This is the problem:

Apr 24 17:21:43 accel charon: 10[IKE] deleting duplicate IKE_SA for peer 'actmobile' due to uniqueness policy

Look for config option "uniqueids" here: https://wiki.strongswan.org/projects/strongswan/wiki/ConfigSetupSection

M.

Miroslav Svoboda | +420 608 224 486

On 24 April 2015 at 19:23, Andrew Foss <[email protected]> wrote:
> Is this better?
>
> *** first device connects*****
>
> Apr 24 17:21:31 accel charon: 06[NET] received packet: from > 166.170.42.208[36359] to 10.199.65.236[500] > Apr 24 17:21:31 accel charon: 06[NET] waiting for data on sockets > Apr 24 17:21:31 accel charon: 13[NET] received packet: from > 166.170.42.208[36359] to 10.199.65.236[500] (668 bytes) > Apr 24 17:21:31 accel charon: 13[CFG] looking for an ike config for > 10.199.65.236...166.170.42.208 > Apr 24 17:21:31 accel charon: 13[CFG] candidate: %any...%any, prio 28 > Apr 24 17:21:31 accel charon: 13[CFG] found matching ike config: > %any...%any with prio 28 > Apr 24 17:21:31 accel charon: 13[IKE] received NAT-T (RFC 3947) vendor ID > Apr 24 17:21:31 accel charon: 13[IKE] received draft-ietf-ipsec-nat-t-ike > vendor ID > Apr 24 17:21:31 accel charon: 13[IKE] received > draft-ietf-ipsec-nat-t-ike-08 vendor ID > Apr 24 17:21:31 accel charon: 13[IKE] received > draft-ietf-ipsec-nat-t-ike-07 vendor ID > Apr 24 17:21:31 accel charon: 13[IKE] received > draft-ietf-ipsec-nat-t-ike-06 vendor ID > Apr 24 17:21:31 accel charon: 13[IKE] received > draft-ietf-ipsec-nat-t-ike-05 vendor ID > Apr 24 17:21:31 accel charon: 13[IKE] received > draft-ietf-ipsec-nat-t-ike-04 vendor ID > Apr 24 17:21:31 accel charon: 13[IKE] received > draft-ietf-ipsec-nat-t-ike-03 vendor ID > Apr 24 17:21:31 accel charon: 13[IKE] received > draft-ietf-ipsec-nat-t-ike-02 vendor ID > Apr 24 17:21:31 accel charon: 13[IKE] received > draft-ietf-ipsec-nat-t-ike-02\n vendor ID > Apr 24 17:21:31 accel charon: 13[IKE] received XAuth vendor ID > Apr 24 17:21:31 accel charon: 13[IKE] received Cisco Unity vendor ID > Apr 24 17:21:31 accel charon: 13[IKE] received FRAGMENTATION vendor ID > Apr 24 17:21:31 accel charon: 13[IKE] received DPD 
vendor ID > Apr 24 17:21:31 accel charon: 13[IKE] 166.170.42.208 is initiating a Main > Mode IKE_SA > Apr 24 17:21:31 accel charon: 13[IKE] IKE_SA (unnamed)[3] state change: > CREATED => CONNECTING > Apr 24 17:21:31 accel charon: 13[CFG] selecting proposal: > Apr 24 17:21:31 accel charon: 13[CFG] no acceptable ENCRYPTION_ALGORITHM > found > Apr 24 17:21:31 accel charon: 13[CFG] selecting proposal: > Apr 24 17:21:31 accel charon: 13[CFG] no acceptable ENCRYPTION_ALGORITHM > found > Apr 24 17:21:31 accel charon: 13[CFG] selecting proposal: > Apr 24 17:21:31 accel charon: 13[CFG] no acceptable DIFFIE_HELLMAN_GROUP > found > Apr 24 17:21:31 accel charon: 13[CFG] selecting proposal: > Apr 24 17:21:31 accel charon: 13[CFG] no acceptable ENCRYPTION_ALGORITHM > found > Apr 24 17:21:31 accel charon: 13[CFG] selecting proposal: > Apr 24 17:21:31 accel charon: 13[CFG] no acceptable ENCRYPTION_ALGORITHM > found > Apr 24 17:21:31 accel charon: 13[CFG] selecting proposal: > Apr 24 17:21:31 accel charon: 13[CFG] no acceptable > PSEUDO_RANDOM_FUNCTION found > Apr 24 17:21:31 accel charon: 13[CFG] selecting proposal: > Apr 24 17:21:31 accel charon: 13[CFG] no acceptable ENCRYPTION_ALGORITHM > found > Apr 24 17:21:31 accel charon: 13[CFG] selecting proposal: > Apr 24 17:21:31 accel charon: 13[CFG] no acceptable ENCRYPTION_ALGORITHM > found > Apr 24 17:21:31 accel charon: 13[CFG] selecting proposal: > Apr 24 17:21:31 accel charon: 13[CFG] no acceptable ENCRYPTION_ALGORITHM > found > Apr 24 17:21:31 accel charon: 13[CFG] selecting proposal: > Apr 24 17:21:31 accel charon: 13[CFG] no acceptable ENCRYPTION_ALGORITHM > found > Apr 24 17:21:31 accel charon: 13[CFG] selecting proposal: > Apr 24 17:21:31 accel charon: 13[CFG] no acceptable ENCRYPTION_ALGORITHM > found > Apr 24 17:21:31 accel charon: 13[CFG] selecting proposal: > Apr 24 17:21:31 accel charon: 13[CFG] no acceptable ENCRYPTION_ALGORITHM > found > Apr 24 17:21:31 accel charon: 13[CFG] selecting proposal: > Apr 24 17:21:31 accel 
charon: 13[CFG] no acceptable ENCRYPTION_ALGORITHM > found > Apr 24 17:21:31 accel charon: 13[CFG] selecting proposal: > Apr 24 17:21:31 accel charon: 13[CFG] no acceptable ENCRYPTION_ALGORITHM > found > Apr 24 17:21:31 accel charon: 13[CFG] selecting proposal: > Apr 24 17:21:31 accel charon: 13[CFG] no acceptable ENCRYPTION_ALGORITHM > found > Apr 24 17:21:31 accel charon: 13[CFG] selecting proposal: > Apr 24 17:21:31 accel charon: 13[CFG] no acceptable ENCRYPTION_ALGORITHM > found > Apr 24 17:21:31 accel charon: 13[CFG] selecting proposal: > Apr 24 17:21:31 accel charon: 13[CFG] no acceptable DIFFIE_HELLMAN_GROUP > found > Apr 24 17:21:31 accel charon: 13[CFG] selecting proposal: > Apr 24 17:21:31 accel charon: 13[CFG] no acceptable > PSEUDO_RANDOM_FUNCTION found > Apr 24 17:21:31 accel charon: 13[CFG] selecting proposal: > Apr 24 17:21:31 accel charon: 13[CFG] no acceptable ENCRYPTION_ALGORITHM > found > Apr 24 17:21:31 accel charon: 13[CFG] selecting proposal: > Apr 24 17:21:31 accel charon: 13[CFG] no acceptable ENCRYPTION_ALGORITHM > found > Apr 24 17:21:31 accel charon: 13[CFG] selecting proposal: > Apr 24 17:21:31 accel charon: 13[CFG] proposal matches > Apr 24 17:21:31 accel charon: 13[CFG] received proposals: > IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, > IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, > IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, > IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536, > IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, > IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, > IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, > IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, > IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, > IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024 > Apr 24 17:21:31 accel charon: 13[CFG] configured proposals: > IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, > IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, > 
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/HMAC_MD5_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160 > Apr 24 17:21:31 accel charon: 13[CFG] selected proposal: > IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536 > Apr 24 17:21:31 accel charon: 13[IKE] sending XAuth vendor ID > Apr 24 17:21:31 accel charon: 13[IKE] sending DPD vendor ID > Apr 24 17:21:31 accel charon: 13[IKE] sending FRAGMENTATION vendor ID > Apr 24 17:21:31 accel charon: 13[IKE] sending NAT-T (RFC 3947) vendor ID > Apr 24 17:21:31 accel charon: 13[NET] sending packet: from > 10.199.65.236[500] to 166.170.42.208[36359] (160 bytes) > Apr 24 17:21:31 accel charon: 07[NET] sending packet: from > 10.199.65.236[500] to 166.170.42.208[36359] > Apr 24 17:21:31 accel charon: 06[NET] received packet: from > 166.170.42.208[36359] to 10.199.65.236[500] > Apr 24 17:21:31 accel charon: 06[NET] waiting for data on sockets > Apr 24 17:21:31 accel charon: 14[NET] received packet: from > 166.170.42.208[36359] to 10.199.65.236[500] (292 bytes) > Apr 24 17:21:31 accel charon: 14[LIB] size of DH secret exponent: 1535 bits > Apr 24 17:21:31 accel charon: 14[IKE] local host is behind NAT, sending > keep alives > Apr 24 17:21:31 accel charon: 14[IKE] remote host is behind NAT > Apr 24 17:21:31 accel charon: 14[IKE] sending cert request for "C=US, > ST=California, L=New York, O=Internet Widgits Pty Ltd, OU=ActMobile, CN= > ipsec.corp.actmobile.com, [email protected]" > Apr 24 17:21:31 charon: last message repeated 2 times > Apr 24 17:21:31 accel charon: 14[NET] sending packet: from > 10.199.65.236[500] to 166.170.42.208[36359] (548 bytes) > Apr 24 17:21:31 accel charon: 14[NET] sending packet: from > 10.199.65.236[500] to 166.170.42.208[36359] (399 bytes) > 
Apr 24 17:21:31 accel charon: 07[NET] sending packet: from > 10.199.65.236[500] to 166.170.42.208[36359] > Apr 24 17:21:31 accel charon: 07[NET] sending packet: from > 10.199.65.236[500] to 166.170.42.208[36359] > Apr 24 17:21:31 accel charon: 06[NET] received packet: from > 166.170.42.208[64139] to 10.199.65.236[4500] > Apr 24 17:21:31 accel charon: 06[NET] waiting for data on sockets > Apr 24 17:21:31 accel charon: 06[NET] received packet: from > 166.170.42.208[64139] to 10.199.65.236[4500] > Apr 24 17:21:31 accel charon: 06[NET] waiting for data on sockets > Apr 24 17:21:31 accel charon: 15[NET] received packet: from > 166.170.42.208[64139] to 10.199.65.236[4500] (1280 bytes) > Apr 24 17:21:31 accel charon: 15[NET] received packet: from > 166.170.42.208[64139] to 10.199.65.236[4500] (164 bytes) > Apr 24 17:21:31 accel charon: 15[NET] received packet: from > 166.170.42.208[64139] to 10.199.65.236[4500] (1372 bytes) > Apr 24 17:21:31 accel charon: 15[IKE] ignoring certificate request without > data > Apr 24 17:21:31 accel charon: 15[IKE] received end entity cert "C=US, > O=strongSwan, CN=IDE-B1DA-3355-4C89-BA98-A580BD513292" > Apr 24 17:21:31 accel charon: 15[CFG] looking for XAuthInitRSA peer > configs matching 10.199.65.236...166.170.42.208[C=US, O=strongSwan, > CN=IDE-B1DA-3355-4C89-BA98-A580BD513292] > Apr 24 17:21:31 accel charon: 15[CFG] candidate "ios", match: 1/1/28 > (me/other/ike) > Apr 24 17:21:31 accel charon: 15[CFG] selected peer config "ios" > Apr 24 17:21:31 accel charon: 15[CFG] using certificate "C=US, > O=strongSwan, CN=IDE-B1DA-3355-4C89-BA98-A580BD513292" > Apr 24 17:21:31 accel charon: 15[CFG] certificate "C=US, O=strongSwan, > CN=IDE-B1DA-3355-4C89-BA98-A580BD513292" key: 2048 bit RSA > Apr 24 17:21:31 accel charon: 15[CFG] using trusted ca certificate > "C=US, ST=California, L=New York, O=Internet Widgits Pty Ltd, OU=ActMobile, > CN=ipsec.corp.actmobile.com, [email protected]" > Apr 24 17:21:31 accel charon: 15[CFG] checking certificate 
status of > "C=US, O=strongSwan, CN=IDE-B1DA-3355-4C89-BA98-A580BD513292" > Apr 24 17:21:31 accel charon: 15[CFG] ocsp check skipped, no ocsp found > Apr 24 17:21:31 accel charon: 15[CFG] certificate status is not available > Apr 24 17:21:31 accel charon: 15[CFG] certificate "C=US, ST=California, > L=New York, O=Internet Widgits Pty Ltd, OU=ActMobile, CN= > ipsec.corp.actmobile.com, [email protected]" key: 2048 bit RSA > Apr 24 17:21:31 accel charon: 15[CFG] reached self-signed root ca with a > path length of 0 > Apr 24 17:21:31 accel charon: 15[IKE] authentication of 'C=US, > O=strongSwan, CN=IDE-B1DA-3355-4C89-BA98-A580BD513292' with RSA successful > Apr 24 17:21:31 accel charon: 15[IKE] authentication of 'C=US, > ST=California, L=New York, O=Internet Widgits Pty Ltd, OU=ActMobile, CN= > ipsec.corp.actmobile.com, [email protected]' (myself) successful > Apr 24 17:21:31 accel charon: 15[IKE] queueing XAUTH task > Apr 24 17:21:31 accel charon: 15[IKE] sending end entity cert "C=US, > ST=California, L=New York, O=Internet Widgits Pty Ltd, OU=ActMobile, CN= > ipsec.corp.actmobile.com, [email protected]" > Apr 24 17:21:31 accel charon: 15[NET] sending packet: from > 10.199.65.236[4500] to 166.170.42.208[64139] (544 bytes) > Apr 24 17:21:31 accel charon: 07[NET] sending packet: from > 10.199.65.236[4500] to 166.170.42.208[64139] > Apr 24 17:21:31 accel charon: 15[NET] sending packet: from > 10.199.65.236[4500] to 166.170.42.208[64139] (544 bytes) > Apr 24 17:21:31 accel charon: 07[NET] sending packet: from > 10.199.65.236[4500] to 166.170.42.208[64139] > Apr 24 17:21:31 accel charon: 15[NET] sending packet: from > 10.199.65.236[4500] to 166.170.42.208[64139] (544 bytes) > Apr 24 17:21:31 accel charon: 07[NET] sending packet: from > 10.199.65.236[4500] to 166.170.42.208[64139] > Apr 24 17:21:31 accel charon: 15[NET] sending packet: from > 10.199.65.236[4500] to 166.170.42.208[64139] (92 bytes) > Apr 24 17:21:31 accel charon: 07[NET] sending packet: from > 
10.199.65.236[4500] to 166.170.42.208[64139] > Apr 24 17:21:31 accel charon: 15[IKE] activating new tasks > Apr 24 17:21:31 accel charon: 15[IKE] activating XAUTH task > Apr 24 17:21:31 accel charon: 15[NET] sending packet: from > 10.199.65.236[4500] to 166.170.42.208[64139] (76 bytes) > Apr 24 17:21:31 accel rsyslogd-2177: imuxsock begins to drop messages from > pid 14031 due to rate-limiting > Apr 24 17:21:32 accel rsyslogd-2177: imuxsock lost 12 messages from pid > 14031 due to rate-limiting > Apr 24 17:21:32 accel charon: 06[NET] received packet: from > 166.170.42.208[64139] to 10.199.65.236[4500] > Apr 24 17:21:32 accel charon: 06[NET] waiting for data on sockets > Apr 24 17:21:32 accel charon: 06[NET] received packet: from > 166.170.42.208[64139] to 10.199.65.236[4500] > Apr 24 17:21:32 accel charon: 06[NET] waiting for data on sockets > Apr 24 17:21:32 accel charon: 03[NET] received packet: from > 166.170.42.208[64139] to 10.199.65.236[4500] (76 bytes) > Apr 24 17:21:32 accel charon: 03[IKE] IKE_SA ios[3] established between > 10.199.65.236[C=US, ST=California, L=New York, O=Internet Widgits Pty Ltd, > OU=ActMobile, CN=ipsec.corp.actmobile.com, > [email protected]]...166.170.42.208[C=US, > O=strongSwan, CN=IDE-B1DA-3355-4C89-BA98-A580BD513292] > Apr 24 17:21:32 accel charon: 03[IKE] IKE_SA ios[3] state change: > CONNECTING => ESTABLISHED > Apr 24 17:21:32 accel charon: 03[IKE] activating new tasks > Apr 24 17:21:32 accel charon: 03[IKE] nothing to initiate > Apr 24 17:21:32 accel charon: 08[NET] received packet: from > 166.170.42.208[64139] to 10.199.65.236[4500] (172 bytes) > Apr 24 17:21:32 accel charon: 08[IKE] processing INTERNAL_IP4_ADDRESS > attribute > Apr 24 17:21:32 accel charon: 08[IKE] processing INTERNAL_IP4_NETMASK > attribute > Apr 24 17:21:32 accel charon: 08[IKE] processing INTERNAL_IP4_DNS attribute > Apr 24 17:21:32 accel charon: 08[IKE] processing INTERNAL_IP4_NBNS > attribute > Apr 24 17:21:32 accel charon: 08[IKE] processing 
INTERNAL_ADDRESS_EXPIRY > attribute > Apr 24 17:21:32 accel charon: 08[IKE] processing APPLICATION_VERSION > attribute > Apr 24 17:21:32 accel charon: 08[IKE] processing UNITY_BANNER attribute > Apr 24 17:21:32 accel charon: 08[IKE] processing UNITY_DEF_DOMAIN attribute > Apr 24 17:21:32 accel charon: 08[IKE] processing UNITY_SPLITDNS_NAME > attribute > Apr 24 17:21:32 accel charon: 08[IKE] processing UNITY_SPLIT_INCLUDE > attribute > Apr 24 17:21:32 accel charon: 08[IKE] processing UNITY_LOCAL_LAN attribute > Apr 24 17:21:32 accel charon: 08[IKE] processing UNITY_PFS attribute > Apr 24 17:21:32 accel charon: 08[IKE] processing UNITY_SAVE_PASSWD > attribute > Apr 24 17:21:32 accel charon: 08[IKE] processing UNITY_FW_TYPE attribute > Apr 24 17:21:32 accel charon: 08[IKE] processing UNITY_BACKUP_SERVERS > attribute > Apr 24 17:21:32 accel charon: 08[IKE] processing (28683) attribute > Apr 24 17:21:32 accel charon: 08[IKE] peer requested virtual IP %any > Apr 24 17:21:32 accel charon: 08[CFG] reassigning offline lease to > 'actmobile' > Apr 24 17:21:32 accel charon: 08[IKE] assigning virtual IP 10.254.0.1 to > peer 'actmobile' > Apr 24 17:21:32 accel charon: 08[NET] sending packet: from > 10.199.65.236[4500] to 166.170.42.208[64139] (92 bytes) > Apr 24 17:21:32 accel charon: 07[NET] sending packet: from > 10.199.65.236[4500] to 166.170.42.208[64139] > Apr 24 17:21:32 accel charon: 06[NET] received packet: from > 166.170.42.208[64139] to 10.199.65.236[4500] > Apr 24 17:21:32 accel charon: 06[NET] waiting for data on sockets > Apr 24 17:21:32 accel charon: 10[NET] received packet: from > 166.170.42.208[64139] to 10.199.65.236[4500] (300 bytes) > Apr 24 17:21:32 accel charon: 10[CFG] looking for a child config for > 0.0.0.0/0 === 10.254.0.1/32 > Apr 24 17:21:32 accel charon: 10[CFG] proposing traffic selectors for us: > Apr 24 17:21:32 accel charon: 10[CFG] 0.0.0.0/0 > Apr 24 17:21:32 accel charon: 10[CFG] proposing traffic selectors for > other: > Apr 24 17:21:32 accel 
charon: 10[CFG] 10.254.0.1/32 > Apr 24 17:21:32 accel charon: 10[CFG] candidate "ios" with prio 5+5 > Apr 24 17:21:32 accel charon: 10[CFG] found matching child config "ios" > with prio 10 > Apr 24 17:21:32 accel charon: 10[CFG] selecting traffic selectors for > other: > Apr 24 17:21:32 accel charon: 10[CFG] config: 10.254.0.1/32, received: > 10.254.0.1/32 => match: 10.254.0.1/32 > Apr 24 17:21:32 accel charon: 10[CFG] selecting traffic selectors for us: > Apr 24 17:21:32 accel charon: 10[CFG] config: 0.0.0.0/0, received: > 0.0.0.0/0 => match: 0.0.0.0/0 > Apr 24 17:21:32 accel charon: 10[IKE] expected IPComp proposal but peer > did not send one, IPComp disabled > Apr 24 17:21:32 accel charon: 10[CFG] selecting proposal: > Apr 24 17:21:32 accel charon: 10[CFG] no acceptable ENCRYPTION_ALGORITHM > found > Apr 24 17:21:32 accel charon: 10[CFG] selecting proposal: > Apr 24 17:21:32 accel charon: 10[CFG] no acceptable ENCRYPTION_ALGORITHM > found > Apr 24 17:21:32 accel charon: 10[CFG] selecting proposal: > Apr 24 17:21:32 accel charon: 10[CFG] proposal matches > Apr 24 17:21:32 accel charon: 10[CFG] received proposals: > ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, > ESP:AES_CBC_256/HMAC_MD5_96/NO_EXT_SEQ, > ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, > ESP:AES_CBC_128/HMAC_MD5_96/NO_EXT_SEQ, > ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ > Apr 24 17:21:32 accel charon: 10[CFG] configured proposals: > ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, > ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, > ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ > Apr 24 17:21:32 accel charon: 10[CFG] selected proposal: > ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ > Apr 24 17:21:32 accel charon: 10[IKE] received 3600s lifetime, configured > 0s > Apr 24 17:21:32 accel charon: 10[KNL] got SPI cdc2e52a > Apr 24 17:21:32 accel charon: 10[NET] sending packet: from > 10.199.65.236[4500] to 166.170.42.208[64139] (172 bytes) 
> Apr 24 17:21:32 accel charon: 07[NET] sending packet: from > 10.199.65.236[4500] to 166.170.42.208[64139] > Apr 24 17:21:32 accel charon: 06[NET] received packet: from > 166.170.42.208[64139] to 10.199.65.236[4500] > Apr 24 17:21:32 accel charon: 06[NET] waiting for data on sockets > Apr 24 17:21:32 accel charon: 11[NET] received packet: from > 166.170.42.208[64139] to 10.199.65.236[4500] (60 bytes) > Apr 24 17:21:32 accel charon: 11[CHD] using AES_CBC for encryption > Apr 24 17:21:32 accel charon: 11[CHD] using HMAC_SHA1_96 for integrity > Apr 24 17:21:32 accel charon: 11[CHD] adding inbound ESP SA > Apr 24 17:21:32 accel charon: 11[CHD] SPI 0xcdc2e52a, src 166.170.42.208 > dst 10.199.65.236 > Apr 24 17:21:32 accel charon: 11[KNL] adding SAD entry with SPI cdc2e52a > and reqid {2} (mark 0/0x00000000) > Apr 24 17:21:32 accel charon: 11[KNL] using encryption algorithm AES_CBC > with key size 128 > Apr 24 17:21:32 accel charon: 11[KNL] using integrity algorithm > HMAC_SHA1_96 with key size 160 > Apr 24 17:21:32 accel charon: 11[KNL] using replay window of 32 packets > Apr 24 17:21:32 accel charon: 11[CHD] adding outbound ESP SA > Apr 24 17:21:32 accel charon: 11[CHD] SPI 0x0d6bbaab, src 10.199.65.236 > dst 166.170.42.208 > Apr 24 17:21:32 accel charon: 11[KNL] adding SAD entry with SPI 0d6bbaab > and reqid {2} (mark 0/0x00000000) > Apr 24 17:21:32 accel charon: 11[KNL] using encryption algorithm AES_CBC > with key size 128 > Apr 24 17:21:32 accel charon: 11[KNL] using integrity algorithm > HMAC_SHA1_96 with key size 160 > Apr 24 17:21:32 accel charon: 11[KNL] using replay window of 32 packets > Apr 24 17:21:32 accel charon: 11[KNL] adding policy 0.0.0.0/0 === > 10.254.0.1/32 out (mark 0/0x00000000) > Apr 24 17:21:32 accel charon: 11[KNL] adding policy 10.254.0.1/32 === > 0.0.0.0/0 in (mark 0/0x00000000) > Apr 24 17:21:32 accel charon: 11[KNL] adding policy 10.254.0.1/32 === > 0.0.0.0/0 fwd (mark 0/0x00000000) > Apr 24 17:21:32 accel charon: 11[KNL] getting a local 
address in traffic > selector 0.0.0.0/0 > Apr 24 17:21:32 accel charon: 11[KNL] using host %any > Apr 24 17:21:32 accel charon: 11[KNL] using 10.199.65.193 as nexthop to > reach 166.170.42.208/32 > Apr 24 17:21:32 accel charon: 11[KNL] 10.199.65.236 is on interface eth0 > Apr 24 17:21:32 accel charon: 11[KNL] installing route: 10.254.0.1/32 via > 10.199.65.193 src %any dev eth0 > Apr 24 17:21:32 accel charon: 11[KNL] getting iface index for eth0 > Apr 24 17:21:32 accel charon: 11[KNL] policy 0.0.0.0/0 === 10.254.0.1/32 > out (mark 0/0x00000000) already exists, increasing refcount > Apr 24 17:21:32 accel charon: 11[KNL] updating policy 0.0.0.0/0 === > 10.254.0.1/32 out (mark 0/0x00000000) > Apr 24 17:21:32 accel charon: 11[KNL] policy 10.254.0.1/32 === 0.0.0.0/0 > in (mark 0/0x00000000) already exists, increasing refcount > Apr 24 17:21:32 accel charon: 11[KNL] updating policy 10.254.0.1/32 === > 0.0.0.0/0 in (mark 0/0x00000000) > Apr 24 17:21:32 accel charon: 11[KNL] policy 10.254.0.1/32 === 0.0.0.0/0 > fwd (mark 0/0x00000000) already exists, increasing refcount > Apr 24 17:21:32 accel charon: 11[KNL] updating policy 10.254.0.1/32 === > 0.0.0.0/0 fwd (mark 0/0x00000000) > Apr 24 17:21:32 accel charon: 11[KNL] getting a local address in traffic > selector 0.0.0.0/0 > Apr 24 17:21:32 accel charon: 11[KNL] using host %any > Apr 24 17:21:32 accel charon: 11[KNL] using 10.199.65.193 as nexthop to > reach 166.170.42.208/32 > Apr 24 17:21:32 accel charon: 11[KNL] 10.199.65.236 is on interface eth0 > Apr 24 17:21:32 accel charon: 11[IKE] CHILD_SA ios{2} established with > SPIs cdc2e52a_i 0d6bbaab_o and TS 0.0.0.0/0 === 10.254.0.1/32 > Apr 24 17:21:32 accel charon: 11[KNL] 10.199.65.236 is on interface eth0 > Apr 24 17:21:32 accel charon: 11[KNL] querying SAD entry with SPI > cdc2e52a (mark 0/0x00000000) > Apr 24 17:21:32 accel charon: 11[KNL] querying SAD entry with SPI > 0d6bbaab (mark 0/0x00000000) > > > > > > > ***** second device connects ******* > > Apr 24 17:21:42 
accel charon: 06[NET] received packet: from > 50.197.174.157[500] to 10.199.65.236[500] > Apr 24 17:21:42 accel charon: 06[NET] waiting for data on sockets > Apr 24 17:21:42 accel charon: 15[NET] received packet: from > 50.197.174.157[500] to 10.199.65.236[500] (668 bytes) > Apr 24 17:21:42 accel charon: 15[CFG] looking for an ike config for > 10.199.65.236...50.197.174.157 > Apr 24 17:21:42 accel charon: 15[CFG] candidate: %any...%any, prio 28 > Apr 24 17:21:42 accel charon: 15[CFG] found matching ike config: > %any...%any with prio 28 > Apr 24 17:21:42 accel charon: 15[IKE] received NAT-T (RFC 3947) vendor ID > Apr 24 17:21:42 accel charon: 15[IKE] received draft-ietf-ipsec-nat-t-ike > vendor ID > Apr 24 17:21:42 accel charon: 15[IKE] received > draft-ietf-ipsec-nat-t-ike-08 vendor ID > Apr 24 17:21:42 accel charon: 15[IKE] received > draft-ietf-ipsec-nat-t-ike-07 vendor ID > Apr 24 17:21:42 accel charon: 15[IKE] received > draft-ietf-ipsec-nat-t-ike-06 vendor ID > Apr 24 17:21:42 accel charon: 15[IKE] received > draft-ietf-ipsec-nat-t-ike-05 vendor ID > Apr 24 17:21:42 accel charon: 15[IKE] received > draft-ietf-ipsec-nat-t-ike-04 vendor ID > Apr 24 17:21:42 accel charon: 15[IKE] received > draft-ietf-ipsec-nat-t-ike-03 vendor ID > Apr 24 17:21:42 accel charon: 15[IKE] received > draft-ietf-ipsec-nat-t-ike-02 vendor ID > Apr 24 17:21:42 accel charon: 15[IKE] received > draft-ietf-ipsec-nat-t-ike-02\n vendor ID > Apr 24 17:21:42 accel charon: 15[IKE] received XAuth vendor ID > Apr 24 17:21:42 accel charon: 15[IKE] received Cisco Unity vendor ID > Apr 24 17:21:42 accel charon: 15[IKE] received FRAGMENTATION vendor ID > Apr 24 17:21:42 accel charon: 15[IKE] received DPD vendor ID > Apr 24 17:21:42 accel charon: 15[IKE] 50.197.174.157 is initiating a Main > Mode IKE_SA > Apr 24 17:21:42 accel charon: 15[IKE] IKE_SA (unnamed)[4] state change: > CREATED => CONNECTING > Apr 24 17:21:42 accel charon: 15[CFG] selecting proposal: > Apr 24 17:21:42 accel charon: 15[CFG] no 
acceptable ENCRYPTION_ALGORITHM > found > Apr 24 17:21:42 accel charon: 15[CFG] selecting proposal: > Apr 24 17:21:42 accel charon: 15[CFG] no acceptable ENCRYPTION_ALGORITHM > found > Apr 24 17:21:42 accel charon: 15[CFG] selecting proposal: > Apr 24 17:21:42 accel charon: 15[CFG] no acceptable DIFFIE_HELLMAN_GROUP > found > Apr 24 17:21:42 accel charon: 15[CFG] selecting proposal: > Apr 24 17:21:42 accel charon: 15[CFG] no acceptable ENCRYPTION_ALGORITHM > found > Apr 24 17:21:42 accel charon: 15[CFG] selecting proposal: > Apr 24 17:21:42 accel charon: 15[CFG] no acceptable ENCRYPTION_ALGORITHM > found > Apr 24 17:21:42 accel charon: 15[CFG] selecting proposal: > Apr 24 17:21:42 accel charon: 15[CFG] no acceptable > PSEUDO_RANDOM_FUNCTION found > Apr 24 17:21:42 accel charon: 15[CFG] selecting proposal: > Apr 24 17:21:42 accel charon: 15[CFG] no acceptable ENCRYPTION_ALGORITHM > found > Apr 24 17:21:42 accel charon: 15[CFG] selecting proposal: > Apr 24 17:21:42 accel charon: 15[CFG] no acceptable ENCRYPTION_ALGORITHM > found > Apr 24 17:21:42 accel charon: 15[CFG] selecting proposal: > Apr 24 17:21:42 accel charon: 15[CFG] no acceptable ENCRYPTION_ALGORITHM > found > Apr 24 17:21:42 accel charon: 15[CFG] selecting proposal: > Apr 24 17:21:42 accel charon: 15[CFG] no acceptable ENCRYPTION_ALGORITHM > found > Apr 24 17:21:42 accel charon: 15[CFG] selecting proposal: > Apr 24 17:21:42 accel charon: 15[CFG] no acceptable ENCRYPTION_ALGORITHM > found > Apr 24 17:21:42 accel charon: 15[CFG] selecting proposal: > Apr 24 17:21:42 accel charon: 15[CFG] no acceptable ENCRYPTION_ALGORITHM > found > Apr 24 17:21:42 accel charon: 15[CFG] selecting proposal: > Apr 24 17:21:42 accel charon: 15[CFG] no acceptable ENCRYPTION_ALGORITHM > found > Apr 24 17:21:42 accel charon: 15[CFG] selecting proposal: > Apr 24 17:21:42 accel charon: 15[CFG] no acceptable ENCRYPTION_ALGORITHM > found > Apr 24 17:21:42 accel charon: 15[CFG] selecting proposal: > Apr 24 17:21:42 accel charon: 
15[CFG] no acceptable ENCRYPTION_ALGORITHM > found > Apr 24 17:21:42 accel charon: 15[CFG] selecting proposal: > Apr 24 17:21:42 accel charon: 15[CFG] no acceptable ENCRYPTION_ALGORITHM > found > Apr 24 17:21:42 accel charon: 15[CFG] selecting proposal: > Apr 24 17:21:42 accel charon: 15[CFG] no acceptable DIFFIE_HELLMAN_GROUP > found > Apr 24 17:21:42 accel charon: 15[CFG] selecting proposal: > Apr 24 17:21:42 accel charon: 15[CFG] no acceptable > PSEUDO_RANDOM_FUNCTION found > Apr 24 17:21:42 accel charon: 15[CFG] selecting proposal: > Apr 24 17:21:42 accel charon: 15[CFG] no acceptable ENCRYPTION_ALGORITHM > found > Apr 24 17:21:42 accel charon: 15[CFG] selecting proposal: > Apr 24 17:21:42 accel charon: 15[CFG] no acceptable ENCRYPTION_ALGORITHM > found > Apr 24 17:21:42 accel charon: 15[CFG] selecting proposal: > Apr 24 17:21:42 accel charon: 15[CFG] proposal matches > Apr 24 17:21:42 accel charon: 15[CFG] received proposals: > IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, > IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, > IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, > IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536, > IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, > IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, > IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, > IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, > IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, > IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024 > Apr 24 17:21:42 accel charon: 15[CFG] configured proposals: > IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, > IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, > 
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/HMAC_MD5_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160 > Apr 24 17:21:42 accel charon: 15[CFG] selected proposal: > IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536 > Apr 24 17:21:42 accel charon: 15[IKE] sending XAuth vendor ID > Apr 24 17:21:42 accel charon: 15[IKE] sending DPD vendor ID > Apr 24 17:21:42 accel charon: 15[IKE] sending FRAGMENTATION vendor ID > Apr 24 17:21:42 accel charon: 15[IKE] sending NAT-T (RFC 3947) vendor ID > Apr 24 17:21:42 accel charon: 15[NET] sending packet: from > 10.199.65.236[500] to 50.197.174.157[500] (160 bytes) > Apr 24 17:21:42 accel charon: 07[NET] sending packet: from > 10.199.65.236[500] to 50.197.174.157[500] > Apr 24 17:21:43 accel charon: 06[NET] received packet: from > 50.197.174.157[500] to 10.199.65.236[500] > Apr 24 17:21:43 accel charon: 06[NET] waiting for data on sockets > Apr 24 17:21:43 accel charon: 09[NET] received packet: from > 50.197.174.157[500] to 10.199.65.236[500] (292 bytes) > Apr 24 17:21:43 accel charon: 09[LIB] size of DH secret exponent: 1532 bits > Apr 24 17:21:43 accel charon: 09[IKE] local host is behind NAT, sending > keep alives > Apr 24 17:21:43 accel charon: 09[IKE] remote host is behind NAT > Apr 24 17:21:43 accel charon: 09[IKE] sending cert request for "C=US, > ST=California, L=New York, O=Internet Widgits Pty Ltd, OU=ActMobile, CN= > ipsec.corp.actmobile.com, [email protected]" > Apr 24 17:21:43 charon: last message repeated 2 times > Apr 24 17:21:43 accel charon: 09[NET] sending packet: from > 10.199.65.236[500] to 50.197.174.157[500] (548 bytes) > Apr 24 17:21:43 accel charon: 07[NET] sending packet: from > 10.199.65.236[500] to 50.197.174.157[500] > Apr 24 17:21:43 accel 
charon: 09[NET] sending packet: from 10.199.65.236[500] to 50.197.174.157[500] (399 bytes)
> Apr 24 17:21:43 accel charon: 07[NET] sending packet: from 10.199.65.236[500] to 50.197.174.157[500]
> Apr 24 17:21:43 accel charon: 06[NET] received packet: from 50.197.174.157[4500] to 10.199.65.236[4500]
> Apr 24 17:21:43 accel charon: 06[NET] waiting for data on sockets
> Apr 24 17:21:43 accel charon: 03[NET] received packet: from 50.197.174.157[4500] to 10.199.65.236[4500] (1280 bytes)
> Apr 24 17:21:43 accel charon: 06[NET] received packet: from 50.197.174.157[4500] to 10.199.65.236[4500]
> Apr 24 17:21:43 accel charon: 06[NET] waiting for data on sockets
> Apr 24 17:21:43 accel charon: 16[NET] received packet: from 50.197.174.157[4500] to 10.199.65.236[4500] (164 bytes)
> Apr 24 17:21:43 accel charon: 16[NET] received packet: from 50.197.174.157[4500] to 10.199.65.236[4500] (1372 bytes)
> Apr 24 17:21:43 accel charon: 16[IKE] ignoring certificate request without data
> Apr 24 17:21:43 accel charon: 16[IKE] received end entity cert "C=US, O=strongSwan, CN=IDE-4B53-E547-4C2A-A2B7-78D2BA436307"
> Apr 24 17:21:43 accel charon: 16[CFG] looking for XAuthInitRSA peer configs matching 10.199.65.236...50.197.174.157[C=US, O=strongSwan, CN=IDE-4B53-E547-4C2A-A2B7-78D2BA436307]
> Apr 24 17:21:43 accel charon: 16[CFG] candidate "ios", match: 1/1/28 (me/other/ike)
> Apr 24 17:21:43 accel charon: 16[CFG] selected peer config "ios"
> Apr 24 17:21:43 accel charon: 16[CFG] using certificate "C=US, O=strongSwan, CN=IDE-4B53-E547-4C2A-A2B7-78D2BA436307"
> Apr 24 17:21:43 accel charon: 16[CFG] certificate "C=US, O=strongSwan, CN=IDE-4B53-E547-4C2A-A2B7-78D2BA436307" key: 2048 bit RSA
> Apr 24 17:21:43 accel charon: 16[LIB] signature verification:
> Apr 24 17:21:43 accel charon: 16[CFG] using trusted ca certificate "C=US, ST=California, L=New York, O=Internet Widgits Pty Ltd, OU=ActMobile, CN=ipsec.corp.actmobile.com, [email protected]"
> Apr 24 17:21:43 accel charon: 16[CFG] checking certificate status of "C=US, O=strongSwan, CN=IDE-4B53-E547-4C2A-A2B7-78D2BA436307"
> Apr 24 17:21:43 accel charon: 16[CFG] ocsp check skipped, no ocsp found
> Apr 24 17:21:43 accel charon: 16[CFG] certificate status is not available
> Apr 24 17:21:43 accel charon: 16[CFG] certificate "C=US, ST=California, L=New York, O=Internet Widgits Pty Ltd, OU=ActMobile, CN=ipsec.corp.actmobile.com, [email protected]" key: 2048 bit RSA
> Apr 24 17:21:43 accel charon: 16[CFG] reached self-signed root ca with a path length of 0
> Apr 24 17:21:43 accel charon: 16[IKE] authentication of 'C=US, O=strongSwan, CN=IDE-4B53-E547-4C2A-A2B7-78D2BA436307' with RSA successful
> Apr 24 17:21:43 accel charon: 16[IKE] authentication of 'C=US, ST=California, L=New York, O=Internet Widgits Pty Ltd, OU=ActMobile, CN=ipsec.corp.actmobile.com, [email protected]' (myself) successful
> Apr 24 17:21:43 accel charon: 16[IKE] queueing XAUTH task
> Apr 24 17:21:43 accel charon: 16[IKE] sending end entity cert "C=US, ST=California, L=New York, O=Internet Widgits Pty Ltd, OU=ActMobile, CN=ipsec.corp.actmobile.com, [email protected]"
> Apr 24 17:21:43 accel charon: 16[NET] sending packet: from 10.199.65.236[4500] to 50.197.174.157[4500] (544 bytes)
> Apr 24 17:21:43 accel charon: 07[NET] sending packet: from 10.199.65.236[4500] to 50.197.174.157[4500]
> Apr 24 17:21:43 accel charon: 16[NET] sending packet: from 10.199.65.236[4500] to 50.197.174.157[4500] (544 bytes)
> Apr 24 17:21:43 accel charon: 07[NET] sending packet: from 10.199.65.236[4500] to 50.197.174.157[4500]
> Apr 24 17:21:43 accel charon: 16[NET] sending packet: from 10.199.65.236[4500] to 50.197.174.157[4500] (544 bytes)
> Apr 24 17:21:43 accel charon: 07[NET] sending packet: from 10.199.65.236[4500] to 50.197.174.157[4500]
> Apr 24 17:21:43 accel charon: 16[NET] sending packet: from 10.199.65.236[4500] to 50.197.174.157[4500] (92 bytes)
> Apr 24 17:21:43 accel charon: 07[NET] sending packet: from 10.199.65.236[4500] to 50.197.174.157[4500]
> Apr 24 17:21:43 accel charon: 16[IKE] activating new tasks
> Apr 24 17:21:43 accel charon: 16[IKE] activating XAUTH task
> Apr 24 17:21:43 accel charon: 16[NET] sending packet: from 10.199.65.236[4500] to 50.197.174.157[4500] (76 bytes)
> Apr 24 17:21:43 accel charon: 07[NET] sending packet: from 10.199.65.236[4500] to 50.197.174.157[4500]
> Apr 24 17:21:43 accel charon: 06[NET] received packet: from 50.197.174.157[4500] to 10.199.65.236[4500]
> Apr 24 17:21:43 accel charon: 06[NET] waiting for data on sockets
> Apr 24 17:21:43 accel charon: 10[NET] received packet: from 50.197.174.157[4500] to 10.199.65.236[4500] (92 bytes)
> Apr 24 17:21:43 accel charon: 10[IKE] XAuth authentication of 'actmobile' successful
> Apr 24 17:21:43 accel charon: 10[IKE] deleting duplicate IKE_SA for peer 'actmobile' due to uniqueness policy
> Apr 24 17:21:43 accel charon: 10[IKE] queueing QUICK_DELETE task
> Apr 24 17:21:43 accel charon: 10[IKE] queueing ISAKMP_DELETE task
> Apr 24 17:21:43 accel charon: 10[IKE] activating new tasks
> Apr 24 17:21:43 accel charon: 10[IKE] activating QUICK_DELETE task
> Apr 24 17:21:43 accel charon: 10[KNL] querying SAD entry with SPI cdc2e52a (mark 0/0x00000000)
> Apr 24 17:21:43 accel charon: 10[KNL] querying SAD entry with SPI 0d6bbaab (mark 0/0x00000000)
> Apr 24 17:21:43 accel charon: 10[IKE] closing CHILD_SA ios{2} with SPIs cdc2e52a_i (1438 bytes) 0d6bbaab_o (4780 bytes) and TS 0.0.0.0/0 === 10.254.0.1/32
> Apr 24 17:21:43 accel charon: 10[KNL] querying SAD entry with SPI cdc2e52a (mark 0/0x00000000)
> Apr 24 17:21:43 accel charon: 10[KNL] querying SAD entry with SPI 0d6bbaab (mark 0/0x00000000)
> Apr 24 17:21:43 accel charon: 10[KNL] deleting policy 0.0.0.0/0 === 10.254.0.1/32 out (mark 0/0x00000000)
> Apr 24 17:21:43 accel charon: 10[KNL] policy still used by another CHILD_SA, not removed
> Apr 24 17:21:43 accel charon: 10[KNL] updating policy 0.0.0.0/0 === 10.254.0.1/32 out (mark 0/0x00000000)
> Apr 24 17:21:43 accel charon: 10[KNL] deleting policy 10.254.0.1/32 === 0.0.0.0/0 in (mark 0/0x00000000)
> Apr 24 17:21:43 accel charon: 10[KNL] policy still used by another CHILD_SA, not removed
> Apr 24 17:21:43 accel charon: 10[KNL] updating policy 10.254.0.1/32 === 0.0.0.0/0 in (mark 0/0x00000000)
> Apr 24 17:21:43 accel charon: 10[KNL] deleting policy 10.254.0.1/32 === 0.0.0.0/0 fwd (mark 0/0x00000000)
> Apr 24 17:21:43 accel charon: 10[KNL] policy still used by another CHILD_SA, not removed
> Apr 24 17:21:43 accel charon: 10[KNL] updating policy 10.254.0.1/32 === 0.0.0.0/0 fwd (mark 0/0x00000000)
> Apr 24 17:21:43 accel charon: 10[KNL] getting a local address in traffic selector 0.0.0.0/0
> Apr 24 17:21:43 accel charon: 10[KNL] using host %any
> Apr 24 17:21:43 accel charon: 10[KNL] using 10.199.65.193 as nexthop to reach 166.170.42.208/32
> Apr 24 17:21:43 accel charon: 10[KNL] 10.199.65.236 is on interface eth0
> Apr 24 17:21:43 accel charon: 10[KNL] deleting policy 0.0.0.0/0 === 10.254.0.1/32 out (mark 0/0x00000000)
> Apr 24 17:21:43 accel charon: 10[KNL] deleting policy 10.254.0.1/32 === 0.0.0.0/0 in (mark 0/0x00000000)
> Apr 24 17:21:43 accel charon: 10[KNL] deleting policy 10.254.0.1/32 === 0.0.0.0/0 fwd (mark 0/0x00000000)
> Apr 24 17:21:43 accel charon: 10[KNL] getting iface index for eth0
> Apr 24 17:21:43 accel charon: 10[KNL] deleting SAD entry with SPI cdc2e52a (mark 0/0x00000000)
> Apr 24 17:21:43 accel charon: 10[KNL] deleted SAD entry with SPI cdc2e52a (mark 0/0x00000000)
> Apr 24 17:21:43 accel charon: 10[KNL] deleting SAD entry with SPI 0d6bbaab (mark 0/0x00000000)
> Apr 24 17:21:43 accel charon: 10[KNL] deleted SAD entry with SPI 0d6bbaab (mark 0/0x00000000)
> Apr 24 17:21:43 accel charon: 10[IKE] sending DELETE for ESP CHILD_SA with SPI cdc2e52a
> Apr 24 17:21:43 accel rsyslogd-2177: imuxsock begins to drop messages from pid 14031 due to rate-limiting
>
> On 4/24/15 10:04 AM, Miroslav Svoboda wrote:
>
> This log does not show the information I am looking for.
> Please move the old logfile away.
> Please set all loglevels to 2 except "enc". You can do it in file
> /etc/strongswan/strongswan.d/charon-logging
> Then start strongswan, connect both phones and send me the whole file.
>
> Section filelog of the aforementioned config file should look like below:
>
> filelog {
>
>     # <filename> is the full path to the log file.
>     /var/log/strongswan.log {
>
>         # Loglevel for a specific subsystem.
>         # <subsystem> = <default>
>         enc = 1
>         job = 1
>         cfg = 2
>         ike = 2
>         mgr = 2
>         knl = 2
>         chd = 2
>
>         # If this option is enabled log entries are appended to the existing
>         # file.
>         append = yes
>
>         # Default loglevel.
>         default = 1
>
>         # Enabling this option disables block buffering and enables line
>         # buffering.
>         flush_line = yes
>
>         # Prefix each log entry with the connection name and a unique
>         # numerical identifier for each IKE_SA.
>         ike_name = yes
>
>         # Prefix each log entry with a timestamp. The option accepts a
>         # format string as passed to strftime(3).
>         time_format = %F %T
>
>     }
> }
>
> Miroslav Svoboda | +420 608 224 486
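Added example (not part of the thread, and not strongSwan code): a Python function that scans charon log lines in the format quoted above for the "deleting duplicate IKE_SA ... due to uniqueness policy" event and reports which remote address displaced which. The sample lines are constructed, and tying a message to a peer through the worker-thread number is an assumption of this example, not something strongSwan guarantees.

```python
import re

# Constructed sample in the charon syslog format quoted above; the addresses
# are RFC 5737 documentation ranges, not the ones from the thread.
SAMPLE_LOG = """\
Apr 24 17:21:31 gw charon: 13[NET] received packet: from 192.0.2.10[4500] to 10.0.0.1[4500] (92 bytes)
Apr 24 17:21:31 gw charon: 13[IKE] XAuth authentication of 'actmobile' successful
Apr 24 17:21:43 gw charon: 06[NET] received packet: from 198.51.100.20[4500] to 10.0.0.1[4500]
Apr 24 17:21:43 gw charon: 10[NET] received packet: from 198.51.100.20[4500] to 10.0.0.1[4500] (92 bytes)
Apr 24 17:21:43 gw charon: 10[IKE] XAuth authentication of 'actmobile' successful
Apr 24 17:21:43 gw charon: 10[IKE] deleting duplicate IKE_SA for peer 'actmobile' due to uniqueness policy
"""

LINE = re.compile(r"charon: (?P<thread>\d+)\[[A-Z]+\] (?P<msg>.*)$")
# Only the worker's line carries a byte count; the receiver thread's does not.
RECV = re.compile(r"received packet: from (?P<ip>[\d.]+)\[\d+\] to \S+ \(\d+ bytes\)")
XAUTH = re.compile(r"XAuth authentication of '(?P<id>[^']+)' successful")
EVICT = re.compile(r"deleting duplicate IKE_SA for peer '(?P<id>[^']+)' "
                   r"due to uniqueness policy")


def find_identity_collisions(log_text):
    """Return one dict per uniqueness-policy eviction, naming both remotes."""
    last_remote = {}  # worker thread -> remote IP of the packet it is handling
    owner = {}        # XAuth identity -> remote IP that last authenticated
    pending = {}      # worker thread -> (identity, previous IP, new IP)
    collisions = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a charon line (e.g. rsyslogd rate-limit notices)
        thread, msg = m["thread"], m["msg"]
        if r := RECV.search(msg):
            last_remote[thread] = r["ip"]
        elif x := XAUTH.search(msg):
            new_ip = last_remote.get(thread, "unknown")
            pending[thread] = (x["id"], owner.get(x["id"], "unknown"), new_ip)
            owner[x["id"]] = new_ip
        elif e := EVICT.search(msg):
            ident, old_ip, new_ip = pending.get(
                thread, (e["id"], "unknown", "unknown"))
            if ident == e["id"]:
                collisions.append({"identity": ident, "evicted": old_ip,
                                   "replaced_by": new_ip,
                                   "same_host": old_ip == new_ip})
    return collisions
```

`same_host: False` means two different source addresses authenticated with one XAuth identity, which is what a shared credential looks like; devices behind the same NAT would show the same address, so `True` does not prove a simple reconnect.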
