Hi Marco, > After nearly 2 months it happened again: > > ts-20.96.144.0{126302}: INSTALLED, TUNNEL, reqid 244, ESP SPIs: cd63dff4_i > 5215984b_o > ts-20.96.144.0{126302}: AES_CBC_256/HMAC_SHA2_256_128/ECP_384, 2988620 > bytes_i (6591 pkts, 314s ago), 2048852 bytes_o, rekeying in 5 hours > ts-20.96.144.0{126302}: 10.28.155.0/24 === 20.96.144.0/23 > ts-20.96.216.0{126305}: INSTALLED, TUNNEL, reqid 246, ESP SPIs: c5504cbc_i > 5d35c82a_o > ts-20.96.216.0{126305}: AES_CBC_256/HMAC_SHA2_256_128/ECP_384, 169442 > bytes_i, 40867 bytes_o (169 pkts, 301s ago), rekeying in 6 hours > ts-20.96.216.0{126305}: 10.28.155.0/24 === 20.96.216.0/21 > ts-20.96.226.0{126325}: INSTALLED, TUNNEL, reqid 247, ESP SPIs: c28f61dc_i > e0a84ea4_o > ts-20.96.226.0{126325}: AES_CBC_256/HMAC_SHA2_256_128/ECP_384, 58816 > bytes_i, 61681 bytes_o (243 pkts, 261s ago), rekeying in 6 hours > ts-20.96.226.0{126325}: 10.28.155.0/24 === 20.96.226.0/24 > > Now, charon is logging to /var/log/charon.log (setup copied > and pasted from [1]. > > What should I grep? :-) > > I have also the output from 'ip -s x p' and 'ip -s x s'
Look for details on these policies and SAs (using the SPIs and selectors/reqids when searching). In the log also check the messages around any with these information (those logged by the same thread). Regards, Tobias