[Swan] Stronswan / Libreswan - Tunnel disconnects and becomes prospective erouted
Madden, Joe
Joe.Madden at mottmac.com
Tue Oct 11 08:17:45 UTC 2016
Hi List,
To further the issue below I've adjusted the key lengths as suggested and got the third party to do the same. We had a repeat of the connection issue that I describe in the email below.
The connection from our view appears to be operational. An ipsec status provided me with:
http://pastebin.com/YzZHJ82r
This suggests that our VPN tunnels are up; however, the strongswan 5.1.3 instance we connect to only has one tunnel operational and it suggests the others are down.
The owner of the strongswan restarted his instance to find that the same tunnel came up, but from our point of view it looks as if that instance only sent one proposal. Please see Oct 10 14:48:49 in the log below.
http://pastebin.com/pFQ42tG9
I'm at a loss as to what to try. We know our instance is stable with another VPN using similar configuration; it only appears to be this strongswan system which is problematic.
If anyone has any suggestions I would be grateful!
Thanks
Joe
-----Original Message-----
From: Paul Wouters [mailto:paul at nohats.ca]
Sent: 20 September 2016 17:18
To: Madden, Joe <Joe.Madden at mottmac.com>
Cc: swan at lists.libreswan.org
Subject: Re: [Swan] Stronswan / Libreswan - Tunnel disconnects and becomes prospective erouted
On Tue, 20 Sep 2016, Madden, Joe wrote:
> Just trying to resolve an issue we have with VPNs disconnecting from a strongSwan client.
>
> When I restart my end of the VPN the VPNs establish and operate fine.
> After a random amount of time with no apparent user action some of the VPN tunnels will become “prospective erouted”
You didn't provide any logs, so we have no idea of what is actually happening. Are they hanging up? Are you hanging up? Are they trying to rekey to you? The only thing we know is that this is ikev1, so it does not relate to rekeying without authentication.
> keylife= 60m
> ikelifetime= 480m
You could try and change these timings. A 1h IPsec SA lifetime is pretty short - usually these are kept at 8h or 24h. It does not matter too much other than that you can tweak these to determine who gets to initiate the rekeying (whoever has the shortest keylife).
But check your logs to see what is going on when the failure is happening.
Paul
From: Swan [mailto:swan-bounces at lists.libreswan.org] On Behalf Of Madden, Joe
Sent: 20 September 2016 16:54
To: swan at lists.libreswan.org
Subject: [Swan] Stronswan / Libreswan - Tunnel disconnects and becomes prospective erouted
Hi List,
Just trying to resolve an issue we have with VPNs disconnecting from a strongSwan client.
When I restart my end of the VPN the VPNs establish and operate fine. After a random amount of time with no apparent user action some of the VPN tunnels will become “prospective erouted”
Our configuration is:
# basic configuration
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # klipsdebug=none
    #plutodebug="all"
    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/16
    #plutodebug=control
    oe=off
    # Enable this if you see "failed to find any available worker"
    # nhelpers=0
#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
include /etc/ipsec.d/*.conf
conn ssl-iptrafficsig-1
    authby= secret
    auto= start
    type= tunnel
    nat_traversal= yes
    forceencaps= no
    rekeymargin= 3m
    keyingtries= %forever
    keylife= 60m
    ikelifetime= 480m
    ikev2= no
    #RTT
    left= 10.59.31.49
    leftsubnets= {10.2.170.0/26,10.1.178.0/26,10.1.160.64/27,10.1.162.64/27,10.1.176.0/25,10.1.170.0/25,10.2.166.0/26,10.2.74.64/29,10.2.166.0/26,10.2.130.64/28,10.2.168.10/32,10.2.168.11/32,10.1.172.10/32,10.1.172.11/32}
