In case this shows you anything interesting, here is the strongswan output from bringing up the connection on the DUT:
# ipsec up rw
initiating IKE_SA rw[3] to 192.168.1.3
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.1.208[500] to 192.168.1.3[500] (708 bytes)
received packet: from 192.168.1.3[500] to 192.168.1.208[500] (465 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
received cert request for "C=US, ST=Illinois, L=Aurora, O=Westell, OU=Edge, CN=Chad"
sending cert request for "C=US, O=T-Mobile USA, Inc., CN=T-Mobile USA, Inc. Engineering and Operations CA"
sending cert request for "C=US, ST=Illinois, L=Aurora, O=Westell Technologies Inc., CN=www.westell.com, [email protected]"
sending cert request for "C=US, ST=Illinois, L=Aurora, O=Westell, OU=Edge, CN=Chad"
authentication of '192.168.1.208' (myself) with pre-shared key
establishing CHILD_SA rw
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.1.208[4500] to 192.168.1.3[4500] (476 bytes)
received packet: from 192.168.1.3[4500] to 192.168.1.208[4500] (236 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
authentication of '192.168.1.3' with pre-shared key successful
IKE_SA rw[3] established between 192.168.1.208[192.168.1.208]...192.168.1.3[192.168.1.3]
scheduling reauthentication in 10258s
maximum IKE_SA lifetime 10798s
CHILD_SA rw{2} established with SPIs c57682c2_i c5319e18_o and TS 192.168.2.0/24 === 192.168.1.3/32
received AUTH_LIFETIME of 9941s, scheduling reauthentication in 9401s
peer supports MOBIKE
#
#
#
# ip -s xfrm state
src 192.168.1.208 dst 192.168.1.3
    proto esp spi 0xc5319e18(3308363288) reqid 2(0x00000002) mode tunnel
    replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
    enc cbc(aes) 0xeee6c5a4c28d4ee8c6b98afb623d99e6 (128 bits)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 2726(sec), hard 3600(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2000-01-01 05:08:08 use -
    stats:
      replay-window 0 replay 0 failed 0
src 192.168.1.3 dst 192.168.1.208
    proto esp spi 0xc57682c2(3312878274) reqid 2(0x00000002) mode tunnel
    replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
    enc cbc(aes) 0x729b243a6c19708bf825a2554d75c760 (128 bits)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 3013(sec), hard 3600(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2000-01-01 05:08:08 use -
    stats:
      replay-window 0 replay 0 failed 0
src 10.1.2.3 dst 10.2.3.4
    proto esp spi 0x000014e5(5349) reqid 1(0x00000001) mode tunnel
    replay-window 0 seq 0x00000000 flag (0x00000000)
    auth-trunc hmac(sha1) 0x0102030405060708091011121314151617181920 (160 bits) 96
    enc cbc(aes) 0x01020304050607080910111213141516 (128 bits)
    sel src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2000-01-01 05:01:23 use -
    stats:
      replay-window 0 replay 0 failed 0

-Chad
