswan restarted his instance to find that the same tunnel 
came up but from our point of view it looks as if that instance only sent 
one proposal. Please see Oct 10 14:48:49 in the log below.

http://pastebin.com/pFQ42tG9

I'm at a loss as to what to try. We know our instance is stable with another VPN 
using a similar configuration; it only appears to be this strongswan system which 
is problematic.

If anyone has any suggestions I would be grateful!

Thanks

Joe
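
Added example (not part of the original messages and not libreswan code): a small Python triage script for the kind of `ipsec status` output quoted later in this thread. It re-joins the mail-wrapped records and flags connections without an IPsec SA, connections that share traffic selectors, connections with more than one established IPsec SA, and eroute-owner SAs that have carried no traffic. The sample input is abridged from that output; the finding codes are names made up for this example.

```python
import re
from collections import defaultdict

# Constructed sample: records abridged from the `ipsec status` output in this
# thread, with the mail client's line wrapping kept on purpose.
SAMPLE = '''\
000 "ssl-iptrafficsig-1/1x0":
10.2.170.0/26===10.59.31.49<10.59.31.49>[LOCAL_END_HOST]---10.59.31.54...REMOTE_END_HOST<REMOTE_END_HOST>===10.199.0.0/28;
 erouted; eroute owner: #23
000 "ssl-iptrafficsig-1/1x0":   newest ISAKMP SA: #0; newest IPsec SA: #23;
000 #23: "ssl-iptrafficsig-1/1x0":4500 STATE_QUICK_I2 (sent QI2, IPsec SA
established); EVENT_SA_REPLACE in 2518s; newest IPSEC; eroute owner; isakmp#1;
idle; import:admin initiate
000 #23: "ssl-iptrafficsig-1/1x0" esp.c98a55c4@REMOTE_END_HOST
esp.7c7e290f@10.59.31.49 tun.0@REMOTE_END_HOST tun.0@10.59.31.49 ref=0
refhim=4294901761 Traffic: ESPout=58KB ESPin=567KB! ESPmax=4194303B
000 #20: "ssl-iptrafficsig-1/1x0":4500 STATE_QUICK_I2 (sent QI2, IPsec SA
established); EVENT_SA_REPLACE in 2411s; isakmp#1; idle; import:admin initiate
000 "ssl-iptrafficsig-1/10x0":
10.2.130.64/28===10.59.31.49<10.59.31.49>[LOCAL_END_HOST]---10.59.31.54...REMOTE_END_HOST<REMOTE_END_HOST>===10.199.0.0/28;
 erouted; eroute owner: #5
000 "ssl-iptrafficsig-1/10x0":   newest ISAKMP SA: #0; newest IPsec SA: #5;
000 #5: "ssl-iptrafficsig-1/10x0":4500 STATE_QUICK_I2 (sent QI2, IPsec SA
established); EVENT_SA_REPLACE in 2458s; newest IPSEC; eroute owner; isakmp#1;
idle; import:admin initiate
000 #5: "ssl-iptrafficsig-1/10x0" esp.c12547a1@REMOTE_END_HOST
esp.fba10b48@10.59.31.49 tun.0@REMOTE_END_HOST tun.0@10.59.31.49 ref=0
refhim=4294901761 Traffic: ESPout=0B ESPin=0B! ESPmax=4194303B
000 "ssl-iptrafficsig-1/7x0":
10.2.166.0/26===10.59.31.49<10.59.31.49>[LOCAL_END_HOST]---10.59.31.54...REMOTE_END_HOST<REMOTE_END_HOST>===10.199.0.0/28;
 erouted; eroute owner: #16
000 "ssl-iptrafficsig-1/7x0":   newest ISAKMP SA: #0; newest IPsec SA: #16;
000 "ssl-iptrafficsig-1/9x0":
10.2.166.0/26===10.59.31.49<10.59.31.49>[LOCAL_END_HOST]---10.59.31.54...REMOTE_END_HOST<REMOTE_END_HOST>===10.199.0.0/28;
 unrouted; eroute owner: #0
000 "ssl-iptrafficsig-1/9x0":   newest ISAKMP SA: #1; newest IPsec SA: #0;
'''

ROUTE = re.compile(r'^000 "(?P<conn>[^"]+)":\s+(?P<left>[^=\s]+)===.*===(?P<right>[^;\s]+);'
                   r'\s*(?P<routing>[^;]+); eroute owner: #(?P<owner>\d+)')
NEWEST = re.compile(r'^000 "(?P<conn>[^"]+)":\s+newest ISAKMP SA: #\d+; newest IPsec SA: #(?P<ipsec>\d+)')
STATE = re.compile(r'^000 #(?P<sa>\d+): "(?P<conn>[^"]+)":\d+ (?P<state>STATE_\w+) '
                   r'.*?EVENT_SA_REPLACE in (?P<secs>\d+)s')
TRAFFIC = re.compile(r'^000 #(?P<sa>\d+): "(?P<conn>[^"]+)" esp\..*Traffic: '
                     r'ESPout=(?P<out>\w+) ESPin=(?P<inn>\w+)')

def unwrap(text):
    """Re-join wrapped records: every real record starts with '000'."""
    records = []
    for line in text.splitlines():
        if line.startswith("000"):
            records.append(line.rstrip())
        elif line.strip() and records:
            records[-1] += " " + line.strip()
    return records

def parse_status(text):
    """Return {connection: {selectors, routing, owner, newest_ipsec, sas}}."""
    conns = defaultdict(lambda: {"selectors": None, "routing": None, "owner": 0, "newest_ipsec": 0, "sas": {}})
    for rec in unwrap(text):
        if m := ROUTE.match(rec):
            conns[m["conn"]].update(selectors=(m["left"], m["right"]),
                                    routing=m["routing"].strip(), owner=int(m["owner"]))
        elif m := NEWEST.match(rec):
            conns[m["conn"]]["newest_ipsec"] = int(m["ipsec"])
        elif m := STATE.match(rec):
            conns[m["conn"]]["sas"].setdefault(int(m["sa"]), {}).update(state=m["state"], replace_in=int(m["secs"]))
        elif m := TRAFFIC.match(rec):
            conns[m["conn"]]["sas"].setdefault(int(m["sa"]), {}).update(out=m["out"], inn=m["inn"])
    return dict(conns)

def findings(conns):
    """Return {connection: [(code, detail), ...]}; the codes are this example's own names."""
    by_selector = defaultdict(list)
    for name, c in conns.items():
        by_selector[c["selectors"]].append(name)
    report = {}
    for name, c in conns.items():
        found = []
        if c["routing"] != "erouted" or c["newest_ipsec"] == 0:
            found.append(("NO_IPSEC_SA", f"routing={c['routing']}"))
        twins = [n for n in by_selector[c["selectors"]] if n != name]
        if c["selectors"] and twins:
            found.append(("DUPLICATE_SELECTORS", f"{'==='.join(c['selectors'])} also on {', '.join(twins)}"))
        quick = sorted(sa for sa, s in c["sas"].items() if s.get("state", "").startswith("STATE_QUICK"))
        if len(quick) > 1:
            found.append(("PARALLEL_IPSEC_SAS", f"SAs {quick}; eroute owner is #{c['owner']}"))
        owner = c["sas"].get(c["owner"], {})
        if owner.get("out") == "0B" and owner.get("inn") == "0B":
            found.append(("OWNER_SA_IDLE", f"#{c['owner']} shows ESPout=0B ESPin=0B"))
        report[name] = found
    return report

if __name__ == "__main__":
    for name, found in findings(parse_status(SAMPLE)).items():
        for code, detail in found:
            print(f"{name}: {code}: {detail}")
```

Running the same checks on both peers' status output at the moment of failure shows which side still holds an IPsec SA for each subnet pair.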

-----Original Message-----
From: Paul Wouters [mailto:p...@nohats.ca] 
Sent: 20 September 2016 17:18
To: Madden, Joe <joe.mad...@mottmac.com>
Cc: swan@lists.libreswan.org
Subject: Re: [Swan] Stronswan / Libreswan - Tunnel disconnects and becomes 
prospective erouted

On Tue, 20 Sep 2016, Madden, Joe wrote:

> Just trying to resolve an issue we have with VPNs disconnecting from a 
> Stronswan client.
> 
> When I restart my end of the VPN the VPNs establish and operate fine. 
> After a random amount of time with no apparent user action some of the 
> VPN tunnels will become “prospective erouted”

You didn't provide any logs, so we have no idea of what is actually happening. 
Are they hanging up? Are you hanging up? Are they trying to rekey to you? The 
only thing we know is that this is ikev1, so it does not relate to rekeying 
without authentication.

>         keylife=        60m
>         ikelifetime=    480m

You could try and change these timings. A 1h IPsec SA lifetime is pretty short 
- usually these are kept at 8h or 24h. It does not matter too much other than 
that you can tweak these to determine who gets to initiate the rekeying 
(whoever has the shortest keylife).

But check your logs to see what is going on when the failure is happening.

Paul



From: Swan [mailto:swan-boun...@lists.libreswan.org] On Behalf Of Madden, Joe
Sent: 20 September 2016 16:54
To: swan@lists.libreswan.org
Subject: [Swan] Stronswan / Libreswan - Tunnel disconnects and becomes 
prospective erouted

Hi List,

Just trying to resolve an issue we have with VPNs disconnecting from a 
Stronswan client.

When I restart my end of the VPN the VPNs establish and operate fine. After a 
random amount of time with no apparent user action some of the VPN tunnels 
will become “prospective erouted”


Our configuration is:

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        #plutodebug="all"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/16
        #plutodebug=control
        oe=off
        # Enable this if you see "failed to find any available worker"
        # nhelpers=0

#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
include /etc/ipsec.d/*.conf

conn ssl-iptrafficsig-1
        authby=         secret
        auto=           start
        type=           tunnel
        nat_traversal=  yes
        forceencaps=    no
        rekeymargin=    3m
        keyingtries=    %forever
        keylife=        60m
        ikelifetime=    480m
        ikev2=          no

        #RTT
        left=           10.59.31.49
        leftsubnets=    {10.2.170.0/26,10.1.178.0/26,10.1.160.64/27,10.1.162.64/27,10.1.176.0/25,10.1.170.0/25,10.2.166.0/26,10.2.74.64/29,10.2.166.0/26,10.2.130.64/28,10.2.168.10/32,10.2.168.11/32,10.1.172.10/32,10.1.172.11/32}
        leftid=         193.195.162.135
        leftnexthop=    10.59.31.54
        leftsourceip=   10.59.31.49

        #SAA
        right=          52.48.93.253
        rightid=        52.48.93.253
        rightsubnet=    10.199.0.0/28
        ike=            aes256-sha2_256;modp2048
        phase2=         esp
        phase2alg=      aes256-sha2_256;modp2048
        pfs=            yes
        sha2_truncbug=  no

        #Dead Peer Detection
        dpdaction=      restart


Ipsec status shows:

000 "ssl-iptrafficsig-1/10x0": 
10.2.130.64/28===10.59.31.49<10.59.31.49>[LOCAL_END_HOST]---10.59.31.54...REMOTE_END_HOST<REMOTE_END_HOST>===10.199.0.0/28;
 erouted; eroute owner: #5
000 "ssl-iptrafficsig-1/10x0":     oriented; my_ip=10.59.31.49; their_ip=unset
000 "ssl-iptrafficsig-1/10x0":   xauth info: us:none, them:none,  
my_xauthuser=[any]; their_xauthuser=[any]
000 "ssl-iptrafficsig-1/10x0":   modecfg info: us:none, them:none, modecfg 
policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "ssl-iptrafficsig-1/10x0":   labeled_ipsec:no;
000 "ssl-iptrafficsig-1/10x0":   policy_label:unset;
000 "ssl-iptrafficsig-1/10x0":   ike_life: 28800s; ipsec_life: 3600s; 
rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0;
000 "ssl-iptrafficsig-1/10x0":   retransmit-interval: 500ms; 
retransmit-timeout: 60s;
000 "ssl-iptrafficsig-1/10x0":   sha2_truncbug:no; initial_contact:no; 
cisco_unity:no; send_vendorid:no;
000 "ssl-iptrafficsig-1/10x0":   policy: 
PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "ssl-iptrafficsig-1/10x0":   conn_prio: 28,28; interface: eth1; metric: 0; 
mtu: unset; sa_prio:auto; nflog-group: unset;
000 "ssl-iptrafficsig-1/10x0":   newest ISAKMP SA: #0; newest IPsec SA: #5;
000 "ssl-iptrafficsig-1/10x0":   aliases: ssl-iptrafficsig-1
000 "ssl-iptrafficsig-1/10x0":   IKE algorithms wanted: 
AES_CBC(7)_256-SHA2_256(4)_000-MODP2048(14)
000 "ssl-iptrafficsig-1/10x0":   IKE algorithms found:  
AES_CBC(7)_256-SHA2_256(4)_256-MODP2048(14)
000 "ssl-iptrafficsig-1/10x0":   ESP algorithms wanted: 
AES(12)_256-SHA2_256(5)_000; pfsgroup=MODP2048(14)
000 "ssl-iptrafficsig-1/10x0":   ESP algorithms loaded: 
AES(12)_256-SHA2_256(5)_000
000 "ssl-iptrafficsig-1/10x0":   ESP algorithm newest: AES_256-HMAC_SHA2_256; 
pfsgroup=MODP2048
000 "ssl-iptrafficsig-1/11x0": 
10.2.168.10/32===10.59.31.49<10.59.31.49>[LOCAL_END_HOST]---10.59.31.54...REMOTE_END_HOST<REMOTE_END_HOST>===10.199.0.0/28;
 erouted; eroute owner: #6
000 "ssl-iptrafficsig-1/11x0":     oriented; my_ip=10.59.31.49; their_ip=unset
000 "ssl-iptrafficsig-1/11x0":   xauth info: us:none, them:none,  
my_xauthuser=[any]; their_xauthuser=[any]
000 "ssl-iptrafficsig-1/11x0":   modecfg info: us:none, them:none, modecfg 
policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "ssl-iptrafficsig-1/11x0":   labeled_ipsec:no;
000 "ssl-iptrafficsig-1/11x0":   policy_label:unset;
000 "ssl-iptrafficsig-1/11x0":   ike_life: 28800s; ipsec_life: 3600s; 
rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0;
000 "ssl-iptrafficsig-1/11x0":   retransmit-interval: 500ms; 
retransmit-timeout: 60s;
000 "ssl-iptrafficsig-1/11x0":   sha2_truncbug:no; initial_contact:no; 
cisco_unity:no; send_vendorid:no;
000 "ssl-iptrafficsig-1/11x0":   policy: 
PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "ssl-iptrafficsig-1/11x0":   conn_prio: 32,28; interface: eth1; metric: 0; 
mtu: unset; sa_prio:auto; nflog-group: unset;
000 "ssl-iptrafficsig-1/11x0":   newest ISAKMP SA: #0; newest IPsec SA: #6;
000 "ssl-iptrafficsig-1/11x0":   aliases: ssl-iptrafficsig-1
000 "ssl-iptrafficsig-1/11x0":   IKE algorithms wanted: 
AES_CBC(7)_256-SHA2_256(4)_000-MODP2048(14)
000 "ssl-iptrafficsig-1/11x0":   IKE algorithms found:  
AES_CBC(7)_256-SHA2_256(4)_256-MODP2048(14)
000 "ssl-iptrafficsig-1/11x0":   ESP algorithms wanted: 
AES(12)_256-SHA2_256(5)_000; pfsgroup=MODP2048(14)
000 "ssl-iptrafficsig-1/11x0":   ESP algorithms loaded: 
AES(12)_256-SHA2_256(5)_000
000 "ssl-iptrafficsig-1/11x0":   ESP algorithm newest: AES_256-HMAC_SHA2_256; 
pfsgroup=MODP2048
000 "ssl-iptrafficsig-1/12x0": 
10.2.168.11/32===10.59.31.49<10.59.31.49>[LOCAL_END_HOST]---10.59.31.54...REMOTE_END_HOST<REMOTE_END_HOST>===10.199.0.0/28;
 erouted; eroute owner: #7
000 "ssl-iptrafficsig-1/12x0":     oriented; my_ip=10.59.31.49; their_ip=unset
000 "ssl-iptrafficsig-1/12x0":   xauth info: us:none, them:none,  
my_xauthuser=[any]; their_xauthuser=[any]
000 "ssl-iptrafficsig-1/12x0":   modecfg info: us:none, them:none, modecfg 
policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "ssl-iptrafficsig-1/12x0":   labeled_ipsec:no;
000 "ssl-iptrafficsig-1/12x0":   policy_label:unset;
000 "ssl-iptrafficsig-1/12x0":   ike_life: 28800s; ipsec_life: 3600s; 
rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0;
000 "ssl-iptrafficsig-1/12x0":   retransmit-interval: 500ms; 
retransmit-timeout: 60s;
000 "ssl-iptrafficsig-1/12x0":   sha2_truncbug:no; initial_contact:no; 
cisco_unity:no; send_vendorid:no;
000 "ssl-iptrafficsig-1/12x0":   policy: 
PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "ssl-iptrafficsig-1/12x0":   conn_prio: 32,28; interface: eth1; metric: 0; 
mtu: unset; sa_prio:auto; nflog-group: unset;
000 "ssl-iptrafficsig-1/12x0":   newest ISAKMP SA: #0; newest IPsec SA: #7;
000 "ssl-iptrafficsig-1/12x0":   aliases: ssl-iptrafficsig-1
000 "ssl-iptrafficsig-1/12x0":   IKE algorithms wanted: 
AES_CBC(7)_256-SHA2_256(4)_000-MODP2048(14)
000 "ssl-iptrafficsig-1/12x0":   IKE algorithms found:  
AES_CBC(7)_256-SHA2_256(4)_256-MODP2048(14)
000 "ssl-iptrafficsig-1/12x0":   ESP algorithms wanted: 
AES(12)_256-SHA2_256(5)_000; pfsgroup=MODP2048(14)
000 "ssl-iptrafficsig-1/12x0":   ESP algorithms loaded: 
AES(12)_256-SHA2_256(5)_000
000 "ssl-iptrafficsig-1/12x0":   ESP algorithm newest: AES_256-HMAC_SHA2_256; 
pfsgroup=MODP2048
000 "ssl-iptrafficsig-1/13x0": 
10.1.172.10/32===10.59.31.49<10.59.31.49>[LOCAL_END_HOST]---10.59.31.54...REMOTE_END_HOST<REMOTE_END_HOST>===10.199.0.0/28;
 erouted; eroute owner: #28
000 "ssl-iptrafficsig-1/13x0":     oriented; my_ip=10.59.31.49; their_ip=unset
000 "ssl-iptrafficsig-1/13x0":   xauth info: us:none, them:none,  
my_xauthuser=[any]; their_xauthuser=[any]
000 "ssl-iptrafficsig-1/13x0":   modecfg info: us:none, them:none, modecfg 
policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "ssl-iptrafficsig-1/13x0":   labeled_ipsec:no;
000 "ssl-iptrafficsig-1/13x0":   policy_label:unset;
000 "ssl-iptrafficsig-1/13x0":   ike_life: 28800s; ipsec_life: 3600s; 
rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0;
000 "ssl-iptrafficsig-1/13x0":   retransmit-interval: 500ms; 
retransmit-timeout: 60s;
000 "ssl-iptrafficsig-1/13x0":   sha2_truncbug:no; initial_contact:no; 
cisco_unity:no; send_vendorid:no;
000 "ssl-iptrafficsig-1/13x0":   policy: 
PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "ssl-iptrafficsig-1/13x0":   conn_prio: 32,28; interface: eth1; metric: 0; 
mtu: unset; sa_prio:auto; nflog-group: unset;
000 "ssl-iptrafficsig-1/13x0":   newest ISAKMP SA: #0; newest IPsec SA: #28;
000 "ssl-iptrafficsig-1/13x0":   aliases: ssl-iptrafficsig-1
000 "ssl-iptrafficsig-1/13x0":   IKE algorithms wanted: 
AES_CBC(7)_256-SHA2_256(4)_000-MODP2048(14)
000 "ssl-iptrafficsig-1/13x0":   IKE algorithms found:  
AES_CBC(7)_256-SHA2_256(4)_256-MODP2048(14)
000 "ssl-iptrafficsig-1/13x0":   ESP algorithms wanted: 
AES(12)_256-SHA2_256(5)_000; pfsgroup=MODP2048(14)
000 "ssl-iptrafficsig-1/13x0":   ESP algorithms loaded: 
AES(12)_256-SHA2_256(5)_000
000 "ssl-iptrafficsig-1/13x0":   ESP algorithm newest: AES_256-HMAC_SHA2_256; 
pfsgroup=MODP2048
000 "ssl-iptrafficsig-1/14x0": 
10.1.172.11/32===10.59.31.49<10.59.31.49>[LOCAL_END_HOST]---10.59.31.54...REMOTE_END_HOST<REMOTE_END_HOST>===10.199.0.0/28;
 erouted; eroute owner: #9
000 "ssl-iptrafficsig-1/14x0":     oriented; my_ip=10.59.31.49; their_ip=unset
000 "ssl-iptrafficsig-1/14x0":   xauth info: us:none, them:none,  
my_xauthuser=[any]; their_xauthuser=[any]
000 "ssl-iptrafficsig-1/14x0":   modecfg info: us:none, them:none, modecfg 
policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "ssl-iptrafficsig-1/14x0":   labeled_ipsec:no;
000 "ssl-iptrafficsig-1/14x0":   policy_label:unset;
000 "ssl-iptrafficsig-1/14x0":   ike_life: 28800s; ipsec_life: 3600s; 
rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0;
000 "ssl-iptrafficsig-1/14x0":   retransmit-interval: 500ms; 
retransmit-timeout: 60s;
000 "ssl-iptrafficsig-1/14x0":   sha2_truncbug:no; initial_contact:no; 
cisco_unity:no; send_vendorid:no;
000 "ssl-iptrafficsig-1/14x0":   policy: 
PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "ssl-iptrafficsig-1/14x0":   conn_prio: 32,28; interface: eth1; metric: 0; 
mtu: unset; sa_prio:auto; nflog-group: unset;
000 "ssl-iptrafficsig-1/14x0":   newest ISAKMP SA: #0; newest IPsec SA: #9;
000 "ssl-iptrafficsig-1/14x0":   aliases: ssl-iptrafficsig-1
000 "ssl-iptrafficsig-1/14x0":   IKE algorithms wanted: 
AES_CBC(7)_256-SHA2_256(4)_000-MODP2048(14)
000 "ssl-iptrafficsig-1/14x0":   IKE algorithms found:  
AES_CBC(7)_256-SHA2_256(4)_256-MODP2048(14)
000 "ssl-iptrafficsig-1/14x0":   ESP algorithms wanted: 
AES(12)_256-SHA2_256(5)_000; pfsgroup=MODP2048(14)
000 "ssl-iptrafficsig-1/14x0":   ESP algorithms loaded: 
AES(12)_256-SHA2_256(5)_000
000 "ssl-iptrafficsig-1/14x0":   ESP algorithm newest: AES_256-HMAC_SHA2_256; 
pfsgroup=MODP2048
000 "ssl-iptrafficsig-1/1x0": 
10.2.170.0/26===10.59.31.49<10.59.31.49>[LOCAL_END_HOST]---10.59.31.54...REMOTE_END_HOST<REMOTE_END_HOST>===10.199.0.0/28;
 erouted; eroute owner: #23
000 "ssl-iptrafficsig-1/1x0":     oriented; my_ip=10.59.31.49; their_ip=unset
000 "ssl-iptrafficsig-1/1x0":   xauth info: us:none, them:none,  
my_xauthuser=[any]; their_xauthuser=[any]
000 "ssl-iptrafficsig-1/1x0":   modecfg info: us:none, them:none, modecfg 
policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "ssl-iptrafficsig-1/1x0":   labeled_ipsec:no;
000 "ssl-iptrafficsig-1/1x0":   policy_label:unset;
000 "ssl-iptrafficsig-1/1x0":   ike_life: 28800s; ipsec_life: 3600s; 
rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0;
000 "ssl-iptrafficsig-1/1x0":   retransmit-interval: 500ms; retransmit-timeout: 
60s;
000 "ssl-iptrafficsig-1/1x0":   sha2_truncbug:no; initial_contact:no; 
cisco_unity:no; send_vendorid:no;
000 "ssl-iptrafficsig-1/1x0":   policy: 
PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "ssl-iptrafficsig-1/1x0":   conn_prio: 26,28; interface: eth1; metric: 0; 
mtu: unset; sa_prio:auto; nflog-group: unset;
000 "ssl-iptrafficsig-1/1x0":   newest ISAKMP SA: #0; newest IPsec SA: #23;
000 "ssl-iptrafficsig-1/1x0":   aliases: ssl-iptrafficsig-1
000 "ssl-iptrafficsig-1/1x0":   IKE algorithms wanted: 
AES_CBC(7)_256-SHA2_256(4)_000-MODP2048(14)
000 "ssl-iptrafficsig-1/1x0":   IKE algorithms found:  
AES_CBC(7)_256-SHA2_256(4)_256-MODP2048(14)
000 "ssl-iptrafficsig-1/1x0":   ESP algorithms wanted: 
AES(12)_256-SHA2_256(5)_000; pfsgroup=MODP2048(14)
000 "ssl-iptrafficsig-1/1x0":   ESP algorithms loaded: 
AES(12)_256-SHA2_256(5)_000
000 "ssl-iptrafficsig-1/1x0":   ESP algorithm newest: AES_256-HMAC_SHA2_256; 
pfsgroup=MODP2048
000 "ssl-iptrafficsig-1/2x0": 
10.1.178.0/26===10.59.31.49<10.59.31.49>[LOCAL_END_HOST]---10.59.31.54...REMOTE_END_HOST<REMOTE_END_HOST>===10.199.0.0/28;
 erouted; eroute owner: #26
000 "ssl-iptrafficsig-1/2x0":     oriented; my_ip=10.59.31.49; their_ip=unset
000 "ssl-iptrafficsig-1/2x0":   xauth info: us:none, them:none,  
my_xauthuser=[any]; their_xauthuser=[any]
000 "ssl-iptrafficsig-1/2x0":   modecfg info: us:none, them:none, modecfg 
policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "ssl-iptrafficsig-1/2x0":   labeled_ipsec:no;
000 "ssl-iptrafficsig-1/2x0":   policy_label:unset;
000 "ssl-iptrafficsig-1/2x0":   ike_life: 28800s; ipsec_life: 3600s; 
rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0;
000 "ssl-iptrafficsig-1/2x0":   retransmit-interval: 500ms; retransmit-timeout: 
60s;
000 "ssl-iptrafficsig-1/2x0":   sha2_truncbug:no; initial_contact:no; 
cisco_unity:no; send_vendorid:no;
000 "ssl-iptrafficsig-1/2x0":   policy: 
PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "ssl-iptrafficsig-1/2x0":   conn_prio: 26,28; interface: eth1; metric: 0; 
mtu: unset; sa_prio:auto; nflog-group: unset;
000 "ssl-iptrafficsig-1/2x0":   newest ISAKMP SA: #0; newest IPsec SA: #26;
000 "ssl-iptrafficsig-1/2x0":   aliases: ssl-iptrafficsig-1
000 "ssl-iptrafficsig-1/2x0":   IKE algorithms wanted: 
AES_CBC(7)_256-SHA2_256(4)_000-MODP2048(14)
000 "ssl-iptrafficsig-1/2x0":   IKE algorithms found:  
AES_CBC(7)_256-SHA2_256(4)_256-MODP2048(14)
000 "ssl-iptrafficsig-1/2x0":   ESP algorithms wanted: 
AES(12)_256-SHA2_256(5)_000; pfsgroup=MODP2048(14)
000 "ssl-iptrafficsig-1/2x0":   ESP algorithms loaded: 
AES(12)_256-SHA2_256(5)_000
000 "ssl-iptrafficsig-1/2x0":   ESP algorithm newest: AES_256-HMAC_SHA2_256; 
pfsgroup=MODP2048
000 "ssl-iptrafficsig-1/3x0": 
10.1.160.64/27===10.59.31.49<10.59.31.49>[LOCAL_END_HOST]---10.59.31.54...REMOTE_END_HOST<REMOTE_END_HOST>===10.199.0.0/28;
 erouted; eroute owner: #12
000 "ssl-iptrafficsig-1/3x0":     oriented; my_ip=10.59.31.49; their_ip=unset
000 "ssl-iptrafficsig-1/3x0":   xauth info: us:none, them:none,  
my_xauthuser=[any]; their_xauthuser=[any]
000 "ssl-iptrafficsig-1/3x0":   modecfg info: us:none, them:none, modecfg 
policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "ssl-iptrafficsig-1/3x0":   labeled_ipsec:no;
000 "ssl-iptrafficsig-1/3x0":   policy_label:unset;
000 "ssl-iptrafficsig-1/3x0":   ike_life: 28800s; ipsec_life: 3600s; 
rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0;
000 "ssl-iptrafficsig-1/3x0":   retransmit-interval: 500ms; retransmit-timeout: 
60s;
000 "ssl-iptrafficsig-1/3x0":   sha2_truncbug:no; initial_contact:no; 
cisco_unity:no; send_vendorid:no;
000 "ssl-iptrafficsig-1/3x0":   policy: 
PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "ssl-iptrafficsig-1/3x0":   conn_prio: 27,28; interface: eth1; metric: 0; 
mtu: unset; sa_prio:auto; nflog-group: unset;
000 "ssl-iptrafficsig-1/3x0":   newest ISAKMP SA: #0; newest IPsec SA: #12;
000 "ssl-iptrafficsig-1/3x0":   aliases: ssl-iptrafficsig-1
000 "ssl-iptrafficsig-1/3x0":   IKE algorithms wanted: 
AES_CBC(7)_256-SHA2_256(4)_000-MODP2048(14)
000 "ssl-iptrafficsig-1/3x0":   IKE algorithms found:  
AES_CBC(7)_256-SHA2_256(4)_256-MODP2048(14)
000 "ssl-iptrafficsig-1/3x0":   ESP algorithms wanted: 
AES(12)_256-SHA2_256(5)_000; pfsgroup=MODP2048(14)
000 "ssl-iptrafficsig-1/3x0":   ESP algorithms loaded: 
AES(12)_256-SHA2_256(5)_000
000 "ssl-iptrafficsig-1/3x0":   ESP algorithm newest: AES_256-HMAC_SHA2_256; 
pfsgroup=MODP2048
000 "ssl-iptrafficsig-1/4x0": 
10.1.162.64/27===10.59.31.49<10.59.31.49>[LOCAL_END_HOST]---10.59.31.54...REMOTE_END_HOST<REMOTE_END_HOST>===10.199.0.0/28;
 erouted; eroute owner: #13
000 "ssl-iptrafficsig-1/4x0":     oriented; my_ip=10.59.31.49; their_ip=unset
000 "ssl-iptrafficsig-1/4x0":   xauth info: us:none, them:none,  
my_xauthuser=[any]; their_xauthuser=[any]
000 "ssl-iptrafficsig-1/4x0":   modecfg info: us:none, them:none, modecfg 
policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "ssl-iptrafficsig-1/4x0":   labeled_ipsec:no;
000 "ssl-iptrafficsig-1/4x0":   policy_label:unset;
000 "ssl-iptrafficsig-1/4x0":   ike_life: 28800s; ipsec_life: 3600s; 
rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0;
000 "ssl-iptrafficsig-1/4x0":   retransmit-interval: 500ms; retransmit-timeout: 
60s;
000 "ssl-iptrafficsig-1/4x0":   sha2_truncbug:no; initial_contact:no; 
cisco_unity:no; send_vendorid:no;
000 "ssl-iptrafficsig-1/4x0":   policy: 
PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "ssl-iptrafficsig-1/4x0":   conn_prio: 27,28; interface: eth1; metric: 0; 
mtu: unset; sa_prio:auto; nflog-group: unset;
000 "ssl-iptrafficsig-1/4x0":   newest ISAKMP SA: #0; newest IPsec SA: #13;
000 "ssl-iptrafficsig-1/4x0":   aliases: ssl-iptrafficsig-1
000 "ssl-iptrafficsig-1/4x0":   IKE algorithms wanted: 
AES_CBC(7)_256-SHA2_256(4)_000-MODP2048(14)
000 "ssl-iptrafficsig-1/4x0":   IKE algorithms found:  
AES_CBC(7)_256-SHA2_256(4)_256-MODP2048(14)
000 "ssl-iptrafficsig-1/4x0":   ESP algorithms wanted: 
AES(12)_256-SHA2_256(5)_000; pfsgroup=MODP2048(14)
000 "ssl-iptrafficsig-1/4x0":   ESP algorithms loaded: 
AES(12)_256-SHA2_256(5)_000
000 "ssl-iptrafficsig-1/4x0":   ESP algorithm newest: AES_256-HMAC_SHA2_256; 
pfsgroup=MODP2048
000 "ssl-iptrafficsig-1/5x0": 
10.1.176.0/25===10.59.31.49<10.59.31.49>[LOCAL_END_HOST]---10.59.31.54...REMOTE_END_HOST<REMOTE_END_HOST>===10.199.0.0/28;
 erouted; eroute owner: #14
000 "ssl-iptrafficsig-1/5x0":     oriented; my_ip=10.59.31.49; their_ip=unset
000 "ssl-iptrafficsig-1/5x0":   xauth info: us:none, them:none,  
my_xauthuser=[any]; their_xauthuser=[any]
000 "ssl-iptrafficsig-1/5x0":   modecfg info: us:none, them:none, modecfg 
policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "ssl-iptrafficsig-1/5x0":   labeled_ipsec:no;
000 "ssl-iptrafficsig-1/5x0":   policy_label:unset;
000 "ssl-iptrafficsig-1/5x0":   ike_life: 28800s; ipsec_life: 3600s; 
rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0;
000 "ssl-iptrafficsig-1/5x0":   retransmit-interval: 500ms; retransmit-timeout: 
60s;
000 "ssl-iptrafficsig-1/5x0":   sha2_truncbug:no; initial_contact:no; 
cisco_unity:no; send_vendorid:no;
000 "ssl-iptrafficsig-1/5x0":   policy: 
PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "ssl-iptrafficsig-1/5x0":   conn_prio: 25,28; interface: eth1; metric: 0; 
mtu: unset; sa_prio:auto; nflog-group: unset;
000 "ssl-iptrafficsig-1/5x0":   newest ISAKMP SA: #0; newest IPsec SA: #14;
000 "ssl-iptrafficsig-1/5x0":   aliases: ssl-iptrafficsig-1
000 "ssl-iptrafficsig-1/5x0":   IKE algorithms wanted: 
AES_CBC(7)_256-SHA2_256(4)_000-MODP2048(14)
000 "ssl-iptrafficsig-1/5x0":   IKE algorithms found:  
AES_CBC(7)_256-SHA2_256(4)_256-MODP2048(14)
000 "ssl-iptrafficsig-1/5x0":   ESP algorithms wanted: 
AES(12)_256-SHA2_256(5)_000; pfsgroup=MODP2048(14)
000 "ssl-iptrafficsig-1/5x0":   ESP algorithms loaded: 
AES(12)_256-SHA2_256(5)_000
000 "ssl-iptrafficsig-1/5x0":   ESP algorithm newest: AES_256-HMAC_SHA2_256; 
pfsgroup=MODP2048
000 "ssl-iptrafficsig-1/6x0": 
10.1.170.0/25===10.59.31.49<10.59.31.49>[LOCAL_END_HOST]---10.59.31.54...REMOTE_END_HOST<REMOTE_END_HOST>===10.199.0.0/28;
 erouted; eroute owner: #27
000 "ssl-iptrafficsig-1/6x0":     oriented; my_ip=10.59.31.49; their_ip=unset
000 "ssl-iptrafficsig-1/6x0":   xauth info: us:none, them:none,  
my_xauthuser=[any]; their_xauthuser=[any]
000 "ssl-iptrafficsig-1/6x0":   modecfg info: us:none, them:none, modecfg 
policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "ssl-iptrafficsig-1/6x0":   labeled_ipsec:no;
000 "ssl-iptrafficsig-1/6x0":   policy_label:unset;
000 "ssl-iptrafficsig-1/6x0":   ike_life: 28800s; ipsec_life: 3600s; 
rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0;
000 "ssl-iptrafficsig-1/6x0":   retransmit-interval: 500ms; retransmit-timeout: 
60s;
000 "ssl-iptrafficsig-1/6x0":   sha2_truncbug:no; initial_contact:no; 
cisco_unity:no; send_vendorid:no;
000 "ssl-iptrafficsig-1/6x0":   policy: 
PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "ssl-iptrafficsig-1/6x0":   conn_prio: 25,28; interface: eth1; metric: 0; 
mtu: unset; sa_prio:auto; nflog-group: unset;
000 "ssl-iptrafficsig-1/6x0":   newest ISAKMP SA: #0; newest IPsec SA: #27;
000 "ssl-iptrafficsig-1/6x0":   aliases: ssl-iptrafficsig-1
000 "ssl-iptrafficsig-1/6x0":   IKE algorithms wanted: 
AES_CBC(7)_256-SHA2_256(4)_000-MODP2048(14)
000 "ssl-iptrafficsig-1/6x0":   IKE algorithms found:  
AES_CBC(7)_256-SHA2_256(4)_256-MODP2048(14)
000 "ssl-iptrafficsig-1/6x0":   ESP algorithms wanted: 
AES(12)_256-SHA2_256(5)_000; pfsgroup=MODP2048(14)
000 "ssl-iptrafficsig-1/6x0":   ESP algorithms loaded: 
AES(12)_256-SHA2_256(5)_000
000 "ssl-iptrafficsig-1/6x0":   ESP algorithm newest: AES_256-HMAC_SHA2_256; 
pfsgroup=MODP2048
000 "ssl-iptrafficsig-1/7x0": 
10.2.166.0/26===10.59.31.49<10.59.31.49>[LOCAL_END_HOST]---10.59.31.54...REMOTE_END_HOST<REMOTE_END_HOST>===10.199.0.0/28;
 erouted; eroute owner: #16
000 "ssl-iptrafficsig-1/7x0":     oriented; my_ip=10.59.31.49; their_ip=unset
000 "ssl-iptrafficsig-1/7x0":   xauth info: us:none, them:none,  
my_xauthuser=[any]; their_xauthuser=[any]
000 "ssl-iptrafficsig-1/7x0":   modecfg info: us:none, them:none, modecfg 
policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "ssl-iptrafficsig-1/7x0":   labeled_ipsec:no;
000 "ssl-iptrafficsig-1/7x0":   policy_label:unset;
000 "ssl-iptrafficsig-1/7x0":   ike_life: 28800s; ipsec_life: 3600s; 
rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0;
000 "ssl-iptrafficsig-1/7x0":   retransmit-interval: 500ms; retransmit-timeout: 
60s;
000 "ssl-iptrafficsig-1/7x0":   sha2_truncbug:no; initial_contact:no; 
cisco_unity:no; send_vendorid:no;
000 "ssl-iptrafficsig-1/7x0":   policy: 
PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "ssl-iptrafficsig-1/7x0":   conn_prio: 26,28; interface: eth1; metric: 0; 
mtu: unset; sa_prio:auto; nflog-group: unset;
000 "ssl-iptrafficsig-1/7x0":   newest ISAKMP SA: #0; newest IPsec SA: #16;
000 "ssl-iptrafficsig-1/7x0":   aliases: ssl-iptrafficsig-1
000 "ssl-iptrafficsig-1/7x0":   IKE algorithms wanted: 
AES_CBC(7)_256-SHA2_256(4)_000-MODP2048(14)
000 "ssl-iptrafficsig-1/7x0":   IKE algorithms found:  
AES_CBC(7)_256-SHA2_256(4)_256-MODP2048(14)
000 "ssl-iptrafficsig-1/7x0":   ESP algorithms wanted: 
AES(12)_256-SHA2_256(5)_000; pfsgroup=MODP2048(14)
000 "ssl-iptrafficsig-1/7x0":   ESP algorithms loaded: 
AES(12)_256-SHA2_256(5)_000
000 "ssl-iptrafficsig-1/7x0":   ESP algorithm newest: AES_256-HMAC_SHA2_256; 
pfsgroup=MODP2048
000 "ssl-iptrafficsig-1/8x0": 
10.2.74.64/29===10.59.31.49<10.59.31.49>[LOCAL_END_HOST]---10.59.31.54...REMOTE_END_HOST<REMOTE_END_HOST>===10.199.0.0/28;
 erouted; eroute owner: #17
000 "ssl-iptrafficsig-1/8x0":     oriented; my_ip=10.59.31.49; their_ip=unset
000 "ssl-iptrafficsig-1/8x0":   xauth info: us:none, them:none,  
my_xauthuser=[any]; their_xauthuser=[any]
000 "ssl-iptrafficsig-1/8x0":   modecfg info: us:none, them:none, modecfg 
policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "ssl-iptrafficsig-1/8x0":   labeled_ipsec:no;
000 "ssl-iptrafficsig-1/8x0":   policy_label:unset;
000 "ssl-iptrafficsig-1/8x0":   ike_life: 28800s; ipsec_life: 3600s; 
rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0;
000 "ssl-iptrafficsig-1/8x0":   retransmit-interval: 500ms; retransmit-timeout: 
60s;
000 "ssl-iptrafficsig-1/8x0":   sha2_truncbug:no; initial_contact:no; 
cisco_unity:no; send_vendorid:no;
000 "ssl-iptrafficsig-1/8x0":   policy: 
PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "ssl-iptrafficsig-1/8x0":   conn_prio: 29,28; interface: eth1; metric: 0; 
mtu: unset; sa_prio:auto; nflog-group: unset;
000 "ssl-iptrafficsig-1/8x0":   newest ISAKMP SA: #0; newest IPsec SA: #17;
000 "ssl-iptrafficsig-1/8x0":   aliases: ssl-iptrafficsig-1
000 "ssl-iptrafficsig-1/8x0":   IKE algorithms wanted: 
AES_CBC(7)_256-SHA2_256(4)_000-MODP2048(14)
000 "ssl-iptrafficsig-1/8x0":   IKE algorithms found:  
AES_CBC(7)_256-SHA2_256(4)_256-MODP2048(14)
000 "ssl-iptrafficsig-1/8x0":   ESP algorithms wanted: 
AES(12)_256-SHA2_256(5)_000; pfsgroup=MODP2048(14)
000 "ssl-iptrafficsig-1/8x0":   ESP algorithms loaded: 
AES(12)_256-SHA2_256(5)_000
000 "ssl-iptrafficsig-1/8x0":   ESP algorithm newest: AES_256-HMAC_SHA2_256; 
pfsgroup=MODP2048
000 "ssl-iptrafficsig-1/9x0": 
10.2.166.0/26===10.59.31.49<10.59.31.49>[LOCAL_END_HOST]---10.59.31.54...REMOTE_END_HOST<REMOTE_END_HOST>===10.199.0.0/28;
 unrouted; eroute owner: #0
000 "ssl-iptrafficsig-1/9x0":     oriented; my_ip=10.59.31.49; their_ip=unset
000 "ssl-iptrafficsig-1/9x0":   xauth info: us:none, them:none,  
my_xauthuser=[any]; their_xauthuser=[any]
000 "ssl-iptrafficsig-1/9x0":   modecfg info: us:none, them:none, modecfg 
policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "ssl-iptrafficsig-1/9x0":   labeled_ipsec:no;
000 "ssl-iptrafficsig-1/9x0":   policy_label:unset;
000 "ssl-iptrafficsig-1/9x0":   ike_life: 28800s; ipsec_life: 3600s; 
rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0;
000 "ssl-iptrafficsig-1/9x0":   retransmit-interval: 500ms; retransmit-timeout: 
60s;
000 "ssl-iptrafficsig-1/9x0":   sha2_truncbug:no; initial_contact:no; 
cisco_unity:no; send_vendorid:no;
000 "ssl-iptrafficsig-1/9x0":   policy: 
PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "ssl-iptrafficsig-1/9x0":   conn_prio: 26,28; interface: eth1; metric: 0; 
mtu: unset; sa_prio:auto; nflog-group: unset;
000 "ssl-iptrafficsig-1/9x0":   newest ISAKMP SA: #1; newest IPsec SA: #0;
000 "ssl-iptrafficsig-1/9x0":   aliases: ssl-iptrafficsig-1
000 "ssl-iptrafficsig-1/9x0":   IKE algorithms wanted: 
AES_CBC(7)_256-SHA2_256(4)_000-MODP2048(14)
000 "ssl-iptrafficsig-1/9x0":   IKE algorithms found:  
AES_CBC(7)_256-SHA2_256(4)_256-MODP2048(14)
000 "ssl-iptrafficsig-1/9x0":   IKE algorithm newest: 
AES_CBC_256-SHA2_256-MODP2048
000 "ssl-iptrafficsig-1/9x0":   ESP algorithms wanted: 
AES(12)_256-SHA2_256(5)_000; pfsgroup=MODP2048(14)
000 "ssl-iptrafficsig-1/9x0":   ESP algorithms loaded: 
AES(12)_256-SHA2_256(5)_000

000 Total IPsec connections: loaded 18, active 15
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(3), half-open(0), open(0), authenticated(3), anonymous(0)
000 IPsec SAs: total(20), authenticated(20), anonymous(0)
000
000 #5: "ssl-iptrafficsig-1/10x0":4500 STATE_QUICK_I2 (sent QI2, IPsec SA 
established); EVENT_SA_REPLACE in 2458s; newest IPSEC; eroute owner; isakmp#1; 
idle; import:admin initiate
000 #5: "ssl-iptrafficsig-1/10x0" esp.c12547a1@REMOTE_END_HOST 
esp.fba10b48@10.59.31.49 tun.0@REMOTE_END_HOST tun.0@10.59.31.49 ref=0 
refhim=4294901761 Traffic: ESPout=0B ESPin=0B! ESPmax=4194303B
000 #6: "ssl-iptrafficsig-1/11x0":4500 STATE_QUICK_I2 (sent QI2, IPsec SA 
established); EVENT_SA_REPLACE in 2354s; newest IPSEC; eroute owner; isakmp#1; 
idle; import:admin initiate
000 #6: "ssl-iptrafficsig-1/11x0" esp.cc9e62a8@REMOTE_END_HOST 
esp.858910c8@10.59.31.49 tun.0@REMOTE_END_HOST tun.0@10.59.31.49 ref=0 
refhim=4294901761 Traffic: ESPout=0B ESPin=0B! ESPmax=4194303B
000 #7: "ssl-iptrafficsig-1/12x0":4500 STATE_QUICK_I2 (sent QI2, IPsec SA 
established); EVENT_SA_REPLACE in 2419s; newest IPSEC; eroute owner; isakmp#1; 
idle; import:admin initiate
000 #7: "ssl-iptrafficsig-1/12x0" esp.c5799a78@REMOTE_END_HOST 
esp.5705a8e8@10.59.31.49 tun.0@REMOTE_END_HOST tun.0@10.59.31.49 ref=0 
refhim=4294901761 Traffic: ESPout=0B ESPin=0B! ESPmax=4194303B
000 #28: "ssl-iptrafficsig-1/13x0":4500 STATE_QUICK_I2 (sent QI2, IPsec SA 
established); EVENT_SA_REPLACE in 2552s; newest IPSEC; eroute owner; isakmp#1; 
idle; import:admin initiate
000 #28: "ssl-iptrafficsig-1/13x0" esp.c6f6d061@REMOTE_END_HOST 
esp.9672692a@10.59.31.49 tun.0@REMOTE_END_HOST tun.0@10.59.31.49 ref=0 
refhim=4294901761 Traffic: ESPout=0B ESPin=0B! ESPmax=4194303B
000 #9: "ssl-iptrafficsig-1/14x0":4500 STATE_QUICK_I2 (sent QI2, IPsec SA 
established); EVENT_SA_REPLACE in 2406s; newest IPSEC; eroute owner; isakmp#1; 
idle; import:admin initiate
000 #9: "ssl-iptrafficsig-1/14x0" esp.c4c54e51@REMOTE_END_HOST 
esp.b1174378@10.59.31.49 tun.0@REMOTE_END_HOST tun.0@10.59.31.49 ref=0 
refhim=4294901761 Traffic: ESPout=0B ESPin=0B! ESPmax=4194303B
000 #23: "ssl-iptrafficsig-1/1x0":4500 STATE_QUICK_I2 (sent QI2, IPsec SA 
established); EVENT_SA_REPLACE in 2518s; newest IPSEC; eroute owner; isakmp#1; 
idle; import:admin initiate
000 #23: "ssl-iptrafficsig-1/1x0" esp.c98a55c4@REMOTE_END_HOST 
esp.7c7e290f@10.59.31.49 tun.0@REMOTE_END_HOST tun.0@10.59.31.49 ref=0 
refhim=4294901761 Traffic: ESPout=58KB ESPin=567KB! ESPmax=4194303B
000 #20: "ssl-iptrafficsig-1/1x0":4500 STATE_QUICK_I2 (sent QI2, IPsec SA 
established); EVENT_SA_REPLACE in 2411s; isakmp#1; idle; import:admin initiate
000 #20: "ssl-iptrafficsig-1/1x0" esp.c401c664@REMOTE_END_HOST 
esp.5ec26044@10.59.31.49 tun.0@REMOTE_END_HOST tun.0@10.59.31.49 ref=0 
refhim=4294901761 Traffic: ESPout=0B ESPin=0B! ESPmax=4194303B
000 #19: "ssl-iptrafficsig-1/1x0":4500 STATE_QUICK_I2 (sent QI2, IPsec SA 
established); EVENT_SA_REPLACE in 2405s; isakmp#1; idle; import:admin initiate
000 #19: "ssl-iptrafficsig-1/1x0" esp.ce619448@REMOTE_END_HOST 
esp.6ac57625@10.59.31.49 tun.0@REMOTE_END_HOST tun.0@10.59.31.49 ref=0 
refhim=4294901761 Traffic: ESPout=2KB ESPin=2KB! ESPmax=4194303B
000 #10: "ssl-iptrafficsig-1/1x0":4500 STATE_QUICK_I2 (sent QI2, IPsec SA 
established); EVENT_SA_REPLACE in 2454s; isakmp#1; idle; import:admin initiate
000 #10: "ssl-iptrafficsig-1/1x0" esp.c27d9a00@REMOTE_END_HOST 
esp.9ea667fc@10.59.31.49 tun.0@REMOTE_END_HOST tun.0@10.59.31.49 ref=0 
refhim=4294901761 Traffic: ESPout=2KB ESPin=1KB! ESPmax=4194303B
000 #26: "ssl-iptrafficsig-1/2x0":4500 STATE_QUICK_I2 (sent QI2, IPsec SA 
established); EVENT_SA_REPLACE in 2556s; newest IPSEC; eroute owner; isakmp#1; 
idle; import:admin initiate
000 #26: "ssl-iptrafficsig-1/2x0" esp.c5e48b50@REMOTE_END_HOST 
esp.ce80491d@10.59.31.49 tun.0@REMOTE_END_HOST tun.0@10.59.31.49 ref=0 
refhim=4294901761 Traffic: ESPout=39KB ESPin=1MB! ESPmax=4194303B
000 #12: "ssl-iptrafficsig-1/3x0":4500 STATE_QUICK_I2 (sent QI2, IPsec SA 
established); EVENT_SA_REPLACE in 2469s; newest IPSEC; eroute owner; isakmp#1; 
idle; import:admin initiate
000 #12: "ssl-iptrafficsig-1/3x0" esp.c13c907e@REMOTE_END_HOST 
esp.1469cbba@10.59.31.49 tun.0@REMOTE_END_HOST tun.0@10.59.31.49 ref=0 
refhim=4294901761 Traffic: ESPout=0B ESPin=2MB! ESPmax=4194303B
000 #13: "ssl-iptrafficsig-1/4x0":4500 STATE_QUICK_I2 (sent QI2, IPsec SA 
established); EVENT_SA_REPLACE in 2479s; newest IPSEC; eroute owner; isakmp#1; 
idle; import:admin initiate
000 #13: "ssl-iptrafficsig-1/4x0" esp.cc814da7@REMOTE_END_HOST 
esp.162df46b@10.59.31.49 tun.0@REMOTE_END_HOST tun.0@10.59.31.49 ref=0 
refhim=4294901761 Traffic: ESPout=122KB ESPin=1MB! ESPmax=4194303B
000 #22: "ssl-iptrafficsig-1/5x0":4500 STATE_QUICK_I2 (sent QI2, IPsec SA 
established); EVENT_SA_REPLACE in 2380s; isakmp#1; idle; import:admin initiate
000 #22: "ssl-iptrafficsig-1/5x0" esp.cb7b9074@REMOTE_END_HOST 
esp.3554ede3@10.59.31.49 tun.0@REMOTE_END_HOST tun.0@10.59.31.49 ref=0 
refhim=4294901761 Traffic: ESPout=372B ESPin=340B! ESPmax=4194303B
000 #14: "ssl-iptrafficsig-1/5x0":4500 STATE_QUICK_I2 (sent QI2, IPsec SA 
established); EVENT_SA_REPLACE in 2348s; newest IPSEC; eroute owner; isakmp#1; 
idle; import:admin initiate
000 #14: "ssl-iptrafficsig-1/5x0" esp.c9255d9a@REMOTE_END_HOST 
esp.8857fbd4@10.59.31.49 tun.0@REMOTE_END_HOST tun.0@10.59.31.49 ref=0 
refhim=4294901761 Traffic: ESPout=12KB ESPin=122KB! ESPmax=4194303B
000 #27: "ssl-iptrafficsig-1/6x0":4500 STATE_QUICK_I2 (sent QI2, IPsec SA 
established); EVENT_SA_REPLACE in 2436s; newest IPSEC; eroute owner; isakmp#1; 
idle; import:admin initiate
000 #27: "ssl-iptrafficsig-1/6x0" esp.c6ad61ed@REMOTE_END_HOST 
esp.db4b3c21@10.59.31.49 tun.0@REMOTE_END_HOST tun.0@10.59.31.49 ref=0 
refhim=4294901761 Traffic: ESPout=0B ESPin=0B! ESPmax=4194303B
000 #16: "ssl-iptrafficsig-1/7x0":4500 STATE_QUICK_I2 (sent QI2, IPsec SA 
established); EVENT_SA_REPLACE in 2483s; newest IPSEC; eroute owner; isakmp#1; 
idle; import:admin initiate
000 #16: "ssl-iptrafficsig-1/7x0" esp.c3e42509@REMOTE_END_HOST 
esp.6a2fd0a8@10.59.31.49 tun.0@REMOTE_END_HOST tun.0@10.59.31.49 ref=0 
refhim=4294901761 Traffic: ESPout=0B ESPin=0B! ESPmax=4194303B
000 #17: "ssl-iptrafficsig-1/8x0":4500 STATE_QUICK_I2 (sent QI2, IPsec SA 
established); EVENT_SA_REPLACE in 2355s; newest IPSEC; eroute owner; isakmp#1; 
idle; import:admin initiate
000 #17: "ssl-iptrafficsig-1/8x0" esp.c80847c0@REMOTE_END_HOST 
esp.a2ed620@10.59.31.49 tun.0@REMOTE_END_HOST tun.0@10.59.31.49 ref=0 
refhim=4294901761 Traffic: ESPout=10KB ESPin=98KB! ESPmax=4194303B
000 #1: "ssl-iptrafficsig-1/9x0":4500 STATE_MAIN_I4 (ISAKMP SA established); 
EVENT_SA_REPLACE in 27574s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; 
import:admin initiate
000
000 Bare Shunt list:
000

Hoping someone has seen some behaviour like this before. I have other clients 
on this VPN with no issues; therefore I suspect it’s an issue with the 
strongswan instance.

Thanks

Joe
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
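
An added example (not part of the original post and not libreswan code): a small parser for status output in the wrapped format shown above. It groups established IPsec SAs per connection, reports which SA is marked "newest IPSEC", whether that SA has zero traffic counters in both directions, and which older SAs are still listed. The connection names and peer in the sample are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the wrapped format shown above; names and hosts are placeholders.
SAMPLE = """\
000 #23: "demo/1x0":4500 STATE_QUICK_I2 (sent QI2, IPsec SA
established); EVENT_SA_REPLACE in 2518s; newest IPSEC; eroute owner; isakmp#1
000 #23: "demo/1x0" esp.aaaa0001@PEER Traffic: ESPout=58KB ESPin=567KB! ESPmax=4194303B
000 #20: "demo/1x0":4500 STATE_QUICK_I2 (sent QI2, IPsec SA
established); EVENT_SA_REPLACE in 2411s; isakmp#1; idle
000 #20: "demo/1x0" esp.aaaa0002@PEER Traffic: ESPout=0B ESPin=0B! ESPmax=4194303B
000 #6: "demo/2x0":4500 STATE_QUICK_I2 (sent QI2, IPsec SA
established); EVENT_SA_REPLACE in 2354s; newest IPSEC; eroute owner; isakmp#1
000 #6: "demo/2x0" esp.aaaa0003@PEER Traffic: ESPout=0B ESPin=0B! ESPmax=4194303B
000 #1: "demo/2x0":4500 STATE_MAIN_I4 (ISAKMP SA established); newest ISAKMP; idle
"""

STATE = re.compile(r'^000 #(\d+): "([^"]+)":\d+ STATE_QUICK_\w+')
TRAFFIC = re.compile(r'^000 #(\d+): "([^"]+)" esp\..*ESPout=(\w+) ESPin=(\w+)')

def unwrap(text):
    """Rejoin e-mail-wrapped lines: every real status line starts with '000'."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("000") or not records:
            records.append(line)
        elif line:
            records[-1] += " " + line
    return records

def summarize(text):
    """Group established IPsec SAs by connection: newest SA, its idleness, older SAs."""
    sas = {}
    for rec in unwrap(text):
        if m := STATE.match(rec):
            sas.setdefault(m[1], {"conn": m[2]})["newest"] = "newest IPSEC" in rec
        elif m := TRAFFIC.match(rec):
            sas.setdefault(m[1], {"conn": m[2]})["idle"] = (m[3], m[4]) == ("0B", "0B")
    conns = defaultdict(lambda: {"newest": None, "newest_idle": None, "older": []})
    for sa_id, sa in sas.items():
        if sa.get("newest"):
            conns[sa["conn"]].update(newest=sa_id, newest_idle=sa.get("idle"))
        else:
            conns[sa["conn"]]["older"].append(sa_id)
    return dict(conns)

if __name__ == "__main__":
    for conn, info in summarize(SAMPLE).items():
        print(conn, info)
```

Running the same summary on both peers' status output gives a per-connection view that can be compared side by side when the two ends disagree about which tunnels are up.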