    leftid= 193.195.162.135
    leftnexthop= 10.59.31.54
    leftsourceip= 10.59.31.49
    #SAA
    right= 52.48.93.253
    rightid= 52.48.93.253
    rightsubnet= 10.199.0.0/28
    ike= aes256-sha2_256;modp2048
    phase2= esp
    phase2alg= aes256-sha2_256;modp2048
    pfs= yes
    sha2_truncbug= no
    #Dead Peer Detection
    dpdaction= restart
Ipsec status shows:
000 "ssl-iptrafficsig-1/10x0": 10.2.130.64/28===10.59.31.49<10.59.31.49>[LOCAL_END_HOST]---10.59.31.54...REMOTE_END_HOST<REMOTE_END_HOST>===10.199.0.0/28; erouted; eroute owner: #5
000 "ssl-iptrafficsig-1/10x0": oriented; my_ip=10.59.31.49; their_ip=unset
000 "ssl-iptrafficsig-1/10x0": xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]
000 "ssl-iptrafficsig-1/10x0": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "ssl-iptrafficsig-1/10x0": labeled_ipsec:no;
000 "ssl-iptrafficsig-1/10x0": policy_label:unset;
000 "ssl-iptrafficsig-1/10x0": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0;
000 "ssl-iptrafficsig-1/10x0": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "ssl-iptrafficsig-1/10x0": sha2_truncbug:no; initial_contact:no; cisco_unity:no; send_vendorid:no;
000 "ssl-iptrafficsig-1/10x0": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "ssl-iptrafficsig-1/10x0": conn_prio: 28,28; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset;
000 "ssl-iptrafficsig-1/10x0": newest ISAKMP SA: #0; newest IPsec SA: #5;
000 "ssl-iptrafficsig-1/10x0": aliases: ssl-iptrafficsig-1
000 "ssl-iptrafficsig-1/10x0": IKE algorithms wanted: AES_CBC(7)_256-SHA2_256(4)_000-MODP2048(14)
000 "ssl-iptrafficsig-1/10x0": IKE algorithms found: AES_CBC(7)_256-SHA2_256(4)_256-MODP2048(14)
000 "ssl-iptrafficsig-1/10x0": ESP algorithms wanted: AES(12)_256-SHA2_256(5)_000; pfsgroup=MODP2048(14)
000 "ssl-iptrafficsig-1/10x0": ESP algorithms loaded: AES(12)_256-SHA2_256(5)_000
000 "ssl-iptrafficsig-1/10x0": ESP algorithm newest: AES_256-HMAC_SHA2_256; pfsgroup=MODP2048
000 "ssl-iptrafficsig-1/11x0": 10.2.168.10/32===10.59.31.49<10.59.31.49>[LOCAL_END_HOST]---10.59.31.54...REMOTE_END_HOST<REMOTE_END_HOST>===10.199.0.0/28; erouted; eroute owner: #6
000 "ssl-iptrafficsig-1/11x0": oriented; my_ip=10.59.31.49; their_ip=unset
000 "ssl-iptrafficsig-1/11x0": xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]
000 "ssl-iptrafficsig-1/11x0": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "ssl-iptrafficsig-1/11x0": labeled_ipsec:no;
000 "ssl-iptrafficsig-1/11x0": policy_label:unset;
000 "ssl-iptrafficsig-1/11x0": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0;
000 "ssl-iptrafficsig-1/11x0": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "ssl-iptrafficsig-1/11x0": sha2_truncbug:no; initial_contact:no; cisco_unity:no; send_vendorid:no;
000 "ssl-iptrafficsig-1/11x0": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "ssl-iptrafficsig-1/11x0": conn_prio: 32,28; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset;
000 "ssl-iptrafficsig-1/11x0": newest ISAKMP SA: #0; newest IPsec SA: #6;
000 "ssl-iptrafficsig-1/11x0": aliases: ssl-iptrafficsig-1
000 "ssl-iptrafficsig-1/11x0": IKE algorithms wanted: AES_CBC(7)_256-SHA2_256(4)_000-MODP2048(14)
000 "ssl-iptrafficsig-1/11x0": IKE algorithms found: AES_CBC(7)_256-SHA2_256(4)_256-MODP2048(14)
000 "ssl-iptrafficsig-1/11x0": ESP algorithms wanted: AES(12)_256-SHA2_256(5)_000; pfsgroup=MODP2048(14)
000 "ssl-iptrafficsig-1/11x0": ESP algorithms loaded: AES(12)_256-SHA2_256(5)_000
000 "ssl-iptrafficsig-1/11x0": ESP algorithm newest: AES_256-HMAC_SHA2_256; pfsgroup=MODP2048
000 "ssl-iptrafficsig-1/12x0": 10.2.168.11/32===10.59.31.49<10.59.31.49>[LOCAL_END_HOST]---10.59.31.54...REMOTE_END_HOST<REMOTE_END_HOST>===10.199.0.0/28; erouted; eroute owner: #7
