Hi. I have (again ;) ) some problems with my strongswan. It seems to go crazy after some time running.
It's basically the same configuration as described here https://lists.strongswan.org/pipermail/users/2010-October/005328.html, just with ike = esp = aes256-sha1-modp2048! now and one host having auto = start while the other having auto = add.

For some time after I started it (ipsec start) on both everything seems to be ok. There is one connection (AFAIU):

# ipsec status
Security Associations:
kronecker.scientia.net[1]: ESTABLISHED 4 minutes ago, 84.16.235.61[C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications and Networking, CN=hilbert.scientia.net]...77.37.6.134[C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications and Networking, CN=kronecker.scientia.net]
kronecker.scientia.net{1}: INSTALLED, TUNNEL, ESP SPIs: c9c91468_i c5585f86_o
kronecker.scientia.net{1}: 84.16.235.61/32 === 77.37.6.134/32

And dpd INFORMAL packets are sent every 30s (as configured):

Oct 4 11:40:59 hilbert charon: 16[NET] received packet: from 77.37.6.134[4500] to 84.16.235.61[4500]
Oct 4 11:40:59 hilbert charon: 16[ENC] parsed INFORMATIONAL request 4 [ ]
Oct 4 11:40:59 hilbert charon: 16[ENC] generating INFORMATIONAL response 4 [ ]
Oct 4 11:40:59 hilbert charon: 16[NET] sending packet: from 84.16.235.61[4500] to 77.37.6.134[4500]
Oct 4 11:41:29 hilbert charon: 01[NET] received packet: from 77.37.6.134[4500] to 84.16.235.61[4500]
Oct 4 11:41:29 hilbert charon: 01[ENC] parsed INFORMATIONAL request 5 [ ]
Oct 4 11:41:29 hilbert charon: 01[ENC] generating INFORMATIONAL response 5 [ ]
Oct 4 11:41:29 hilbert charon: 01[NET] sending packet: from 84.16.235.61[4500] to 77.37.6.134[4500]

btw: I do not understand why port 4500 is used. I shouldn't have a NATed setup.
Only the first

Oct 4 11:37:36 hilbert charon: 12[NET] sending packet: from 84.16.235.61[500] to 77.37.6.134[500]
Oct 4 11:37:37 hilbert charon: 15[NET] received packet: from 77.37.6.134[500] to 84.16.235.61[500]
Oct 4 11:37:37 hilbert charon: 15[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]

seems to use port 500.

Nevertheless. After some time (an hour or so) the following seems to happen:
- INFORMAL messages are sent much more often (as far as I can see several times per second)
- New connections are established (__many__ times per second)
- charon eats up about 10% of my CPU then.

The following seems to be "about" the point where the evil starts (but INFORMAL messages frequency is already much higher than 30s there).

################################################################################
Oct 4 05:58:07 hilbert charon: 16[ENC] parsed INFORMATIONAL request 267 [ ]
Oct 4 05:58:07 hilbert charon: 16[ENC] generating INFORMATIONAL response 267 [ ]
Oct 4 05:58:07 hilbert charon: 16[NET] sending packet: from 84.16.235.61[4500] to 77.37.6.134[4500]
Oct 4 05:58:18 hilbert charon: 08[NET] received packet: from 77.37.6.134[4500] to 84.16.235.61[4500]
Oct 4 05:58:18 hilbert charon: 08[ENC] parsed INFORMATIONAL request 223 [ ]
Oct 4 05:58:18 hilbert charon: 08[ENC] generating INFORMATIONAL response 223 [ ]
Oct 4 05:58:18 hilbert charon: 08[NET] sending packet: from 84.16.235.61[4500] to 77.37.6.134[4500]
Oct 4 05:58:28 hilbert charon: 12[NET] received packet: from 77.37.6.134[4500] to 84.16.235.61[4500]
Oct 4 05:58:28 hilbert charon: 12[ENC] parsed INFORMATIONAL request 268 [ D ]
Oct 4 05:58:28 hilbert charon: 12[IKE] received DELETE for IKE_SA kronecker.scientia.net[2]
Oct 4 05:58:28 hilbert charon: 12[IKE] deleting IKE_SA kronecker.scientia.net[2] between 84.16.235.61[C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Co
Oct 4 05:58:28 hilbert charon: 12[IKE] restarting CHILD_SA kronecker.scientia.net
Oct 4 05:58:28 hilbert charon: 12[IKE] initiating IKE_SA kronecker.scientia.net[4] to 77.37.6.134
Oct 4 05:58:28 hilbert charon: 12[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct 4 05:58:28 hilbert charon: 12[NET] sending packet: from 84.16.235.61[500] to 77.37.6.134[500]
Oct 4 05:58:28 hilbert charon: 12[IKE] IKE_SA deleted
Oct 4 05:58:28 hilbert charon: 12[ENC] generating INFORMATIONAL response 268 [ ]
Oct 4 05:58:28 hilbert charon: 12[NET] sending packet: from 84.16.235.61[4500] to 77.37.6.134[4500]
Oct 4 05:58:28 hilbert charon: 03[NET] received packet: from 77.37.6.134[500] to 84.16.235.61[500]
Oct 4 05:58:28 hilbert charon: 03[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct 4 05:58:28 hilbert charon: 03[IKE] 77.37.6.134 is initiating an IKE_SA
Oct 4 05:58:28 hilbert charon: 03[IKE] sending cert request for "C=DE, ST=Freistaat Bayern, L=M?nchen, O=scientia.net, OU=Communications and Networkin
Oct 4 05:58:28 hilbert charon: 03[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Oct 4 05:58:28 hilbert charon: 03[NET] sending packet: from 84.16.235.61[500] to 77.37.6.134[500]
Oct 4 05:58:28 hilbert charon: 15[NET] received packet: from 77.37.6.134[500] to 84.16.235.61[500]
Oct 4 05:58:28 hilbert charon: 15[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Oct 4 05:58:28 hilbert charon: 15[IKE] received cert request for "C=DE, ST=Freistaat Bayern, L=M?nchen, O=scientia.net, OU=Communications and Networki
Oct 4 05:58:28 hilbert charon: 15[IKE] sending cert request for "C=DE, ST=Freistaat Bayern, L=M?nchen, O=scientia.net, OU=Communications and Networkin
Oct 4 05:58:29 hilbert charon: 15[IKE] authentication of 'C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications and Networking, CN=hilbert.scie
Oct 4 05:58:29 hilbert charon: 15[IKE] sending end entity cert "C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications and Networking, CN=hilber
Oct 4 05:58:29 hilbert charon: 15[IKE] establishing CHILD_SA kronecker.scientia.net
Oct 4 05:58:29 hilbert charon: 15[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR)
Oct 4 05:58:29 hilbert charon: 15[NET] sending packet: from 84.16.235.61[4500] to 77.37.6.134[4500]
Oct 4 05:58:29 hilbert charon: 02[NET] received packet: from 77.37.6.134[4500] to 84.16.235.61[4500]
Oct 4 05:58:29 hilbert charon: 02[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(AD
Oct 4 05:58:29 hilbert charon: 02[IKE] received cert request for "C=DE, ST=Freistaat Bayern, L=M?nchen, O=scientia.net, OU=Communications and Networki
Oct 4 05:58:29 hilbert charon: 02[IKE] received end entity cert "C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications and Networking, CN=krone
Oct 4 05:58:29 hilbert charon: 02[CFG] looking for peer configs matching 84.16.235.61[C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications and
Oct 4 05:58:29 hilbert charon: 02[CFG] selected peer config 'kronecker.scientia.net'
################################################################################

In ipsec statusall this looks about like this:

################################################################################
r...@hilbert:~# ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.4.1):
uptime: 10 hours, since Oct 04 00:46:51 2010
malloc: sbrk 8548352, mmap 528384, used 2459088, free 6089264
worker threads: 7 idle of 16, job queue load: 0, scheduled events: 14816
loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem openssl fips-prf xcbc hmac agent gmp attr resolve kernel-netlink socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 dhcp
Listening IP addresses:
84.16.235.61
84.16.242.145
84.16.226.65
84.16.242.146
Connections:
kronecker.scientia.net: 84.16.235.61...77.37.6.134, dpddelay=30s
kronecker.scientia.net: local: [C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications and Networking, CN=hilbert.scientia.net] uses public key authentication
kronecker.scientia.net: cert: "C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications and Networking, CN=hilbert.scientia.net"
kronecker.scientia.net: remote: [C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications and Networking, CN=kronecker.scientia.net] uses public key authentication
kronecker.scientia.net: child: dynamic === dynamic , dpdaction=restart
Security Associations:
kronecker.scientia.net[17515]: ESTABLISHED 11 minutes ago, 84.16.235.61[C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications and Networking, CN=hilbert.scientia.net]...77.37.6.134[C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications and Networking, CN=kronecker.scientia.net]
kronecker.scientia.net[17515]: IKE SPIs: fb65e86e78eecb88_i 030a6e93bb445170_r*, public key reauthentication in 2 hours
kronecker.scientia.net[17515]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
kronecker.scientia.net{17515}: INSTALLED, TUNNEL, ESP SPIs: c8f52903_i c8ab07bb_o
kronecker.scientia.net{17515}: AES_CBC_256/HMAC_SHA1_96, 220 bytes_i, 0 bytes_o, rekeying in 35 minutes
kronecker.scientia.net{17515}: 84.16.235.61/32 === 77.37.6.134/32
kronecker.scientia.net[18206]: ESTABLISHED 0 seconds ago, 84.16.235.61[C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications and Networking, CN=hilbert.scientia.net]...77.37.6.134[C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications and Networking, CN=kronecker.scientia.net]
kronecker.scientia.net[18206]: IKE SPIs: fe4e57268867fb98_i* 0426fccdb6010cf3_r, public key reauthentication in 2 hours
kronecker.scientia.net[18206]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
kronecker.scientia.net{18206}: INSTALLED, TUNNEL, ESP SPIs: c0e64091_i c38cfe64_o
kronecker.scientia.net{18206}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 42 minutes
kronecker.scientia.net{18206}: 84.16.235.61/32 === 77.37.6.134/32
kronecker.scientia.net[18207]: CONNECTING, 84.16.235.61[C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications and Networking, CN=hilbert.scientia.net]...77.37.6.134[C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications and Networking, CN=kronecker.scientia.net]
kronecker.scientia.net[18207]: IKE SPIs: 1e1225a6d1866a50_i* f872c329313ca40e_r
kronecker.scientia.net[18207]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
kronecker.scientia.net[18207]: Tasks active: IKE_CERT_PRE IKE_AUTHENTICATE IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE

r...@hilbert:~# ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.4.1):
uptime: 10 hours, since Oct 04 00:46:50 2010
malloc: sbrk 8548352, mmap 528384, used 2466656, free 6081696
worker threads: 7 idle of 16, job queue load: 0, scheduled events: 14817
loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem openssl fips-prf xcbc hmac agent gmp attr resolve kernel-netlink socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 dhcp
Listening IP addresses:
84.16.235.61
84.16.242.145
84.16.226.65
84.16.242.146
Connections:
kronecker.scientia.net: 84.16.235.61...77.37.6.134, dpddelay=30s
kronecker.scientia.net: local: [C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications and Networking, CN=hilbert.scientia.net] uses public key authentication
kronecker.scientia.net: cert: "C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications and Networking, CN=hilbert.scientia.net"
kronecker.scientia.net: remote: [C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications and Networking, CN=kronecker.scientia.net] uses public key authentication
kronecker.scientia.net: child: dynamic === dynamic , dpdaction=restart
Security Associations:
kronecker.scientia.net[17515]: ESTABLISHED 11 minutes ago, 84.16.235.61[C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications and Networking, CN=hilbert.scientia.net]...77.37.6.134[C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications and Networking, CN=kronecker.scientia.net]
kronecker.scientia.net[17515]: IKE SPIs: fb65e86e78eecb88_i 030a6e93bb445170_r*, public key reauthentication in 2 hours
kronecker.scientia.net[17515]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
kronecker.scientia.net{17515}: INSTALLED, TUNNEL, ESP SPIs: c8f52903_i c8ab07bb_o
kronecker.scientia.net{17515}: AES_CBC_256/HMAC_SHA1_96, 220 bytes_i, 0 bytes_o, rekeying in 35 minutes
kronecker.scientia.net{17515}: 84.16.235.61/32 === 77.37.6.134/32
kronecker.scientia.net[18207]: ESTABLISHED 1 second ago, 84.16.235.61[C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications and Networking, CN=hilbert.scientia.net]...77.37.6.134[C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications and Networking, CN=kronecker.scientia.net]
kronecker.scientia.net[18207]: IKE SPIs: 1e1225a6d1866a50_i* f872c329313ca40e_r, public key reauthentication in 2 hours
kronecker.scientia.net[18207]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
kronecker.scientia.net{18207}: INSTALLED, TUNNEL, ESP SPIs: caa50641_i c8d28561_o
kronecker.scientia.net{18207}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 47 minutes
kronecker.scientia.net{18207}: 84.16.235.61/32 === 77.37.6.134/32
kronecker.scientia.net[18208]: CONNECTING, 84.16.235.61[%any]...77.37.6.134[%any]
kronecker.scientia.net[18208]: IKE SPIs: 6127ba544142a3a8_i* 0000000000000000_r
kronecker.scientia.net[18208]: Tasks active: IKE_VENDOR IKE_INIT IKE_NATD IKE_CERT_PRE IKE_AUTHENTICATE IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE

r...@hilbert:~# ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.4.1):
uptime: 10 hours, since Oct 04 00:46:51 2010
malloc: sbrk 8548352, mmap 528384, used 2460928, free 6087424
worker threads: 7 idle of 16, job queue load: 0, scheduled events: 14814
loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem openssl fips-prf xcbc hmac agent gmp attr resolve kernel-netlink socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 dhcp
Listening IP addresses:
84.16.235.61
84.16.242.145
84.16.226.65
84.16.242.146
Connections:
kronecker.scientia.net: 84.16.235.61...77.37.6.134, dpddelay=30s
kronecker.scientia.net: local: [C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications and Networking, CN=hilbert.scientia.net] uses public key authentication
kronecker.scientia.net: cert: "C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications and Networking, CN=hilbert.scientia.net"
kronecker.scientia.net: remote: [C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications and Networking, CN=kronecker.scientia.net] uses public key authentication
kronecker.scientia.net: child: dynamic === dynamic , dpdaction=restart
Security Associations:
kronecker.scientia.net[17515]: ESTABLISHED 11 minutes ago, 84.16.235.61[C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications and Networking, CN=hilbert.scientia.net]...77.37.6.134[C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications and Networking, CN=kronecker.scientia.net]
kronecker.scientia.net[17515]: IKE SPIs: fb65e86e78eecb88_i 030a6e93bb445170_r*, public key reauthentication in 2 hours
kronecker.scientia.net[17515]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
kronecker.scientia.net{17515}: INSTALLED, TUNNEL, ESP SPIs: c8f52903_i c8ab07bb_o
kronecker.scientia.net{17515}: AES_CBC_256/HMAC_SHA1_96, 220 bytes_i, 0 bytes_o, rekeying in 35 minutes
kronecker.scientia.net{17515}: 84.16.235.61/32 === 77.37.6.134/32
kronecker.scientia.net[18207]: ESTABLISHED 1 second ago, 84.16.235.61[C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications and Networking, CN=hilbert.scientia.net]...77.37.6.134[C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications and Networking, CN=kronecker.scientia.net]
kronecker.scientia.net[18207]: IKE SPIs: 1e1225a6d1866a50_i* f872c329313ca40e_r, public key reauthentication in 2 hours
kronecker.scientia.net[18207]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
kronecker.scientia.net{18207}: INSTALLED, TUNNEL, ESP SPIs: caa50641_i c8d28561_o
kronecker.scientia.net{18207}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 47 minutes
kronecker.scientia.net{18207}: 84.16.235.61/32 === 77.37.6.134/32
kronecker.scientia.net[18208]: CONNECTING, 84.16.235.61[C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications and Networking, CN=hilbert.scientia.net]...77.37.6.134[C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications and Networking, CN=kronecker.scientia.net]
kronecker.scientia.net[18208]: IKE SPIs: 6127ba544142a3a8_i* 2c54836e4ef29bbc_r
kronecker.scientia.net[18208]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
kronecker.scientia.net[18208]: Tasks active: IKE_CERT_PRE IKE_AUTHENTICATE IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE

r...@hilbert:~# ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.4.1):
uptime: 10 hours, since Oct 04 00:46:50 2010
malloc: sbrk 8548352, mmap 528384, used 2458112, free 6090240
worker threads: 7 idle of 16, job queue load: 0, scheduled events: 14814
loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem openssl fips-prf xcbc hmac agent gmp attr resolve kernel-netlink socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 dhcp
Listening IP addresses:
84.16.235.61
84.16.242.145
84.16.226.65
84.16.242.146
Connections:
kronecker.scientia.net: 84.16.235.61...77.37.6.134, dpddelay=30s
kronecker.scientia.net: local: [C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications and Networking, CN=hilbert.scientia.net] uses public key authentication
kronecker.scientia.net: cert: "C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications and Networking, CN=hilbert.scientia.net"
kronecker.scientia.net: remote: [C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications and Networking, CN=kronecker.scientia.net] uses public key authentication
kronecker.scientia.net: child: dynamic === dynamic , dpdaction=restart
Security Associations:
kronecker.scientia.net[17515]: ESTABLISHED 11 minutes ago, 84.16.235.61[C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications and Networking, CN=hilbert.scientia.net]...77.37.6.134[C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications and Networking, CN=kronecker.scientia.net]
kronecker.scientia.net[17515]: IKE SPIs: fb65e86e78eecb88_i 030a6e93bb445170_r*, public key reauthentication in 2 hours
kronecker.scientia.net[17515]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
kronecker.scientia.net{17515}: INSTALLED, TUNNEL, ESP SPIs: c8f52903_i c8ab07bb_o
kronecker.scientia.net{17515}: AES_CBC_256/HMAC_SHA1_96, 220 bytes_i, 0 bytes_o, rekeying in 35 minutes
kronecker.scientia.net{17515}: 84.16.235.61/32 === 77.37.6.134/32
kronecker.scientia.net[18208]: ESTABLISHED 1 second ago, 84.16.235.61[C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications and Networking, CN=hilbert.scientia.net]...77.37.6.134[C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications and Networking, CN=kronecker.scientia.net]
kronecker.scientia.net[18208]: IKE SPIs: 6127ba544142a3a8_i* 2c54836e4ef29bbc_r, public key reauthentication in 2 hours
kronecker.scientia.net[18208]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
kronecker.scientia.net{18208}: INSTALLED, TUNNEL, ESP SPIs: cd0a3fb5_i c83349d4_o
kronecker.scientia.net{18208}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 45 minutes
kronecker.scientia.net{18208}: 84.16.235.61/32 === 77.37.6.134/32
kronecker.scientia.net[18209]: CONNECTING, 84.16.235.61[C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications and Networking, CN=hilbert.scientia.net]...77.37.6.134[C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications and Networking, CN=kronecker.scientia.net]
kronecker.scientia.net[18209]: IKE SPIs: 3c56c8240442f4c9_i* c2885bfdc14f560b_r
kronecker.scientia.net[18209]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
kronecker.scientia.net[18209]: Tasks active: IKE_CERT_PRE IKE_AUTHENTICATE IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE

r...@hilbert:~# ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.4.1):
uptime: 10 hours, since Oct 04 00:46:50 2010
malloc: sbrk 8548352, mmap 528384, used 2462624, free 6085728
worker threads: 7 idle of 16, job queue load: 0, scheduled events: 14817
loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem openssl fips-prf xcbc hmac agent gmp attr resolve kernel-netlink socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 dhcp
Listening IP addresses:
84.16.235.61
84.16.242.145
84.16.226.65
84.16.242.146
Connections:
kronecker.scientia.net: 84.16.235.61...77.37.6.134, dpddelay=30s
kronecker.scientia.net: local: [C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications and Networking, CN=hilbert.scientia.net] uses public key authentication
kronecker.scientia.net: cert: "C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications and Networking, CN=hilbert.scientia.net"
kronecker.scientia.net: remote: [C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications and Networking, CN=kronecker.scientia.net] uses public key authentication
kronecker.scientia.net: child: dynamic === dynamic , dpdaction=restart
Security Associations:
kronecker.scientia.net[17515]: ESTABLISHED 11 minutes ago, 84.16.235.61[C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications and Networking, CN=hilbert.scientia.net]...77.37.6.134[C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications and Networking, CN=kronecker.scientia.net]
kronecker.scientia.net[17515]: IKE SPIs: fb65e86e78eecb88_i 030a6e93bb445170_r*, public key reauthentication in 2 hours
kronecker.scientia.net[17515]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
kronecker.scientia.net{17515}: INSTALLED, TUNNEL, ESP SPIs: c8f52903_i c8ab07bb_o
kronecker.scientia.net{17515}: AES_CBC_256/HMAC_SHA1_96, 220 bytes_i, 0 bytes_o, rekeying in 35 minutes
kronecker.scientia.net{17515}: 84.16.235.61/32 === 77.37.6.134/32
kronecker.scientia.net[18209]: ESTABLISHED 1 second ago, 84.16.235.61[C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications and Networking, CN=hilbert.scientia.net]...77.37.6.134[C=DE, ST=Freistaat Bayern, O=scientia.net, OU=Communications and Networking, CN=kronecker.scientia.net]
kronecker.scientia.net[18209]: IKE SPIs: 3c56c8240442f4c9_i* c2885bfdc14f560b_r, public key reauthentication in 2 hours
kronecker.scientia.net[18209]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
kronecker.scientia.net{18209}: INSTALLED, TUNNEL, ESP SPIs: cb22196e_i c843dc57_o
kronecker.scientia.net{18209}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 48 minutes
kronecker.scientia.net{18209}: 84.16.235.61/32 === 77.37.6.134/32
kronecker.scientia.net[18210]: CONNECTING, 84.16.235.61[%any]...77.37.6.134[%any]
kronecker.scientia.net[18210]: IKE SPIs: 8102cd7e34a1634b_i* 0000000000000000_r
kronecker.scientia.net[18210]: Tasks active: IKE_VENDOR IKE_INIT IKE_NATD IKE_CERT_PRE IKE_AUTHENTICATE IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE
################################################################################

Seems that one connection (17515) stays, and the other counts up. I made those ipsec statusall directly after each other.

Any idea what I do wrong?
Thanks in advance,
Chris.
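To put numbers on the symptom reported in this message, the following added example (not part of the original post and not strongSwan code) parses charon syslog lines of the kind quoted above and reports, per peer, the highest number of IKE_SA initiations inside any 60-second window and the moments at which both ends initiate towards each other. The sample log is constructed in the post's format; the year, the window and the one-second slack are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the format of the charon lines quoted in the post.
SAMPLE_LOG = """\
Oct  4 00:47:01 hilbert charon: 12[IKE] initiating IKE_SA kronecker.scientia.net[1] to 77.37.6.134
Oct  4 05:58:28 hilbert charon: 12[IKE] received DELETE for IKE_SA kronecker.scientia.net[2]
Oct  4 05:58:28 hilbert charon: 12[IKE] initiating IKE_SA kronecker.scientia.net[4] to 77.37.6.134
Oct  4 05:58:28 hilbert charon: 03[IKE] 77.37.6.134 is initiating an IKE_SA
Oct  4 05:58:29 hilbert charon: 07[IKE] received DELETE for IKE_SA kronecker.scientia.net[4]
Oct  4 05:58:29 hilbert charon: 07[IKE] initiating IKE_SA kronecker.scientia.net[6] to 77.37.6.134
Oct  4 05:58:29 hilbert charon: 09[IKE] 77.37.6.134 is initiating an IKE_SA
Oct  4 05:58:30 hilbert charon: 11[IKE] initiating IKE_SA kronecker.scientia.net[8] to 77.37.6.134
"""

LINE = re.compile(r"^(\w{3})\s+(\d{1,2})\s+(\d\d:\d\d:\d\d)\s+\S+\s+charon:\s+\d+\[IKE\]\s+(.*)$")
PATTERNS = {
    "local_init": re.compile(r"initiating IKE_SA \S+\[\d+\] to (?P<key>\S+)$"),
    "peer_init": re.compile(r"(?P<key>\S+) is initiating an IKE_SA$"),
    "delete": re.compile(r"received DELETE for IKE_SA (?P<key>\S+)\[\d+\]$"),
}

def parse_events(text, year=2010):
    """Return (timestamp, kind, key); syslog omits the year, so it is a parameter."""
    events = []
    for raw in text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue
        mon, day, clock, msg = line.groups()
        ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        for kind, rx in PATTERNS.items():
            hit = rx.match(msg)
            if hit:
                events.append((ts, kind, hit.group("key")))  # key: peer IP or conn name
                break
    return events

def max_setups_in_window(events, window=timedelta(seconds=60)):
    """Per peer: most IKE_SA initiations (either direction) inside any one window."""
    per_peer = defaultdict(list)
    for ts, kind, key in events:
        if kind in ("local_init", "peer_init"):
            per_peer[key].append(ts)
    worst = {}
    for peer, stamps in per_peer.items():
        stamps.sort()
        lo = best = 0
        for hi, ts in enumerate(stamps):
            while ts - stamps[lo] > window:  # slide the window's left edge forward
                lo += 1
            best = max(best, hi - lo + 1)
        worst[peer] = best
    return worst

def crossing_initiations(events, slack=timedelta(seconds=1)):
    """(peer, time) pairs where the peer initiates while we initiate to that peer."""
    local = defaultdict(list)
    for ts, kind, key in events:
        if kind == "local_init":
            local[key].append(ts)
    return [(key, ts) for ts, kind, key in events
            if kind == "peer_init" and any(abs(ts - t) <= slack for t in local[key])]

if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print("max initiations per 60 s:", max_setups_in_window(events))
    print("crossing initiations:", crossing_initiations(events))
```
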
