Hello list,

I'm using StrongSwan 5.2.0 running on CentOS 6.5; the other end of the VPN is a
Cisco ASA running 9.1(3).

Every few days the connection drops out and we have to do ipsec restart on the
StrongSwan end. I've tried using IKEv1 and IKEv2 but it doesn't seem to make
any difference. I'd be grateful if someone could give me some advice on where
the problem might lie. I'm pretty stumped, I'm afraid.

The connection died around 08:22 this morning. I've attached the messages file
and some config.

Here's an ipsec statusall from the StrongSwan box right now...
Status of IKE charon daemon (strongSwan 5.2.0, Linux 2.6.32-504.3.3.el6.x86_64,
x86_64):
uptime: 41 hours, since Jan 15 17:09:11 2015
malloc: sbrk 270336, mmap 0, used 205008, free 65328
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 2
loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation
constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp
xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown
xauth-generic unity
Listening IP addresses:
10.1.1.1
Connections:
ciscoios: 10.1.1.1...444.444.444.444 IKEv2
ciscoios: local: [10.1.1.1] uses pre-shared key authentication
ciscoios: remote: [444.444.444.444] uses pre-shared key authentication
ciscoios: child: 10.1.0.0/16 === 192.168.0.0/16 TUNNEL
Security Associations (0 up, 0 connecting):
none
And some stats from the ASA
ASA# sh crypto ikev2 sa
There are no IKEv2 SAs
ASA# sh crypto ipsec sa
There are no ipsec sas
If I restart the connection here's what the statusall looks like
Status of IKE charon daemon (strongSwan 5.2.0, Linux 2.6.32-504.3.3.el6.x86_64,
x86_64):
uptime: 22 seconds, since Jan 17 10:58:27 2015
malloc: sbrk 270336, mmap 0, used 205008, free 65328
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 3
loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation
constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp
xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown
xauth-generic unity
Listening IP addresses:
10.1.1.1
Connections:
ciscoios: 10.1.1.1...444.444.444.444 IKEv2
ciscoios: local: [10.1.1.1] uses pre-shared key authentication
ciscoios: remote: [444.444.444.444] uses pre-shared key authentication
ciscoios: child: 10.1.0.0/16 === 192.168.0.0/16 TUNNEL
Security Associations (1 up, 0 connecting):
ciscoios[1]: ESTABLISHED 22 seconds ago,
10.1.1.1[10.1.1.1]...444.444.444.444[444.444.444.444]
ciscoios[1]: IKEv2 SPIs: de5d948f9c8f22af_i* cb7c5a2906edd007_r, pre-shared
key reauthentication in 23 hours
ciscoios[1]: IKE proposal: AES_CBC_128/HMAC_MD5_96/PRF_HMAC_SHA1/MODP_1536
ciscoios{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: c96684fa_i 94701406_o
ciscoios{1}: AES_CBC_128/HMAC_SHA1_96, 2436 bytes_i (29 pkts, 1s ago),
2436 bytes_o (29 pkts, 1s ago), rekeying in 54 minutes
ciscoios{1}: 10.1.0.0/16 === 192.168.0.0/16
And here's some stats from the ASA
ASA# sh crypto ikev2 sa detail
IKEv2 SAs:
Session-id:22, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote
Status Role
321156029 444.444.444.444/4500 333.333.333.333/4500 READY
RESPONDER
Encr: AES-CBC, keysize: 128, Hash: MD596, DH Grp:5, Auth sign: PSK,
Auth verify: PSK
Life/Active Time: 86400/163 sec
Session-id: 22
Status Description: Negotiation done
Local spi: 07D0ED06295A7CCB Remote spi: AF228F9C8F945DDE
Local id: 444.444.444.444
Remote id: 10.1.1.1
Local req mess id: 0 Remote req mess id: 2
Local next mess id: 0 Remote next mess id: 2
Local req queued: 0 Remote req queued: 2
Local window: 1 Remote window: 1
DPD configured for 10 seconds, retry 2
NAT-T is detected outside
Child sa: local selector 192.168.0.0/0 - 192.168.255.255/65535
remote selector 10.1.0.0/0 - 10.1.255.255/65535
ESP spi in/out: 0x94701406/0xc96684fa
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-CBC, keysize: 128, esp_hmac: SHA96
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
ASA# sh crypto ipsec sa
interface: OUTSIDE
Crypto map tag: mymap, seq num: 1, local addr: 444.444.444.444
access-list AWSInt-VPN-ACL extended permit ip 192.168.0.0 255.255.0.0
10.1.0.0 255.255.0.0
local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
current_peer: 333.333.333.333
#pkts encaps: 443, #pkts encrypt: 443, #pkts digest: 443
#pkts decaps: 443, #pkts decrypt: 443, #pkts verify: 443
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 443, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing
reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 444.444.444.444/4500, remote crypto endpt.:
333.333.333.333/4500
path mtu 1500, ipsec overhead 82(52), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: C96684FA
current inbound spi : 94701406
inbound esp sas:
spi: 0x94701406 (2490373126)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, IKEv2, }
slot: 0, conn_id: 598016, crypto-map: mymap
sa timing: remaining key lifetime (kB/sec): (4008923/28564)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xC96684FA (3378939130)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, IKEv2, }
slot: 0, conn_id: 598016, crypto-map: mymap
sa timing: remaining key lifetime (kB/sec): (4331483/28564)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Any advice will be gratefully received.
Cheers,
Tormod
access-list VPN-ACL extended permit ip 192.168.0.0 255.255.0.0 10.1.0.0 255.255.0.0
crypto ipsec ikev2 ipsec-proposal my-proposal
 protocol esp encryption aes
 protocol esp integrity sha-1
crypto ipsec security-association pmtu-aging infinite
crypto map mymap 1 match address VPN-ACL
crypto map mymap 1 set peer 333.333.333.333
crypto map mymap 1 set ikev2 ipsec-proposal my-proposal
crypto map mymap interface OUTSIDE
crypto ca trustpool policy
crypto ikev2 policy 10
 encryption aes
 integrity md5
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 enable OUTSIDE
tunnel-group 333.333.333.333 type ipsec-l2l
tunnel-group 333.333.333.333 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
Jan 17 00:25:06 ip-10-130-68-12 charon: 16[KNL] creating rekey job for ESP
CHILD_SA with SPI 4035b91b and reqid {1}
Jan 17 00:25:06 ip-10-130-68-12 charon: 14[IKE] establishing CHILD_SA
ciscoios{1}
Jan 17 00:25:06 ip-10-130-68-12 charon: 14[ENC] generating CREATE_CHILD_SA
request 16 [ N(REKEY_SA) SA No TSi TSr ]
Jan 17 00:25:06 ip-10-130-68-12 charon: 14[NET] sending packet: from
10.1.1.1[4500] to 444.444.444.444[4500] (316 bytes)
Jan 17 00:25:06 ip-10-130-68-12 charon: 02[NET] received packet: from
444.444.444.444[4500] to 10.1.1.1[4500] (236 bytes)
Jan 17 00:25:06 ip-10-130-68-12 charon: 02[ENC] parsed CREATE_CHILD_SA response
16 [ SA No TSi TSr ]
Jan 17 00:25:06 ip-10-130-68-12 charon: 02[IKE] CHILD_SA ciscoios{1}
established with SPIs cc93153d_i 2ed9ab1b_o and TS 10.1.0.0/16 ===
192.168.0.0/16
Jan 17 00:25:06 ip-10-130-68-12 charon: 02[IKE] closing CHILD_SA ciscoios{1}
with SPIs c7adcd50_i (760848 bytes) 4035b91b_o (760848 bytes) and TS
10.1.0.0/16 === 192.168.0.0/16
Jan 17 00:25:06 ip-10-130-68-12 charon: 02[IKE] sending DELETE for ESP CHILD_SA
with SPI c7adcd50
Jan 17 00:25:06 ip-10-130-68-12 charon: 02[ENC] generating INFORMATIONAL
request 17 [ D ]
Jan 17 00:25:06 ip-10-130-68-12 charon: 02[NET] sending packet: from
10.1.1.1[4500] to 444.444.444.444[4500] (76 bytes)
Jan 17 00:25:06 ip-10-130-68-12 charon: 01[NET] received packet: from
444.444.444.444[4500] to 10.1.1.1[4500] (76 bytes)
Jan 17 00:25:06 ip-10-130-68-12 charon: 01[ENC] parsed INFORMATIONAL response
17 [ D ]
Jan 17 00:25:06 ip-10-130-68-12 charon: 01[IKE] received DELETE for ESP
CHILD_SA with SPI 4035b91b
Jan 17 00:25:06 ip-10-130-68-12 charon: 01[IKE] CHILD_SA closed
Jan 17 01:19:21 ip-10-130-68-12 charon: 01[KNL] creating rekey job for ESP
CHILD_SA with SPI cc93153d and reqid {1}
Jan 17 01:19:21 ip-10-130-68-12 charon: 01[IKE] establishing CHILD_SA
ciscoios{1}
Jan 17 01:19:21 ip-10-130-68-12 charon: 01[ENC] generating CREATE_CHILD_SA
request 18 [ N(REKEY_SA) SA No TSi TSr ]
Jan 17 01:19:21 ip-10-130-68-12 charon: 01[NET] sending packet: from
10.1.1.1[4500] to 444.444.444.444[4500] (316 bytes)
Jan 17 01:19:21 ip-10-130-68-12 charon: 10[NET] received packet: from
444.444.444.444[4500] to 10.1.1.1[4500] (236 bytes)
Jan 17 01:19:21 ip-10-130-68-12 charon: 10[ENC] parsed CREATE_CHILD_SA response
18 [ SA No TSi TSr ]
Jan 17 01:19:21 ip-10-130-68-12 charon: 10[IKE] CHILD_SA ciscoios{1}
established with SPIs cf3274e1_i 07b341c3_o and TS 10.1.0.0/16 ===
192.168.0.0/16
Jan 17 01:19:21 ip-10-130-68-12 charon: 10[IKE] closing CHILD_SA ciscoios{1}
with SPIs cc93153d_i (725496 bytes) 2ed9ab1b_o (725496 bytes) and TS
10.1.0.0/16 === 192.168.0.0/16
Jan 17 01:19:21 ip-10-130-68-12 charon: 10[IKE] sending DELETE for ESP CHILD_SA
with SPI cc93153d
Jan 17 01:19:21 ip-10-130-68-12 charon: 10[ENC] generating INFORMATIONAL
request 19 [ D ]
Jan 17 01:19:21 ip-10-130-68-12 charon: 10[NET] sending packet: from
10.1.1.1[4500] to 444.444.444.444[4500] (76 bytes)
Jan 17 01:19:21 ip-10-130-68-12 charon: 08[NET] received packet: from
444.444.444.444[4500] to 10.1.1.1[4500] (76 bytes)
Jan 17 01:19:21 ip-10-130-68-12 charon: 08[ENC] parsed INFORMATIONAL response
19 [ D ]
Jan 17 01:19:21 ip-10-130-68-12 charon: 08[IKE] received DELETE for ESP
CHILD_SA with SPI 2ed9ab1b
Jan 17 01:19:21 ip-10-130-68-12 charon: 08[IKE] CHILD_SA closed
Jan 17 02:14:39 ip-10-130-68-12 charon: 13[KNL] creating rekey job for ESP
CHILD_SA with SPI cf3274e1 and reqid {1}
Jan 17 02:14:39 ip-10-130-68-12 charon: 13[IKE] establishing CHILD_SA
ciscoios{1}
Jan 17 02:14:39 ip-10-130-68-12 charon: 13[ENC] generating CREATE_CHILD_SA
request 20 [ N(REKEY_SA) SA No TSi TSr ]
Jan 17 02:14:39 ip-10-130-68-12 charon: 13[NET] sending packet: from
10.1.1.1[4500] to 444.444.444.444[4500] (316 bytes)
Jan 17 02:14:39 ip-10-130-68-12 charon: 15[NET] received packet: from
444.444.444.444[4500] to 10.1.1.1[4500] (236 bytes)
Jan 17 02:14:39 ip-10-130-68-12 charon: 15[ENC] parsed CREATE_CHILD_SA response
20 [ SA No TSi TSr ]
Jan 17 02:14:39 ip-10-130-68-12 charon: 15[IKE] CHILD_SA ciscoios{1}
established with SPIs c4b2deec_i 6c8ea0a1_o and TS 10.1.0.0/16 ===
192.168.0.0/16
Jan 17 02:14:39 ip-10-130-68-12 charon: 15[IKE] closing CHILD_SA ciscoios{1}
with SPIs cf3274e1_i (739464 bytes) 07b341c3_o (739464 bytes) and TS
10.1.0.0/16 === 192.168.0.0/16
Jan 17 02:14:39 ip-10-130-68-12 charon: 15[IKE] sending DELETE for ESP CHILD_SA
with SPI cf3274e1
Jan 17 02:14:39 ip-10-130-68-12 charon: 15[ENC] generating INFORMATIONAL
request 21 [ D ]
Jan 17 02:14:39 ip-10-130-68-12 charon: 15[NET] sending packet: from
10.1.1.1[4500] to 444.444.444.444[4500] (76 bytes)
Jan 17 02:14:39 ip-10-130-68-12 charon: 14[NET] received packet: from
444.444.444.444[4500] to 10.1.1.1[4500] (76 bytes)
Jan 17 02:14:39 ip-10-130-68-12 charon: 14[ENC] parsed INFORMATIONAL response
21 [ D ]
Jan 17 02:14:39 ip-10-130-68-12 charon: 14[IKE] received DELETE for ESP
CHILD_SA with SPI 07b341c3
Jan 17 02:14:39 ip-10-130-68-12 charon: 14[IKE] CHILD_SA closed
Jan 17 03:10:56 ip-10-130-68-12 charon: 08[KNL] creating rekey job for ESP
CHILD_SA with SPI 6c8ea0a1 and reqid {1}
Jan 17 03:10:56 ip-10-130-68-12 charon: 08[IKE] establishing CHILD_SA
ciscoios{1}
Jan 17 03:10:56 ip-10-130-68-12 charon: 08[ENC] generating CREATE_CHILD_SA
request 22 [ N(REKEY_SA) SA No TSi TSr ]
Jan 17 03:10:56 ip-10-130-68-12 charon: 08[NET] sending packet: from
10.1.1.1[4500] to 444.444.444.444[4500] (316 bytes)
Jan 17 03:10:56 ip-10-130-68-12 charon: 11[NET] received packet: from
444.444.444.444[4500] to 10.1.1.1[4500] (236 bytes)
Jan 17 03:10:56 ip-10-130-68-12 charon: 11[ENC] parsed CREATE_CHILD_SA response
22 [ SA No TSi TSr ]
Jan 17 03:10:56 ip-10-130-68-12 charon: 11[IKE] CHILD_SA ciscoios{1}
established with SPIs ce0a9ed9_i dd0b89a3_o and TS 10.1.0.0/16 ===
192.168.0.0/16
Jan 17 03:10:56 ip-10-130-68-12 charon: 11[IKE] closing CHILD_SA ciscoios{1}
with SPIs c4b2deec_i (752412 bytes) 6c8ea0a1_o (752412 bytes) and TS
10.1.0.0/16 === 192.168.0.0/16
Jan 17 03:10:56 ip-10-130-68-12 charon: 11[IKE] sending DELETE for ESP CHILD_SA
with SPI c4b2deec
Jan 17 03:10:56 ip-10-130-68-12 charon: 11[ENC] generating INFORMATIONAL
request 23 [ D ]
Jan 17 03:10:56 ip-10-130-68-12 charon: 11[NET] sending packet: from
10.1.1.1[4500] to 444.444.444.444[4500] (76 bytes)
Jan 17 03:10:56 ip-10-130-68-12 charon: 13[NET] received packet: from
444.444.444.444[4500] to 10.1.1.1[4500] (76 bytes)
Jan 17 03:10:56 ip-10-130-68-12 charon: 13[ENC] parsed INFORMATIONAL response
23 [ D ]
Jan 17 03:10:56 ip-10-130-68-12 charon: 13[IKE] received DELETE for ESP
CHILD_SA with SPI 6c8ea0a1
Jan 17 03:10:56 ip-10-130-68-12 charon: 13[IKE] CHILD_SA closed
Jan 17 04:06:53 ip-10-130-68-12 charon: 16[KNL] creating rekey job for ESP
CHILD_SA with SPI dd0b89a3 and reqid {1}
Jan 17 04:06:53 ip-10-130-68-12 charon: 16[IKE] establishing CHILD_SA
ciscoios{1}
Jan 17 04:06:53 ip-10-130-68-12 charon: 16[ENC] generating CREATE_CHILD_SA
request 24 [ N(REKEY_SA) SA No TSi TSr ]
Jan 17 04:06:53 ip-10-130-68-12 charon: 16[NET] sending packet: from
10.1.1.1[4500] to 444.444.444.444[4500] (316 bytes)
Jan 17 04:06:53 ip-10-130-68-12 charon: 01[NET] received packet: from
444.444.444.444[4500] to 10.1.1.1[4500] (236 bytes)
Jan 17 04:06:53 ip-10-130-68-12 charon: 01[ENC] parsed CREATE_CHILD_SA response
24 [ SA No TSi TSr ]
Jan 17 04:06:53 ip-10-130-68-12 charon: 01[IKE] CHILD_SA ciscoios{1}
established with SPIs c5c2f3db_i 8e42fe4b_o and TS 10.1.0.0/16 ===
192.168.0.0/16
Jan 17 04:06:53 ip-10-130-68-12 charon: 01[IKE] closing CHILD_SA ciscoios{1}
with SPIs ce0a9ed9_i (748188 bytes) dd0b89a3_o (748188 bytes) and TS
10.1.0.0/16 === 192.168.0.0/16
Jan 17 04:06:53 ip-10-130-68-12 charon: 01[IKE] sending DELETE for ESP CHILD_SA
with SPI ce0a9ed9
Jan 17 04:06:53 ip-10-130-68-12 charon: 01[ENC] generating INFORMATIONAL
request 25 [ D ]
Jan 17 04:06:53 ip-10-130-68-12 charon: 01[NET] sending packet: from
10.1.1.1[4500] to 444.444.444.444[4500] (76 bytes)
Jan 17 04:06:53 ip-10-130-68-12 charon: 09[NET] received packet: from
444.444.444.444[4500] to 10.1.1.1[4500] (76 bytes)
Jan 17 04:06:53 ip-10-130-68-12 charon: 09[ENC] parsed INFORMATIONAL response
25 [ D ]
Jan 17 04:06:53 ip-10-130-68-12 charon: 09[IKE] received DELETE for ESP
CHILD_SA with SPI dd0b89a3
Jan 17 04:06:53 ip-10-130-68-12 charon: 09[IKE] CHILD_SA closed
Jan 17 05:01:55 ip-10-130-68-12 charon: 10[KNL] creating rekey job for ESP
CHILD_SA with SPI 8e42fe4b and reqid {1}
Jan 17 05:01:55 ip-10-130-68-12 charon: 10[IKE] establishing CHILD_SA
ciscoios{1}
Jan 17 05:01:55 ip-10-130-68-12 charon: 10[ENC] generating CREATE_CHILD_SA
request 26 [ N(REKEY_SA) SA No TSi TSr ]
Jan 17 05:01:55 ip-10-130-68-12 charon: 10[NET] sending packet: from
10.1.1.1[4500] to 444.444.444.444[4500] (316 bytes)
Jan 17 05:01:55 ip-10-130-68-12 charon: 03[NET] received packet: from
444.444.444.444[4500] to 10.1.1.1[4500] (236 bytes)
Jan 17 05:01:55 ip-10-130-68-12 charon: 03[ENC] parsed CREATE_CHILD_SA response
26 [ SA No TSi TSr ]
Jan 17 05:01:55 ip-10-130-68-12 charon: 03[IKE] CHILD_SA ciscoios{1}
established with SPIs c7f0085d_i b8d152a9_o and TS 10.1.0.0/16 ===
192.168.0.0/16
Jan 17 05:01:55 ip-10-130-68-12 charon: 03[IKE] closing CHILD_SA ciscoios{1}
with SPIs c5c2f3db_i (735984 bytes) 8e42fe4b_o (735984 bytes) and TS
10.1.0.0/16 === 192.168.0.0/16
Jan 17 05:01:55 ip-10-130-68-12 charon: 03[IKE] sending DELETE for ESP CHILD_SA
with SPI c5c2f3db
Jan 17 05:01:55 ip-10-130-68-12 charon: 03[ENC] generating INFORMATIONAL
request 27 [ D ]
Jan 17 05:01:55 ip-10-130-68-12 charon: 03[NET] sending packet: from
10.1.1.1[4500] to 444.444.444.444[4500] (76 bytes)
Jan 17 05:01:55 ip-10-130-68-12 charon: 11[NET] received packet: from
444.444.444.444[4500] to 10.1.1.1[4500] (76 bytes)
Jan 17 05:01:55 ip-10-130-68-12 charon: 11[ENC] parsed INFORMATIONAL response
27 [ D ]
Jan 17 05:01:55 ip-10-130-68-12 charon: 11[IKE] received DELETE for ESP
CHILD_SA with SPI 8e42fe4b
Jan 17 05:01:55 ip-10-130-68-12 charon: 11[IKE] CHILD_SA closed
Jan 17 05:57:57 ip-10-130-68-12 charon: 14[KNL] creating rekey job for ESP
CHILD_SA with SPI c7f0085d and reqid {1}
Jan 17 05:57:57 ip-10-130-68-12 charon: 14[IKE] establishing CHILD_SA
ciscoios{1}
Jan 17 05:57:57 ip-10-130-68-12 charon: 14[ENC] generating CREATE_CHILD_SA
request 28 [ N(REKEY_SA) SA No TSi TSr ]
Jan 17 05:57:57 ip-10-130-68-12 charon: 14[NET] sending packet: from
10.1.1.1[4500] to 444.444.444.444[4500] (316 bytes)
Jan 17 05:57:57 ip-10-130-68-12 charon: 02[NET] received packet: from
444.444.444.444[4500] to 10.1.1.1[4500] (236 bytes)
Jan 17 05:57:57 ip-10-130-68-12 charon: 02[ENC] parsed CREATE_CHILD_SA response
28 [ SA No TSi TSr ]
Jan 17 05:57:57 ip-10-130-68-12 charon: 02[IKE] CHILD_SA ciscoios{1}
established with SPIs c05b3e0e_i dea2fe4f_o and TS 10.1.0.0/16 ===
192.168.0.0/16
Jan 17 05:57:57 ip-10-130-68-12 charon: 02[IKE] closing CHILD_SA ciscoios{1}
with SPIs c7f0085d_i (749220 bytes) b8d152a9_o (749220 bytes) and TS
10.1.0.0/16 === 192.168.0.0/16
Jan 17 05:57:57 ip-10-130-68-12 charon: 02[IKE] sending DELETE for ESP CHILD_SA
with SPI c7f0085d
Jan 17 05:57:57 ip-10-130-68-12 charon: 02[ENC] generating INFORMATIONAL
request 29 [ D ]
Jan 17 05:57:57 ip-10-130-68-12 charon: 02[NET] sending packet: from
10.1.1.1[4500] to 444.444.444.444[4500] (76 bytes)
Jan 17 05:57:57 ip-10-130-68-12 charon: 01[NET] received packet: from
444.444.444.444[4500] to 10.1.1.1[4500] (76 bytes)
Jan 17 05:57:57 ip-10-130-68-12 charon: 01[ENC] parsed INFORMATIONAL response
29 [ D ]
Jan 17 05:57:57 ip-10-130-68-12 charon: 01[IKE] received DELETE for ESP
CHILD_SA with SPI b8d152a9
Jan 17 05:57:57 ip-10-130-68-12 charon: 01[IKE] CHILD_SA closed
Jan 17 06:52:02 ip-10-130-68-12 charon: 16[KNL] creating rekey job for ESP
CHILD_SA with SPI dea2fe4f and reqid {1}
Jan 17 06:52:02 ip-10-130-68-12 charon: 16[IKE] establishing CHILD_SA
ciscoios{1}
Jan 17 06:52:02 ip-10-130-68-12 charon: 16[ENC] generating CREATE_CHILD_SA
request 30 [ N(REKEY_SA) SA No TSi TSr ]
Jan 17 06:52:02 ip-10-130-68-12 charon: 16[NET] sending packet: from
10.1.1.1[4500] to 444.444.444.444[4500] (316 bytes)
Jan 17 06:52:02 ip-10-130-68-12 charon: 01[NET] received packet: from
444.444.444.444[4500] to 10.1.1.1[4500] (236 bytes)
Jan 17 06:52:02 ip-10-130-68-12 charon: 01[ENC] parsed CREATE_CHILD_SA response
30 [ SA No TSi TSr ]
Jan 17 06:52:02 ip-10-130-68-12 charon: 01[IKE] CHILD_SA ciscoios{1}
established with SPIs c5af6416_i 50941904_o and TS 10.1.0.0/16 ===
192.168.0.0/16
Jan 17 06:52:02 ip-10-130-68-12 charon: 01[IKE] closing CHILD_SA ciscoios{1}
with SPIs c05b3e0e_i (723156 bytes) dea2fe4f_o (723156 bytes) and TS
10.1.0.0/16 === 192.168.0.0/16
Jan 17 06:52:02 ip-10-130-68-12 charon: 01[IKE] sending DELETE for ESP CHILD_SA
with SPI c05b3e0e
Jan 17 06:52:02 ip-10-130-68-12 charon: 01[ENC] generating INFORMATIONAL
request 31 [ D ]
Jan 17 06:52:02 ip-10-130-68-12 charon: 01[NET] sending packet: from
10.1.1.1[4500] to 444.444.444.444[4500] (76 bytes)
Jan 17 06:52:02 ip-10-130-68-12 charon: 09[NET] received packet: from
444.444.444.444[4500] to 10.1.1.1[4500] (76 bytes)
Jan 17 06:52:02 ip-10-130-68-12 charon: 09[ENC] parsed INFORMATIONAL response
31 [ D ]
Jan 17 06:52:02 ip-10-130-68-12 charon: 09[IKE] received DELETE for ESP
CHILD_SA with SPI dea2fe4f
Jan 17 06:52:02 ip-10-130-68-12 charon: 09[IKE] CHILD_SA closed
Jan 17 07:48:02 ip-10-130-68-12 charon: 11[KNL] creating rekey job for ESP
CHILD_SA with SPI c5af6416 and reqid {1}
Jan 17 07:48:02 ip-10-130-68-12 charon: 11[IKE] establishing CHILD_SA
ciscoios{1}
Jan 17 07:48:02 ip-10-130-68-12 charon: 11[ENC] generating CREATE_CHILD_SA
request 32 [ N(REKEY_SA) SA No TSi TSr ]
Jan 17 07:48:02 ip-10-130-68-12 charon: 11[NET] sending packet: from
10.1.1.1[4500] to 444.444.444.444[4500] (316 bytes)
Jan 17 07:48:02 ip-10-130-68-12 charon: 12[NET] received packet: from
444.444.444.444[4500] to 10.1.1.1[4500] (236 bytes)
Jan 17 07:48:02 ip-10-130-68-12 charon: 12[ENC] parsed CREATE_CHILD_SA response
32 [ SA No TSi TSr ]
Jan 17 07:48:02 ip-10-130-68-12 charon: 12[IKE] CHILD_SA ciscoios{1}
established with SPIs c1187d8e_i 166f138c_o and TS 10.1.0.0/16 ===
192.168.0.0/16
Jan 17 07:48:02 ip-10-130-68-12 charon: 12[IKE] closing CHILD_SA ciscoios{1}
with SPIs c5af6416_i (748872 bytes) 50941904_o (748872 bytes) and TS
10.1.0.0/16 === 192.168.0.0/16
Jan 17 07:48:02 ip-10-130-68-12 charon: 12[IKE] sending DELETE for ESP CHILD_SA
with SPI c5af6416
Jan 17 07:48:02 ip-10-130-68-12 charon: 12[ENC] generating INFORMATIONAL
request 33 [ D ]
Jan 17 07:48:02 ip-10-130-68-12 charon: 12[NET] sending packet: from
10.1.1.1[4500] to 444.444.444.444[4500] (76 bytes)
Jan 17 07:48:02 ip-10-130-68-12 charon: 15[NET] received packet: from
444.444.444.444[4500] to 10.1.1.1[4500] (76 bytes)
Jan 17 07:48:02 ip-10-130-68-12 charon: 15[ENC] parsed INFORMATIONAL response
33 [ D ]
Jan 17 07:48:02 ip-10-130-68-12 charon: 15[IKE] received DELETE for ESP
CHILD_SA with SPI 50941904
Jan 17 07:48:02 ip-10-130-68-12 charon: 15[IKE] CHILD_SA closed
Jan 17 08:22:47 ip-10-130-68-12 charon: 12[NET] received packet: from
444.444.444.444[4500] to 10.1.1.1[4500] (76 bytes)
Jan 17 08:22:47 ip-10-130-68-12 charon: 12[ENC] parsed INFORMATIONAL request 0
[ ]
Jan 17 08:22:47 ip-10-130-68-12 charon: 12[ENC] generating INFORMATIONAL
response 0 [ ]
Jan 17 08:22:47 ip-10-130-68-12 charon: 12[NET] sending packet: from
10.1.1.1[4500] to 444.444.444.444[4500] (76 bytes)
Jan 17 08:22:49 ip-10-130-68-12 charon: 15[NET] received packet: from
444.444.444.444[4500] to 10.1.1.1[4500] (76 bytes)
Jan 17 08:22:49 ip-10-130-68-12 charon: 15[ENC] parsed INFORMATIONAL request 0
[ ]
Jan 17 08:22:49 ip-10-130-68-12 charon: 15[IKE] received retransmit of request
with ID 0, retransmitting response
Jan 17 08:22:49 ip-10-130-68-12 charon: 15[NET] sending packet: from
10.1.1.1[4500] to 444.444.444.444[4500] (76 bytes)
Jan 17 08:22:51 ip-10-130-68-12 charon: 14[NET] received packet: from
444.444.444.444[4500] to 10.1.1.1[4500] (76 bytes)
Jan 17 08:22:51 ip-10-130-68-12 charon: 14[ENC] parsed INFORMATIONAL request 0
[ ]
Jan 17 08:22:51 ip-10-130-68-12 charon: 14[IKE] received retransmit of request
with ID 0, retransmitting response
Jan 17 08:22:51 ip-10-130-68-12 charon: 14[NET] sending packet: from
10.1.1.1[4500] to 444.444.444.444[4500] (76 bytes)
Jan 17 08:22:53 ip-10-130-68-12 charon: 16[NET] received packet: from
444.444.444.444[4500] to 10.1.1.1[4500] (76 bytes)
Jan 17 08:22:53 ip-10-130-68-12 charon: 16[ENC] parsed INFORMATIONAL request 0
[ ]
Jan 17 08:22:53 ip-10-130-68-12 charon: 16[IKE] received retransmit of request
with ID 0, retransmitting response
Jan 17 08:22:53 ip-10-130-68-12 charon: 16[NET] sending packet: from
10.1.1.1[4500] to 444.444.444.444[4500] (76 bytes)
Jan 17 08:22:55 ip-10-130-68-12 charon: 01[NET] received packet: from
444.444.444.444[4500] to 10.1.1.1[4500] (76 bytes)
Jan 17 08:22:55 ip-10-130-68-12 charon: 01[ENC] parsed INFORMATIONAL request 0
[ ]
Jan 17 08:22:55 ip-10-130-68-12 charon: 01[IKE] received retransmit of request
with ID 0, retransmitting response
Jan 17 08:22:55 ip-10-130-68-12 charon: 01[NET] sending packet: from
10.1.1.1[4500] to 444.444.444.444[4500] (76 bytes)
Jan 17 08:22:57 ip-10-130-68-12 charon: 09[NET] received packet: from
444.444.444.444[4500] to 10.1.1.1[4500] (76 bytes)
Jan 17 08:22:57 ip-10-130-68-12 charon: 09[ENC] parsed INFORMATIONAL request 0
[ ]
Jan 17 08:22:57 ip-10-130-68-12 charon: 09[IKE] received retransmit of request
with ID 0, retransmitting response
Jan 17 08:22:57 ip-10-130-68-12 charon: 09[NET] sending packet: from
10.1.1.1[4500] to 444.444.444.444[4500] (76 bytes)
Jan 17 08:22:59 ip-10-130-68-12 charon: 10[NET] received packet: from
444.444.444.444[4500] to 10.1.1.1[4500] (76 bytes)
Jan 17 08:22:59 ip-10-130-68-12 charon: 10[ENC] parsed INFORMATIONAL request 0
[ ]
Jan 17 08:22:59 ip-10-130-68-12 charon: 10[IKE] received retransmit of request
with ID 0, retransmitting response
Jan 17 08:22:59 ip-10-130-68-12 charon: 10[NET] sending packet: from
10.1.1.1[4500] to 444.444.444.444[4500] (76 bytes)
Jan 17 08:42:17 ip-10-130-68-12 charon: 02[KNL] creating rekey job for ESP
CHILD_SA with SPI c1187d8e and reqid {1}
Jan 17 08:42:17 ip-10-130-68-12 charon: 02[IKE] establishing CHILD_SA
ciscoios{1}
Jan 17 08:42:17 ip-10-130-68-12 charon: 02[ENC] generating CREATE_CHILD_SA
request 34 [ N(REKEY_SA) SA No TSi TSr ]
Jan 17 08:42:17 ip-10-130-68-12 charon: 02[NET] sending packet: from
10.1.1.1[4500] to 444.444.444.444[4500] (316 bytes)
Jan 17 08:42:21 ip-10-130-68-12 charon: 10[IKE] retransmit 1 of request with
message ID 34
Jan 17 08:42:21 ip-10-130-68-12 charon: 10[NET] sending packet: from
10.1.1.1[4500] to 444.444.444.444[4500] (316 bytes)
Jan 17 08:42:28 ip-10-130-68-12 charon: 08[IKE] retransmit 2 of request with
message ID 34
Jan 17 08:42:28 ip-10-130-68-12 charon: 08[NET] sending packet: from
10.1.1.1[4500] to 444.444.444.444[4500] (316 bytes)
Jan 17 08:42:33 ip-10-130-68-12 charon: 03[KNL] creating rekey job for ESP
CHILD_SA with SPI 166f138c and reqid {1}
Jan 17 08:42:41 ip-10-130-68-12 charon: 12[IKE] retransmit 3 of request with
message ID 34
Jan 17 08:42:41 ip-10-130-68-12 charon: 12[NET] sending packet: from
10.1.1.1[4500] to 444.444.444.444[4500] (316 bytes)
Jan 17 08:43:05 ip-10-130-68-12 charon: 16[IKE] retransmit 4 of request with
message ID 34
Jan 17 08:43:05 ip-10-130-68-12 charon: 16[NET] sending packet: from
10.1.1.1[4500] to 444.444.444.444[4500] (316 bytes)
Jan 17 08:43:47 ip-10-130-68-12 charon: 10[IKE] retransmit 5 of request with
message ID 34
Jan 17 08:43:47 ip-10-130-68-12 charon: 10[NET] sending packet: from
10.1.1.1[4500] to 444.444.444.444[4500] (316 bytes)
Jan 17 08:45:02 ip-10-130-68-12 charon: 14[KNL] creating delete job for ESP
CHILD_SA with SPI c4c0d45b and reqid {1}
Jan 17 08:45:02 ip-10-130-68-12 charon: 02[IKE] giving up after 5 retransmits
Jan 17 08:45:02 ip-10-130-68-12 vpn: - 444.444.444.444 192.168.0.0/16 ==
444.444.444.444 -- 10.1.1.1 == 10.1.0.0/16
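
Added example (not part of the original post and not strongSwan code): a small Python parser for a charon syslog like the one attached above. It rejoins the mail-wrapped lines and reports the last successful CHILD_SA rekey, the retransmits received from the peer per message ID, and the point where charon gave up. The sample log is constructed in the same layout, the year is an assumption (syslog timestamps carry none), and the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample in the same mail-wrapped layout as the attached log.
# Host name "gw" and peer 192.0.2.1 are placeholders, not values from the post.
SAMPLE = """\
Jan 17 07:48:02 gw charon: 11[KNL] creating rekey job for ESP
CHILD_SA with SPI c5af6416 and reqid {1}
Jan 17 07:48:02 gw charon: 12[IKE] CHILD_SA ciscoios{1}
established with SPIs c1187d8e_i 166f138c_o and TS 10.1.0.0/16 ===
192.168.0.0/16
Jan 17 08:22:49 gw charon: 15[IKE] received retransmit of request
with ID 0, retransmitting response
Jan 17 08:22:51 gw charon: 14[IKE] received retransmit of request
with ID 0, retransmitting response
Jan 17 08:42:17 gw charon: 02[ENC] generating CREATE_CHILD_SA
request 34 [ N(REKEY_SA) SA No TSi TSr ]
Jan 17 08:42:21 gw charon: 10[IKE] retransmit 1 of request with
message ID 34
Jan 17 08:45:02 gw charon: 02[IKE] giving up after 5 retransmits
Jan 17 08:45:02 gw vpn: - 192.0.2.1 192.168.0.0/16 ==
192.0.2.1 -- 10.1.1.1 == 10.1.0.0/16
"""

# Start of a syslog record: "Mon DD HH:MM:SS host program: message"
RECORD = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ ([\w-]+): (.*)$")

# charon messages of interest, matched against the rejoined record text.
EVENTS = [
    ("child_established",
     re.compile(r"CHILD_SA \S+ established with SPIs ([0-9a-f]+)_i ([0-9a-f]+)_o")),
    ("peer_retransmit",
     re.compile(r"received retransmit of request with ID (\d+)")),
    ("local_retransmit",
     re.compile(r"retransmit (\d+) of request with message ID (\d+)")),
    ("gave_up", re.compile(r"giving up after (\d+) retransmits")),
]


def unwrap(text):
    """Join wrapped continuation lines back onto the record they belong to."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            records.append([m.group(1), m.group(2), m.group(3)])
        elif records and line.strip():
            records[-1][2] += " " + line.strip()
    return [tuple(r) for r in records]


def timeline(text, year=2015):
    """Return (datetime, kind, groups) for each charon event of interest.

    `year` is an assumption supplied by the caller; syslog omits it.
    """
    events = []
    for stamp, program, message in unwrap(text):
        if program != "charon":
            continue  # skip updown-script or other daemons' lines
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        for kind, pattern in EVENTS:
            m = pattern.search(message)
            if m:
                events.append((when, kind, m.groups()))
                break
    return events


def summarize(events):
    """Condense the timeline into the facts needed to date an outage."""
    established = [w for w, k, _ in events if k == "child_established"]
    gave_up = [w for w, k, _ in events if k == "gave_up"]
    peer = {}
    for _, kind, groups in events:
        if kind == "peer_retransmit":
            peer[int(groups[0])] = peer.get(int(groups[0]), 0) + 1
    return {
        "last_rekey_ok": established[-1] if established else None,
        "rekey_gaps_s": [int((b - a).total_seconds())
                         for a, b in zip(established, established[1:])],
        "peer_retransmits_by_id": peer,
        "local_retransmits": sum(1 for _, k, _ in events if k == "local_retransmit"),
        "gave_up_at": gave_up[0] if gave_up else None,
    }


if __name__ == "__main__":
    for key, value in summarize(timeline(SAMPLE)).items():
        print(f"{key}: {value}")
```
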