000 "ssl-iptrafficsig-1/12x0": oriented; my_ip=10.59.31.49; their_ip=unset
000 "ssl-iptrafficsig-1/12x0": xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]
000 "ssl-iptrafficsig-1/12x0": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "ssl-iptrafficsig-1/12x0": labeled_ipsec:no;
000 "ssl-iptrafficsig-1/12x0": policy_label:unset;
000 "ssl-iptrafficsig-1/12x0": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0;
000 "ssl-iptrafficsig-1/12x0": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "ssl-iptrafficsig-1/12x0": sha2_truncbug:no; initial_contact:no; cisco_unity:no; send_vendorid:no;
000 "ssl-iptrafficsig-1/12x0": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "ssl-iptrafficsig-1/12x0": conn_prio: 32,28; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset;
000 "ssl-iptrafficsig-1/12x0": newest ISAKMP SA: #0; newest IPsec SA: #7;
000 "ssl-iptrafficsig-1/12x0": aliases: ssl-iptrafficsig-1
000 "ssl-iptrafficsig-1/12x0": IKE algorithms wanted: AES_CBC(7)_256-SHA2_256(4)_000-MODP2048(14)
000 "ssl-iptrafficsig-1/12x0": IKE algorithms found: AES_CBC(7)_256-SHA2_256(4)_256-MODP2048(14)
000 "ssl-iptrafficsig-1/12x0": ESP algorithms wanted: AES(12)_256-SHA2_256(5)_000; pfsgroup=MODP2048(14)
000 "ssl-iptrafficsig-1/12x0": ESP algorithms loaded: AES(12)_256-SHA2_256(5)_000
000 "ssl-iptrafficsig-1/12x0": ESP algorithm newest: AES_256-HMAC_SHA2_256; pfsgroup=MODP2048
000 "ssl-iptrafficsig-1/13x0": 10.1.172.10/32===10.59.31.49<10.59.31.49>[LOCAL_END_HOST]---10.59.31.54...REMOTE_END_HOST<REMOTE_END_HOST>===10.199.0.0/28; erouted; eroute owner: #28
000 "ssl-iptrafficsig-1/13x0": oriented; my_ip=10.59.31.49; their_ip=unset
000 "ssl-iptrafficsig-1/13x0": xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]
000 "ssl-iptrafficsig-1/13x0": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "ssl-iptrafficsig-1/13x0": labeled_ipsec:no;
000 "ssl-iptrafficsig-1/13x0": policy_label:unset;
000 "ssl-iptrafficsig-1/13x0": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0;
000 "ssl-iptrafficsig-1/13x0": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "ssl-iptrafficsig-1/13x0": sha2_truncbug:no; initial_contact:no; cisco_unity:no; send_vendorid:no;
000 "ssl-iptrafficsig-1/13x0": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "ssl-iptrafficsig-1/13x0": conn_prio: 32,28; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset;
000 "ssl-iptrafficsig-1/13x0": newest ISAKMP SA: #0; newest IPsec SA: #28;
000 "ssl-iptrafficsig-1/13x0": aliases: ssl-iptrafficsig-1
000 "ssl-iptrafficsig-1/13x0": IKE algorithms wanted: AES_CBC(7)_256-SHA2_256(4)_000-MODP2048(14)
000 "ssl-iptrafficsig-1/13x0": IKE algorithms found: AES_CBC(7)_256-SHA2_256(4)_256-MODP2048(14)
000 "ssl-iptrafficsig-1/13x0": ESP algorithms wanted: AES(12)_256-SHA2_256(5)_000; pfsgroup=MODP2048(14)
000 "ssl-iptrafficsig-1/13x0": ESP algorithms loaded: AES(12)_256-SHA2_256(5)_000
000 "ssl-iptrafficsig-1/13x0": ESP algorithm newest: AES_256-HMAC_SHA2_256; pfsgroup=MODP2048
000 "ssl-iptrafficsig-1/14x0": 10.1.172.11/32===10.59.31.49<10.59.31.49>[LOCAL_END_HOST]---10.59.31.54...REMOTE_END_HOST<REMOTE_END_HOST>===10.199.0.0/28; erouted; eroute owner: #9
000 "ssl-iptrafficsig-1/14x0": oriented; my_ip=10.59.31.49; their_ip=unset
000 "ssl-iptrafficsig-1/14x0": xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]
000 "ssl-iptrafficsig-1/14x0": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "ssl-iptrafficsig-1/14x0": labeled_ipsec:no;
000 "ssl-iptrafficsig-1/14x0": policy_label:unset;
000 "ssl-iptrafficsig-1/14x0": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0;
000 "ssl-iptrafficsig-1/14x0": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "ssl-iptrafficsig-1/14x0": sha2_truncbug:no; initial_contact:no; cisco_unity:no; send_vendorid:no;
