Hello Alexis,
ipsec statusall does not show the configuration of PFS. But with
charondebug="cfg 2"
you can verify the PFS negotiation in the charon log.
Best regards
Andreas
On 03/18/2011 12:45 AM, Alexis Salinas wrote:
Hi All,
I'm wondering if someone knows how to check if PFS is enabled, and the DH group
being used by a given CHILD_SA.
From an older post (https://lists.strongswan.org/pipermail/users/2008-October/002822.html) I got
this: "The modp option in the esp definition is ignored when setting up the first CHILD_SA as
part of the IKE_AUTH exchange. Separate DH factors are used by CREATE_CHILD_SA exchanges
establishing additional CHILD_SAs or during IPsec SA rekeying. With this behaviour 'Perfect
Forward Secrecy' is achieved."
So I configured a couple of gateways like shown below, but when I check 'ipsec
statusall' I don't see any reference to PFS on the second CHILD_SA.
Am I doing something wrong?
Thanks in advance.
config setup
    cachecrls=no
    charonstart=yes
    crlcheckinterval=0
    plutostart=yes
    strictcrlpolicy=no
    nat_traversal=yes
    plutodebug=none
    charondebug="dmn 0, mgr 0, ike 0, chd 0, job 0, cfg 0, knl 0, net 0, enc 0, lib 0"

#gw1-to-gw2
conn gw1-to-gw2
    left=192.168.3.31
    leftid=@H020109D0001
    leftsubnet=172.22.0.0/24
    leftnexthop=192.168.2.128
    leftfirewall=yes
    right=192.168.3.110
    rightsubnet=10.0.0.0/24
    ike=aes128-md5-modp1536!
    esp=aes128-md5-modp1024!
    keyexchange=ikev2
    mobike=yes
    ikelifetime=60m
    keylife=20m
    compress=no
    authby=secret
    dpdaction=restart
    dpddelay=10
    dpdtimeout=30
    auto=add
    keyingtries=1
    rekeymargin=3m
    forceencaps=yes
    reauth=yes

#gw1-to-gw2-child2
conn gw1-to-gw2-child2
    left=192.168.3.31
    leftid=@H020109D0001
    leftsubnet=172.22.1.0/24
    leftnexthop=192.168.2.128
    leftfirewall=yes
    right=192.168.3.110
    rightsubnet=10.1.0.0/24
    ike=aes128-md5-modp1536!
    esp=aes128-md5-modp1024!
    keyexchange=ikev2
    mobike=yes
    ikelifetime=60m
    keylife=20m
    compress=no
    authby=secret
    dpdaction=restart
    dpddelay=10
    dpdtimeout=30
    auto=add
    keyingtries=1
    rekeymargin=3m
    forceencaps=yes
    reauth=yes
Security Associations:
gw1-to-gw2[1]: ESTABLISHED 50 seconds ago,
192.168.3.31[H020109D0001]...192.168.3.110[192.168.3.110]
gw1-to-gw2[1]: IKE SPIs: e60a4f49fa294bcd_i* f6d5a905dfa97711_r, pre-shared key
reauthentication in 55 minutes
gw1-to-gw2[1]: IKE proposal: AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536
gw1-to-gw2{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: c911f5f8_i cf631c91_o
gw1-to-gw2{1}: AES_CBC_128/HMAC_MD5_96, 0 bytes_i, 0 bytes_o, rekeying in 16
minutes
gw1-to-gw2{1}: 172.22.0.0/24 === 10.0.0.0/24
gw1-to-gw2-child2{2}: INSTALLED, TUNNEL, ESP in UDP SPIs: c3013ecc_i c2eb28c9_o
gw1-to-gw2-child2{2}: AES_CBC_128/HMAC_MD5_96, 0 bytes_i, 0 bytes_o, rekeying
in 15 minutes
gw1-to-gw2-child2{2}: 172.22.1.0/24 === 10.1.0.0/24
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
-------------------------------------------------------------------------------
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
    crlcheckinterval=180
    strictcrlpolicy=no
    plutostart=no
    charondebug="cfg 2"

conn %default
    ikelifetime=60m
    keylife=2m
    rekeymargin=10s
    keyingtries=1
    keyexchange=ikev2
    ike=aes128-sha256-modp2048!
    esp=aes128-sha256-modp1536!
    mobike=no

conn net-net
    left=192.168.0.1
    leftcert=moonCert.pem
    [email protected]
    leftsubnet=10.1.0.0/16
    leftfirewall=yes
    right=192.168.0.2
    [email protected]
    rightsubnet=10.2.0.0/16
    auto=add
-------------------------------------------------------------------------------
# Start charon daemon
Mar 18 10:17:09 moon charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan
4.5.2dr3)
Mar 18 10:17:09 moon charon: 00[CFG] loading ca certificates from
'/etc/ipsec.d/cacerts'
Mar 18 10:17:09 moon charon: 00[CFG] loaded ca certificate "C=CH, O=Linux
strongSwan, CN=strongSwan Root CA" from
'/etc/ipsec.d/cacerts/strongswanCert.pem'
Mar 18 10:17:09 moon charon: 00[CFG] loading aa certificates from
'/etc/ipsec.d/aacerts'
Mar 18 10:17:09 moon charon: 00[CFG] loading ocsp signer certificates from
'/etc/ipsec.d/ocspcerts'
Mar 18 10:17:09 moon charon: 00[CFG] loading attribute certificates from
'/etc/ipsec.d/acerts'
Mar 18 10:17:09 moon charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Mar 18 10:17:09 moon charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Mar 18 10:17:09 moon charon: 00[CFG] loaded RSA private key from
'/etc/ipsec.d/private/moonKey.pem'
Mar 18 10:17:09 moon charon: 00[KNL] listening on interfaces:
Mar 18 10:17:09 moon charon: 00[KNL] eth0
Mar 18 10:17:09 moon charon: 00[KNL] 192.168.0.1
Mar 18 10:17:09 moon charon: 00[KNL] fec0::1
Mar 18 10:17:09 moon charon: 00[KNL] fe80::fcfd:c0ff:fea8:1
Mar 18 10:17:09 moon charon: 00[KNL] eth1
Mar 18 10:17:09 moon charon: 00[KNL] 10.1.0.1
Mar 18 10:17:09 moon charon: 00[KNL] fec1::1
Mar 18 10:17:09 moon charon: 00[KNL] fe80::fcfd:aff:fe01:1
Mar 18 10:17:09 moon charon: 00[DMN] loaded plugins: curl aes des sha1 sha2 md5
pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink
socket-default updown
Mar 18 10:17:09 moon charon: 00[JOB] spawning 16 worker threads
Mar 18 10:17:09 moon charon: 08[CFG] received stroke: add connection 'net-net'
Mar 18 10:17:09 moon charon: 08[CFG] conn net-net
Mar 18 10:17:09 moon charon: 08[CFG] left=192.168.0.1
Mar 18 10:17:09 moon charon: 08[CFG] leftsubnet=10.1.0.0/16
Mar 18 10:17:09 moon charon: 08[CFG] leftsourceip=(null)
Mar 18 10:17:09 moon charon: 08[CFG] leftauth=(null)
Mar 18 10:17:09 moon charon: 08[CFG] leftauth2=(null)
Mar 18 10:17:09 moon charon: 08[CFG] [email protected]
Mar 18 10:17:09 moon charon: 08[CFG] leftid2=(null)
Mar 18 10:17:09 moon charon: 08[CFG] leftcert=moonCert.pem
Mar 18 10:17:09 moon charon: 08[CFG] leftcert2=(null)
Mar 18 10:17:09 moon charon: 08[CFG] leftca=(null)
Mar 18 10:17:09 moon charon: 08[CFG] leftca2=(null)
Mar 18 10:17:09 moon charon: 08[CFG] leftgroups=(null)
Mar 18 10:17:09 moon charon: 08[CFG] leftupdown=ipsec _updown iptables
Mar 18 10:17:09 moon charon: 08[CFG] right=192.168.0.2
Mar 18 10:17:09 moon charon: 08[CFG] rightsubnet=10.2.0.0/16
Mar 18 10:17:09 moon charon: 08[CFG] rightsourceip=(null)
Mar 18 10:17:09 moon charon: 08[CFG] rightauth=(null)
Mar 18 10:17:09 moon charon: 08[CFG] rightauth2=(null)
Mar 18 10:17:09 moon charon: 08[CFG] [email protected]
Mar 18 10:17:09 moon charon: 08[CFG] rightid2=(null)
Mar 18 10:17:09 moon charon: 08[CFG] rightcert=(null)
Mar 18 10:17:09 moon charon: 08[CFG] rightcert2=(null)
Mar 18 10:17:09 moon charon: 08[CFG] rightca=(null)
Mar 18 10:17:09 moon charon: 08[CFG] rightca2=(null)
Mar 18 10:17:09 moon charon: 08[CFG] rightgroups=(null)
Mar 18 10:17:09 moon charon: 08[CFG] rightupdown=(null)
Mar 18 10:17:09 moon charon: 08[CFG] eap_identity=(null)
Mar 18 10:17:09 moon charon: 08[CFG] aaa_identity=(null)
Mar 18 10:17:09 moon charon: 08[CFG] ike=aes128-sha256-modp2048!
Mar 18 10:17:09 moon charon: 08[CFG] esp=aes128-sha256-modp1536!
Mar 18 10:17:09 moon charon: 08[CFG] mediation=no
Mar 18 10:17:09 moon charon: 08[CFG] mediated_by=(null)
Mar 18 10:17:09 moon charon: 08[CFG] me_peerid=(null)
Mar 18 10:17:09 moon charon: 08[CFG] loaded certificate "C=CH, O=Linux
strongSwan, CN=moon.strongswan.org" from 'moonCert.pem'
Mar 18 10:17:09 moon charon: 08[CFG] added configuration 'net-net'
-------------------------------------------------------------------------------
# Start up net-net connection: establish IKE_SA and CHILD_SA
Mar 18 10:17:16 moon charon: 13[CFG] received stroke: initiate 'net-net'
Mar 18 10:17:16 moon charon: 06[IKE] initiating IKE_SA net-net[1] to
192.168.0.2
Mar 18 10:17:16 moon charon: 06[ENC] generating IKE_SA_INIT request 0 [ SA KE
No N(NATD_S_IP) N(NATD_D_IP) ]
Mar 18 10:17:16 moon charon: 06[NET] sending packet: from 192.168.0.1[500] to
192.168.0.2[500]
Mar 18 10:17:16 moon charon: 05[NET] received packet: from 192.168.0.2[500] to
192.168.0.1[500]
Mar 18 10:17:16 moon charon: 05[ENC] parsed IKE_SA_INIT response 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Mar 18 10:17:16 moon charon: 05[CFG] selecting proposal:
Mar 18 10:17:16 moon charon: 05[CFG] proposal matches
Mar 18 10:17:16 moon charon: 05[CFG] received proposals:
IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Mar 18 10:17:16 moon charon: 05[CFG] configured proposals:
IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Mar 18 10:17:16 moon charon: 05[CFG] selected proposal:
IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Mar 18 10:17:16 moon charon: 05[IKE] received cert request for "C=CH, O=Linux
strongSwan, CN=strongSwan Root CA"
Mar 18 10:17:16 moon charon: 05[IKE] sending cert request for "C=CH, O=Linux
strongSwan, CN=strongSwan Root CA"
Mar 18 10:17:16 moon charon: 05[IKE] authentication of 'moon.strongswan.org'
(myself) with RSA signature successful
Mar 18 10:17:16 moon charon: 05[IKE] sending end entity cert "C=CH, O=Linux
strongSwan, CN=moon.strongswan.org"
Mar 18 10:17:16 moon charon: 05[IKE] establishing CHILD_SA net-net
Mar 18 10:17:16 moon charon: 05[CFG] proposing traffic selectors for us:
Mar 18 10:17:16 moon charon: 05[CFG] 10.1.0.0/16 (derived from 10.1.0.0/16)
Mar 18 10:17:16 moon charon: 05[CFG] proposing traffic selectors for other:
Mar 18 10:17:16 moon charon: 05[CFG] 10.2.0.0/16 (derived from 10.2.0.0/16)
Mar 18 10:17:16 moon charon: 05[ENC] generating IKE_AUTH request 1 [ IDi CERT
N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(EAP_ONLY) ]
Mar 18 10:17:16 moon charon: 05[NET] sending packet: from 192.168.0.1[500] to
192.168.0.2[500]
Mar 18 10:17:17 moon charon: 04[NET] received packet: from 192.168.0.2[500] to
192.168.0.1[500]
Mar 18 10:17:17 moon charon: 04[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH
SA TSi TSr N(AUTH_LFT) ]
Mar 18 10:17:17 moon charon: 04[IKE] received end entity cert "C=CH, O=Linux
strongSwan, CN=sun.strongswan.org"
Mar 18 10:17:17 moon charon: 04[CFG] using certificate "C=CH, O=Linux
strongSwan, CN=sun.strongswan.org"
Mar 18 10:17:17 moon charon: 04[CFG] certificate "C=CH, O=Linux strongSwan,
CN=sun.strongswan.org" key: 2048 bit RSA
Mar 18 10:17:17 moon charon: 04[CFG] using trusted ca certificate "C=CH,
O=Linux strongSwan, CN=strongSwan Root CA"
Mar 18 10:17:17 moon charon: 04[CFG] checking certificate status of "C=CH,
O=Linux strongSwan, CN=sun.strongswan.org"
Mar 18 10:17:17 moon charon: 04[CFG] ocsp check skipped, no ocsp found
Mar 18 10:17:17 moon charon: 04[CFG] fetching crl from
'http://crl.strongswan.org/strongswan.crl' ...
Mar 18 10:17:17 moon charon: 04[CFG] using trusted certificate "C=CH, O=Linux
strongSwan, CN=strongSwan Root CA"
Mar 18 10:17:17 moon charon: 04[CFG] crl correctly signed by "C=CH, O=Linux
strongSwan, CN=strongSwan Root CA"
Mar 18 10:17:17 moon charon: 04[CFG] crl is valid: until Apr 16 23:30:03 2011
Mar 18 10:17:17 moon charon: 04[CFG] certificate status is good
Mar 18 10:17:17 moon charon: 04[CFG] certificate "C=CH, O=Linux strongSwan,
CN=strongSwan Root CA" key: 2048 bit RSA
Mar 18 10:17:17 moon charon: 04[CFG] reached self-signed root ca with a path
length of 0
Mar 18 10:17:17 moon charon: 04[IKE] authentication of 'sun.strongswan.org'
with RSA signature successful
Mar 18 10:17:17 moon charon: 04[IKE] IKE_SA net-net[1] established between
192.168.0.1[moon.strongswan.org]...192.168.0.2[sun.strongswan.org]
Mar 18 10:17:17 moon charon: 04[IKE] scheduling reauthentication in 3588s
Mar 18 10:17:17 moon charon: 04[IKE] maximum IKE_SA lifetime 3598s
Mar 18 10:17:17 moon charon: 04[CFG] selecting proposal:
Mar 18 10:17:17 moon charon: 04[CFG] proposal matches
Mar 18 10:17:17 moon charon: 04[CFG] received proposals:
ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
Mar 18 10:17:17 moon charon: 04[CFG] configured proposals:
ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_1536/NO_EXT_SEQ
Mar 18 10:17:17 moon charon: 04[CFG] selected proposal:
ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
Mar 18 10:17:17 moon charon: 04[CFG] selecting traffic selectors for us:
Mar 18 10:17:17 moon charon: 04[CFG] config: 10.1.0.0/16, received:
10.1.0.0/16 => match: 10.1.0.0/16
Mar 18 10:17:17 moon charon: 04[CFG] selecting traffic selectors for other:
Mar 18 10:17:17 moon charon: 04[CFG] config: 10.2.0.0/16, received:
10.2.0.0/16 => match: 10.2.0.0/16
Mar 18 10:17:17 moon charon: 04[IKE] CHILD_SA net-net{1} established with SPIs
c65a8cd9_i cecef2ef_o and TS 10.1.0.0/16 === 10.2.0.0/16
Mar 18 10:17:17 moon charon: 04[IKE] received AUTH_LIFETIME of 3366s,
scheduling reauthentication in 3356s
-------------------------------------------------------------------------------
moon ~ # ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.5.2dr3):
uptime: 94 seconds, since Mar 18 10:17:09 2011
malloc: sbrk 135168, mmap 0, used 87464, free 47704
worker threads: 9 idle of 16, job queue load: 0, scheduled events: 3
loaded plugins: curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509
revocation hmac xcbc stroke kernel-netlink socket-default updown
Listening IP addresses:
192.168.0.1
fec0::1
10.1.0.1
fec1::1
Connections:
net-net: 192.168.0.1...192.168.0.2
net-net: local: [moon.strongswan.org] uses public key authentication
net-net: cert: "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
net-net: remote: [sun.strongswan.org] uses any authentication
net-net: child: 10.1.0.0/16 === 10.2.0.0/16
Security Associations:
net-net[1]: ESTABLISHED 86 seconds ago,
192.168.0.1[moon.strongswan.org]...192.168.0.2[sun.strongswan.org]
net-net[1]: IKE SPIs: 0c01492ce46c4f98_i* b5ad160a0c77e9b5_r, public key
reauthentication in 54 minutes
net-net[1]: IKE proposal:
AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
net-net{1}: INSTALLED, TUNNEL, ESP SPIs: c65a8cd9_i cecef2ef_o
net-net{1}: AES_CBC_128/HMAC_SHA2_256_128, 168 bytes_i (3s ago), 168
bytes_o (3s ago), rekeying in 15 seconds
net-net{1}: 10.1.0.0/16 === 10.2.0.0/16
-------------------------------------------------------------------------------
# CHILD_SA rekeying
Mar 18 10:18:30 moon charon: 15[CFG] proposing traffic selectors for us:
Mar 18 10:18:30 moon charon: 15[CFG] 10.1.0.0/16 (derived from 10.1.0.0/16)
Mar 18 10:18:30 moon charon: 15[CFG] proposing traffic selectors for other:
Mar 18 10:18:30 moon charon: 15[CFG] 10.2.0.0/16 (derived from 10.2.0.0/16)
Mar 18 10:18:43 moon charon: 01[CFG] proposing traffic selectors for us:
Mar 18 10:18:43 moon charon: 01[CFG] 10.1.0.0/16 (derived from 10.1.0.0/16)
Mar 18 10:18:43 moon charon: 01[CFG] proposing traffic selectors for other:
Mar 18 10:18:43 moon charon: 01[CFG] 10.2.0.0/16 (derived from 10.2.0.0/16)
Mar 18 10:18:58 moon charon: 09[KNL] creating rekey job for ESP CHILD_SA with
SPI cecef2ef and reqid {1}
Mar 18 10:18:58 moon charon: 06[IKE] establishing CHILD_SA net-net{1}
Mar 18 10:18:58 moon charon: 06[CFG] proposing traffic selectors for us:
Mar 18 10:18:58 moon charon: 06[CFG] 10.1.0.0/16 (derived from 10.1.0.0/16)
Mar 18 10:18:58 moon charon: 06[CFG] proposing traffic selectors for other:
Mar 18 10:18:58 moon charon: 06[CFG] 10.2.0.0/16 (derived from 10.2.0.0/16)
Mar 18 10:18:58 moon charon: 06[ENC] generating CREATE_CHILD_SA request 2 [
N(REKEY_SA) SA No KE TSi TSr ]
Mar 18 10:18:58 moon charon: 06[NET] sending packet: from 192.168.0.1[500] to
192.168.0.2[500]
Mar 18 10:18:58 moon charon: 05[NET] received packet: from 192.168.0.2[500] to
192.168.0.1[500]
Mar 18 10:18:58 moon charon: 05[ENC] parsed CREATE_CHILD_SA response 2 [ SA No
KE TSi TSr ]
Mar 18 10:18:58 moon charon: 05[CFG] selecting proposal:
Mar 18 10:18:58 moon charon: 05[CFG] proposal matches
Mar 18 10:18:58 moon charon: 05[CFG] received proposals:
ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_1536/NO_EXT_SEQ
Mar 18 10:18:58 moon charon: 05[CFG] configured proposals:
ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_1536/NO_EXT_SEQ
Mar 18 10:18:58 moon charon: 05[CFG] selected proposal:
ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_1536/NO_EXT_SEQ
Mar 18 10:18:58 moon charon: 05[CFG] selecting traffic selectors for us:
Mar 18 10:18:58 moon charon: 05[CFG] config: 10.1.0.0/16, received:
10.1.0.0/16 => match: 10.1.0.0/16
Mar 18 10:18:58 moon charon: 05[CFG] selecting traffic selectors for other:
Mar 18 10:18:58 moon charon: 05[CFG] config: 10.2.0.0/16, received:
10.2.0.0/16 => match: 10.2.0.0/16
Mar 18 10:18:58 moon charon: 05[IKE] CHILD_SA net-net{1} established with SPIs
c65719c1_i c5b686e4_o and TS 10.1.0.0/16 === 10.2.0.0/16
-------------------------------------------------------------------------------
moon ~ # ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.5.2dr3):
uptime: 117 seconds, since Mar 18 10:17:10 2011
malloc: sbrk 135168, mmap 0, used 87504, free 47664
worker threads: 9 idle of 16, job queue load: 0, scheduled events: 3
loaded plugins: curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509
revocation hmac xcbc stroke kernel-netlink socket-default updown
Listening IP addresses:
192.168.0.1
fec0::1
10.1.0.1
fec1::1
Connections:
net-net: 192.168.0.1...192.168.0.2
net-net: local: [moon.strongswan.org] uses public key authentication
net-net: cert: "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
net-net: remote: [sun.strongswan.org] uses any authentication
net-net: child: 10.1.0.0/16 === 10.2.0.0/16
Security Associations:
net-net[1]: ESTABLISHED 109 seconds ago,
192.168.0.1[moon.strongswan.org]...192.168.0.2[sun.strongswan.org]
net-net[1]: IKE SPIs: 0c01492ce46c4f98_i* b5ad160a0c77e9b5_r, public key
reauthentication in 54 minutes
net-net[1]: IKE proposal:
AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
net-net{1}: INSTALLED, TUNNEL, ESP SPIs: c65719c1_i c5b686e4_o
net-net{1}: AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying
in 93 seconds
net-net{1}: 10.1.0.0/16 === 10.2.0.0/16
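An added checker, not part of this thread or of strongSwan, that applies Andreas' advice mechanically: with charondebug="cfg 2" every negotiated proposal is logged as "selected proposal: ...", and a CHILD_SA has PFS when the proposal agreed in a CREATE_CHILD_SA exchange carries a DH group transform (MODP_1536 in the log above), while the first CHILD_SA from IKE_AUTH never does. The first six sample records are taken from the log above (one was left mail-wrapped on purpose), the last two are constructed to show what a rekey without PFS looks like, and the MODP_n/ECP_n patterns are assumed to cover strongSwan's DH group transform names.

```python
import re

# Constructed sample: records from the charon log above, plus (last two lines)
# a constructed CREATE_CHILD_SA rekey with no KE payload and no DH group.
SAMPLE_LOG = """\
Mar 18 10:17:16 moon charon: 05[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Mar 18 10:17:16 moon charon: 05[CFG] selected proposal:
IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Mar 18 10:17:17 moon charon: 04[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) ]
Mar 18 10:17:17 moon charon: 04[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
Mar 18 10:18:58 moon charon: 05[ENC] parsed CREATE_CHILD_SA response 2 [ SA No KE TSi TSr ]
Mar 18 10:18:58 moon charon: 05[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_1536/NO_EXT_SEQ
Mar 18 10:20:30 moon charon: 07[ENC] parsed CREATE_CHILD_SA response 3 [ SA No TSi TSr ]
Mar 18 10:20:30 moon charon: 07[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
"""

RECORD_START_RE = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d ")  # syslog timestamp
EXCHANGE_RE = re.compile(r"\b(IKE_SA_INIT|IKE_AUTH|CREATE_CHILD_SA) (?:request|response)\b")
PROPOSAL_RE = re.compile(r"selected proposal: ?(IKE|ESP|AH):(\S+)")
DH_GROUP_RE = re.compile(r"^(MODP|ECP)_\d+$")  # assumed: strongSwan DH group transform names

def unwrap(log_text):
    """Re-join records a mail client wrapped: a line without a timestamp continues the previous one."""
    records = []
    for line in log_text.splitlines():
        if RECORD_START_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records

def parse_selected_proposals(log_text):
    """One dict per 'selected proposal' record: exchange, protocol and DH group (None if none)."""
    exchange, results = None, []
    for rec in unwrap(log_text):
        m = EXCHANGE_RE.search(rec)
        if m:
            exchange = m.group(1)   # remember which exchange the next proposal belongs to
            continue
        m = PROPOSAL_RE.search(rec)
        if not m:
            continue
        transforms = m.group(2).split("/")
        dh = next((t for t in transforms if DH_GROUP_RE.match(t)), None)
        results.append({"exchange": exchange, "proto": m.group(1), "dh_group": dh})
    return results

def pfs_verdict(record):
    """Classify a negotiated proposal the way the reply above explains it."""
    if record["proto"] == "IKE":
        return "ike-sa"           # the IKE_SA always runs DH; not a PFS question
    if record["exchange"] == "IKE_AUTH":
        return "first-child-sa"   # keyed from the IKE_SA; no DH group expected here
    return "pfs" if record["dh_group"] else "no-pfs"

if __name__ == "__main__":
    for r in parse_selected_proposals(SAMPLE_LOG):
        print(f'{r["exchange"]:16} {r["proto"]:3} dh={r["dh_group"]!s:10} -> {pfs_verdict(r)}')
```

Run it against a real /var/log/auth.log or syslog excerpt from charon; a "no-pfs" verdict on a CREATE_CHILD_SA is the case Alexis was worried about, and it shows up there even though ipsec statusall never mentions PFS.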