000 "ssl-iptrafficsig-1/14x0": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "ssl-iptrafficsig-1/14x0": conn_prio: 32,28; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset;
000 "ssl-iptrafficsig-1/14x0": newest ISAKMP SA: #0; newest IPsec SA: #9;
000 "ssl-iptrafficsig-1/14x0": aliases: ssl-iptrafficsig-1
000 "ssl-iptrafficsig-1/14x0": IKE algorithms wanted: AES_CBC(7)_256-SHA2_256(4)_000-MODP2048(14)
000 "ssl-iptrafficsig-1/14x0": IKE algorithms found: AES_CBC(7)_256-SHA2_256(4)_256-MODP2048(14)
000 "ssl-iptrafficsig-1/14x0": ESP algorithms wanted: AES(12)_256-SHA2_256(5)_000; pfsgroup=MODP2048(14)
000 "ssl-iptrafficsig-1/14x0": ESP algorithms loaded: AES(12)_256-SHA2_256(5)_000
000 "ssl-iptrafficsig-1/14x0": ESP algorithm newest: AES_256-HMAC_SHA2_256; pfsgroup=MODP2048
000 "ssl-iptrafficsig-1/1x0": 10.2.170.0/26===10.59.31.49<10.59.31.49>[LOCAL_END_HOST]---10.59.31.54...REMOTE_END_HOST<REMOTE_END_HOST>===10.199.0.0/28; erouted; eroute owner: #23
000 "ssl-iptrafficsig-1/1x0": oriented; my_ip=10.59.31.49; their_ip=unset
000 "ssl-iptrafficsig-1/1x0": xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]
000 "ssl-iptrafficsig-1/1x0": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "ssl-iptrafficsig-1/1x0": labeled_ipsec:no;
000 "ssl-iptrafficsig-1/1x0": policy_label:unset;
000 "ssl-iptrafficsig-1/1x0": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0;
000 "ssl-iptrafficsig-1/1x0": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "ssl-iptrafficsig-1/1x0": sha2_truncbug:no; initial_contact:no; cisco_unity:no; send_vendorid:no;
000 "ssl-iptrafficsig-1/1x0": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "ssl-iptrafficsig-1/1x0": conn_prio: 26,28; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset;
000 "ssl-iptrafficsig-1/1x0": newest ISAKMP SA: #0; newest IPsec SA: #23;
000 "ssl-iptrafficsig-1/1x0": aliases: ssl-iptrafficsig-1
000 "ssl-iptrafficsig-1/1x0": IKE algorithms wanted: AES_CBC(7)_256-SHA2_256(4)_000-MODP2048(14)
000 "ssl-iptrafficsig-1/1x0": IKE algorithms found: AES_CBC(7)_256-SHA2_256(4)_256-MODP2048(14)
000 "ssl-iptrafficsig-1/1x0": ESP algorithms wanted: AES(12)_256-SHA2_256(5)_000; pfsgroup=MODP2048(14)
000 "ssl-iptrafficsig-1/1x0": ESP algorithms loaded: AES(12)_256-SHA2_256(5)_000
000 "ssl-iptrafficsig-1/1x0": ESP algorithm newest: AES_256-HMAC_SHA2_256; pfsgroup=MODP2048
000 "ssl-iptrafficsig-1/2x0": 10.1.178.0/26===10.59.31.49<10.59.31.49>[LOCAL_END_HOST]---10.59.31.54...REMOTE_END_HOST<REMOTE_END_HOST>===10.199.0.0/28; erouted; eroute owner: #26
000 "ssl-iptrafficsig-1/2x0": oriented; my_ip=10.59.31.49; their_ip=unset
000 "ssl-iptrafficsig-1/2x0": xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]
000 "ssl-iptrafficsig-1/2x0": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "ssl-iptrafficsig-1/2x0": labeled_ipsec:no;
000 "ssl-iptrafficsig-1/2x0": policy_label:unset;
000 "ssl-iptrafficsig-1/2x0": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0;
000 "ssl-iptrafficsig-1/2x0": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "ssl-iptrafficsig-1/2x0": sha2_truncbug:no; initial_contact:no; cisco_unity:no; send_vendorid:no;
000 "ssl-iptrafficsig-1/2x0": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "ssl-iptrafficsig-1/2x0": conn_prio: 26,28; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset;
000 "ssl-iptrafficsig-1/2x0": newest ISAKMP SA: #0; newest IPsec SA: #26;
000 "ssl-iptrafficsig-1/2x0": aliases: ssl-iptrafficsig-1
000 "ssl-iptrafficsig-1/2x0": IKE algorithms wanted: AES_CBC(7)_256-SHA2_256(4)_000-MODP2048(14)
000 "ssl-iptrafficsig-1/2x0": IKE algorithms found: AES_CBC(7)_256-SHA2_256(4)_256-MODP2048(14)
000 "ssl-iptrafficsig-1/2x0": ESP algorithms wanted: AES(12)_256-SHA2_256(5)_000; pfsgroup=MODP2048(14)
000 "ssl-iptrafficsig-1/2x0": ESP algorithms loaded: AES(12)_256-SHA2_256(5)_000
000 "ssl-iptrafficsig-1/2x0": ESP algorithm newest: AES_256-HMAC_SHA2_256; pfsgroup=MODP2048
000 "ssl-iptrafficsig-1/3x0": 10.1.160.64/27===10.59.31.49<10.59.31.49>[LOCAL_END_HOST]---10.59.31.54...REMOTE_END_HOST<REMOTE_END_HOST>===10.199.0.0/28; erouted; eroute owner: #12
000 "ssl-iptrafficsig-1/3x0": oriented; my_ip=10.59.31.49; their_ip=unset
000 "ssl-iptrafficsig-1/3x0": xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]
000 "ssl-iptrafficsig-1/3x0": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "ssl-iptrafficsig-1/3x0": labeled_ipsec:no;
000 "ssl-iptrafficsig-1/3x0": policy_label:unset;
000 "ssl-iptrafficsig-1/3x0": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0;
000 "ssl-iptrafficsig-1/3x0": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "ssl-iptrafficsig-1/3x0": sha2_truncbug:no; initial_contact:no; cisco_unity:no; send_vendorid:no;
000 "ssl-iptrafficsig-1/3x0": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "ssl-iptrafficsig-1/3x0": conn_prio: 27,28; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset;
000 "ssl-iptrafficsig-1/3x0": newest ISAKMP SA: #0; newest IPsec SA: #12;
000 "ssl-iptrafficsig-1/3x0": aliases: ssl-iptrafficsig-1
000 "ssl-iptrafficsig-1/3x0": IKE algorithms wanted: AES_CBC(7)_256-SHA2_256(4)_000-MODP2048(14)
000 "ssl-iptrafficsig-1/3x0": IKE algorithms found: AES_CBC(7)_256-SHA2_256(4)_256-MODP2048(14)
000 "ssl-iptrafficsig-1/3x0": ESP algorithms wanted: AES(12)_256-SHA2_256(5)_000; pfsgroup=MODP2048(14)
000 "ssl-iptrafficsig-1/3x0": ESP algorithms loaded: AES(12)_256-SHA2_256(5)_000
000 "ssl-iptrafficsig-1/3x0": ESP algorithm newest: AES_256-HMAC_SHA2_256; pfsgroup=MODP2048
000 "ssl-iptrafficsig-1/4x0": 10.1.162.64/27===10.59.31.49<10.59.31.49>[LOCAL_END_HOST]---10.59.31.54...REMOTE_END_HOST<REMOTE_END_HOST>===10.199.0.0/28; erouted; eroute owner: #13
000 "ssl-iptrafficsig-1/4x0": oriented; my_ip=10.59.31.49; their_ip=unset
000 "ssl-iptrafficsig-1/4x0": xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]
000 "ssl-iptrafficsig-1/4x0": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "ssl-iptrafficsig-1/4x0": labeled_ipsec:no;
000 "ssl-iptrafficsig-1/4x0": policy_label:unset;
000 "ssl-iptrafficsig-1/4x0": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0;
000 "ssl-iptrafficsig-1/4x0": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "ssl-iptrafficsig-1/4x0": sha2_truncbug:no; initial_contact:no; cisco_unity:no; send_vendorid:no;
000 "ssl-iptrafficsig-1/4x0": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "ssl-iptrafficsig-1/4x0": conn_prio: 27,28; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset;
000 "ssl-iptrafficsig-1/4x0": newest ISAKMP SA: #0; newest IPsec SA: #13;
000 "ssl-iptrafficsig-1/4x0": aliases: ssl-iptrafficsig-1
000 "ssl-iptrafficsig-1/4x0": IKE algorithms wanted: AES_CBC(7)_256-SHA2_256(4)_000-MODP2048(14)
000 "ssl-iptrafficsig-1/4x0": IKE algorithms found: AES_CBC(7)_256-SHA2_256(4)_256-MODP2048(14)
000 "ssl-iptrafficsig-1/4x0": ESP algorithms wanted: AES(12)_256-SHA2_256(5)_000; pfsgroup=MODP2048(14)
000 "ssl-iptrafficsig-1/4x0": ESP algorithms loaded: AES(12)_256-SHA2_256(5)_000
000 "ssl-iptrafficsig-1/4x0": ESP algorithm newest: AES_256-HMAC_SHA2_256; pfsgroup=MODP2048
000 "ssl-iptrafficsig-1/5x0": 10.1.176.0/25===10.59.31.49<10.59.31.49>[LOCAL_END_HOST]---10.59.31.54...REMOTE_END_HOST<REMOTE_END_HOST>===10.199.0.0/28; erouted; eroute owner: #14
000 "ssl-iptrafficsig-1/5x0": oriented; my_ip=10.59.31.49; their_ip=unset
000 "ssl-iptrafficsig-1/5x0": xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]
000 "ssl-iptrafficsig-1/5x0": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "ssl-iptrafficsig-1/5x0": labeled_ipsec:no;
000 "ssl-iptrafficsig-1/5x0": policy_label:unset;
000 "ssl-iptrafficsig-1/5x0": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0;
000 "ssl-iptrafficsig-1/5x0": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "ssl-iptrafficsig-1/5x0": sha2_truncbug:no; initial_contact:no; cisco_unity:no; send_vendorid:no;
000 "ssl-iptrafficsig-1/5x0": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "ssl-iptrafficsig-1/5x0": conn_prio: 25,28; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset;
000 "ssl-iptrafficsig-1/5x0": newest ISAKMP SA: #0; newest IPsec SA: #14;
000 "ssl-iptrafficsig-1/5x0": aliases: ssl-iptrafficsig-1
000 "ssl-iptrafficsig-1/5x0": IKE algorithms wanted: AES_CBC(7)_256-SHA2_256(4)_000-MODP2048(14)
000 "ssl-iptrafficsig-1/5x0": IKE algorithms found: AES_CBC(7)_256-SHA2_256(4)_256-MODP2048(14)
000 "ssl-iptrafficsig-1/5x0": ESP algorithms wanted: AES(12)_256-SHA2_256(5)_000; pfsgroup=MODP2048(14)
000 "ssl-iptrafficsig-1/5x0": ESP algorithms loaded: AES(12)_256-SHA2_256(5)_000
000 "ssl-iptrafficsig-1/5x0": ESP algorithm newest: AES_256-HMAC_SHA2_256; pfsgroup=MODP2048
000 "ssl-iptrafficsig-1/6x0": 10.1.170.0/25===10.59.31.49<10.59.31.49>[LOCAL_END_HOST]---10.59.31.54...REMOTE_END_HOST<REMOTE_END_HOST>===10.199.0.0/28; erouted; eroute owner: #27
000 "ssl-iptrafficsig-1/6x0": oriented; my_ip=10.59.31.49; their_ip=unset
000 "ssl-iptrafficsig-1/6x0": xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]
000 "ssl-iptrafficsig-1/6x0": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "ssl-iptrafficsig-1/6x0": labeled_ipsec:no;
000 "ssl-iptrafficsig-1/6x0": policy_label:unset;
000 "ssl-iptrafficsig-1/6x0": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0;
000 "ssl-iptrafficsig-1/6x0": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "ssl-iptrafficsig-1/6x0": sha2_truncbug:no; initial_contact:no; cisco_unity:no; send_vendorid:no;
000 "ssl-iptrafficsig-1/6x0": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "ssl-iptrafficsig-1/6x0": conn_prio: 25,28; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset;
000 "ssl-iptrafficsig-1/6x0": newest ISAKMP SA: #0; newest IPsec SA: #27;
000 "ssl-iptrafficsig-1/6x0": aliases: ssl-iptrafficsig-1
000 "ssl-iptrafficsig-1/6x0": IKE algorithms wanted: AES_CBC(7)_256-SHA2_256(4)_000-MODP2048(14)
000 "ssl-iptrafficsig-1/6x0": IKE algorithms found: AES_CBC(7)_256-SHA2_256(4)_256-MODP2048(14)
000 "ssl-iptrafficsig-1/6x0": ESP algorithms wanted: AES(12)_256-SHA2_256(5)_000; pfsgroup=MODP2048(14)
000 "ssl-iptrafficsig-1/6x0": ESP algorithms loaded: AES(12)_256-SHA2_256(5)_000
000 "ssl-iptrafficsig-1/6x0": ESP algorithm newest: AES_256-HMAC_SHA2_256; pfsgroup=MODP2048
000 "ssl-iptrafficsig-1/7x0": 10.2.166.0/26===10.59.31.49<10.59.31.49>[LOCAL_END_HOST]---10.59.31.54...REMOTE_END_HOST<REMOTE_END_HOST>===10.199.0.0/28; erouted; eroute owner: #16
000 "ssl-iptrafficsig-1/7x0": oriented; my_ip=10.59.31.49; their_ip=unset
000 "ssl-iptrafficsig-1/7x0": xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]
000 "ssl-iptrafficsig-1/7x0": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "ssl-iptrafficsig-1/7x0": labeled_ipsec:no;
000 "ssl-iptrafficsig-1/7x0": policy_label:unset;
000 "ssl-iptrafficsig-1/7x0": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0;
000 "ssl-iptrafficsig-1/7x0": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "ssl-iptrafficsig-1/7x0": sha2_truncbug:no; initial_contact:no; cisco_unity:no; send_vendorid:no;
000 "ssl-iptrafficsig-1/7x0": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "ssl-iptrafficsig-1/7x0": conn_prio: 26,28; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset;
000 "ssl-iptrafficsig-1/7x0": newest ISAKMP SA: #0; newest IPsec SA: #16;
000 "ssl-iptrafficsig-1/7x0": aliases: ssl-iptrafficsig-1
000 "ssl-iptrafficsig-1/7x0": IKE algorithms wanted: AES_CBC(7)_256-SHA2_256(4)_000-MODP2048(14)
000 "ssl-iptrafficsig-1/7x0": IKE algorithms found: AES_CBC(7)_256-SHA2_256(4)_256-MODP2048(14)
000 "ssl-iptrafficsig-1/7x0": ESP algorithms wanted: AES(12)_256-SHA2_256(5)_000; pfsgroup=MODP2048(14)
000 "ssl-iptrafficsig-1/7x0": ESP algorithms loaded: AES(12)_256-SHA2_256(5)_000
000 "ssl-iptrafficsig-1/7x0": ESP algorithm newest: AES_256-HMAC_SHA2_256; pfsgroup=MODP2048
000 "ssl-iptrafficsig-1/8x0": 10.2.74.64/29===10.59.31.49<10.59.31.49>[LOCAL_END_HOST]---10.59.31.54...REMOTE_END_HOST<REMOTE_END_HOST>===10.199.0.0/28; erouted; eroute owner: #17
000 "ssl-iptrafficsig-1/8x0": oriented; my_ip=10.59.31.49; their_ip=unset
000 "ssl-iptrafficsig-1/8x0": xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]
000 "ssl-iptrafficsig-1/8x0": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "ssl-iptrafficsig-1/8x0": labeled_ipsec:no;
000 "ssl-iptrafficsig-1/8x0": policy_label:unset;
000 "ssl-iptrafficsig-1/8x0": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0;
000 "ssl-iptrafficsig-1/8x0": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "ssl-iptrafficsig-1/8x0": sha2_truncbug:no; initial_contact:no; cisco_unity:no; send_vendorid:no;
000 "ssl-iptrafficsig-1/8x0": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "ssl-iptrafficsig-1/8x0": conn_prio: 29,28; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset;
000 "ssl-iptrafficsig-1/8x0": newest ISAKMP SA: #0; newest IPsec SA: #17;
000 "ssl-iptrafficsig-1/8x0": aliases: ssl-iptrafficsig-1
000 "ssl-iptrafficsig-1/8x0": IKE algorithms wanted: AES_CBC(7)_256-SHA2_256(4)_000-MODP2048(14)
000 "ssl-iptrafficsig-1/8x0": IKE algorithms found: AES_CBC(7)_256-SHA2_256(4)_256-MODP2048(14)
000 "ssl-iptrafficsig-1/8x0": ESP algorithms wanted: AES(12)_256-SHA2_256(5)_000; pfsgroup=MODP2048(14)
000 "ssl-iptrafficsig-1/8x0": ESP algorithms loaded: AES(12)_256-SHA2_256(5)_000
000 "ssl-iptrafficsig-1/8x0": ESP algorithm newest: AES_256-HMAC_SHA2_256; pfsgroup=MODP2048
000 "ssl-iptrafficsig-1/9x0": 10.2.166.0/26===10.59.31.49<10.59.31.49>[LOCAL_END_HOST]---10.59.31.54...REMOTE_END_HOST<REMOTE_END_HOST>===10.199.0.0/28; unrouted; eroute owner: #0
000 "ssl-iptrafficsig-1/9x0": oriented; my_ip=10.59.31.49; their_ip=unset
000 "ssl-iptrafficsig-1/9x0": xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]
000 "ssl-iptrafficsig-1/9x0": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "ssl-iptrafficsig-1/9x0": labeled_ipsec:no;
000 "ssl-iptrafficsig-1/9x0": policy_label:unset;
000 "ssl-iptrafficsig-1/9x0": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0;
000 "ssl-iptrafficsig-1/9x0": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "ssl-iptrafficsig-1/9x0": sha2_truncbug:no; initial_contact:no; cisco_unity:no; send_vendorid:no;
000 "ssl-iptrafficsig-1/9x0": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "ssl-iptrafficsig-1/9x0": conn_prio: 26,28; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset;
000 "ssl-iptrafficsig-1/9x0": newest ISAKMP SA: #1; newest IPsec SA: #0;
000 "ssl-iptrafficsig-1/9x0": aliases: ssl-iptrafficsig-1
000 "ssl-iptrafficsig-1/9x0": IKE algorithms wanted: AES_CBC(7)_256-SHA2_256(4)_000-MODP2048(14)
000 "ssl-iptrafficsig-1/9x0": IKE algorithms found: AES_CBC(7)_256-SHA2_256(4)_256-MODP2048(14)
000 "ssl-iptrafficsig-1/9x0": IKE algorithm newest: AES_CBC_256-SHA2_256-MODP2048
000 "ssl-iptrafficsig-1/9x0": ESP algorithms wanted: AES(12)_256-SHA2_256(5)_000; pfsgroup=MODP2048(14)
000 "ssl-iptrafficsig-1/9x0": ESP algorithms loaded: AES(12)_256-SHA2_256(5)_000
000 Total IPsec connections: loaded 18, active 15
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(3), half-open(0), open(0), authenticated(3), anonymous(0)
000 IPsec SAs: total(20), authenticated(20), anonymous(0)
000
000 #5: "ssl-iptrafficsig-1/10x0":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2458s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #5: "ssl-iptrafficsig-1/10x0" esp.c12547a1 at REMOTE_END_HOST esp.fba10b48 at 10.59.31.49 tun.0 at REMOTE_END_HOST tun.0 at 10.59.31.49 ref=0 refhim=4294901761 Traffic: ESPout=0B ESPin=0B! ESPmax=4194303B
000 #6: "ssl-iptrafficsig-1/11x0":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2354s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #6: "ssl-iptrafficsig-1/11x0" esp.cc9e62a8 at REMOTE_END_HOST esp.858910c8 at 10.59.31.49 tun.0 at REMOTE_END_HOST tun.0 at 10.59.31.49 ref=0 refhim=4294901761 Traffic: ESPout=0B ESPin=0B! ESPmax=4194303B
000 #7: "ssl-iptrafficsig-1/12x0":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2419s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #7: "ssl-iptrafficsig-1/12x0" esp.c5799a78 at REMOTE_END_HOST esp.5705a8e8 at 10.59.31.49 tun.0 at REMOTE_END_HOST tun.0 at 10.59.31.49 ref=0 refhim=4294901761 Traffic: ESPout=0B ESPin=0B! ESPmax=4194303B
000 #28: "ssl-iptrafficsig-1/13x0":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2552s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #28: "ssl-iptrafficsig-1/13x0" esp.c6f6d061 at REMOTE_END_HOST esp.9672692a at 10.59.31.49 tun.0 at REMOTE_END_HOST tun.0 at 10.59.31.49 ref=0 refhim=4294901761 Traffic: ESPout=0B ESPin=0B! ESPmax=4194303B
000 #9: "ssl-iptrafficsig-1/14x0":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2406s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #9: "ssl-iptrafficsig-1/14x0" esp.c4c54e51 at REMOTE_END_HOST esp.b1174378 at 10.59.31.49 tun.0 at REMOTE_END_HOST tun.0 at 10.59.31.49 ref=0 refhim=4294901761 Traffic: ESPout=0B ESPin=0B! ESPmax=4194303B
000 #23: "ssl-iptrafficsig-1/1x0":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2518s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #23: "ssl-iptrafficsig-1/1x0" esp.c98a55c4 at REMOTE_END_HOST esp.7c7e290f at 10.59.31.49 tun.0 at REMOTE_END_HOST tun.0 at 10.59.31.49 ref=0 refhim=4294901761 Traffic: ESPout=58KB ESPin=567KB! ESPmax=4194303B
000 #20: "ssl-iptrafficsig-1/1x0":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2411s; isakmp#1; idle; import:admin initiate
000 #20: "ssl-iptrafficsig-1/1x0" esp.c401c664 at REMOTE_END_HOST esp.5ec26044 at 10.59.31.49 tun.0 at REMOTE_END_HOST tun.0 at 10.59.31.49 ref=0 refhim=4294901761 Traffic: ESPout=0B ESPin=0B! ESPmax=4194303B
000 #19: "ssl-iptrafficsig-1/1x0":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2405s; isakmp#1; idle; import:admin initiate
000 #19: "ssl-iptrafficsig-1/1x0" esp.ce619448 at REMOTE_END_HOST esp.6ac57625 at 10.59.31.49 tun.0 at REMOTE_END_HOST tun.0 at 10.59.31.49 ref=0 refhim=4294901761 Traffic: ESPout=2KB ESPin=2KB! ESPmax=4194303B
000 #10: "ssl-iptrafficsig-1/1x0":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2454s; isakmp#1; idle; import:admin initiate
000 #10: "ssl-iptrafficsig-1/1x0" esp.c27d9a00 at REMOTE_END_HOST esp.9ea667fc at 10.59.31.49 tun.0 at REMOTE_END_HOST tun.0 at 10.59.31.49 ref=0 refhim=4294901761 Traffic: ESPout=2KB ESPin=1KB! ESPmax=4194303B
000 #26: "ssl-iptrafficsig-1/2x0":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2556s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #26: "ssl-iptrafficsig-1/2x0" esp.c5e48b50 at REMOTE_END_HOST esp.ce80491d at 10.59.31.49 tun.0 at REMOTE_END_HOST tun.0 at 10.59.31.49 ref=0 refhim=4294901761 Traffic: ESPout=39KB ESPin=1MB! ESPmax=4194303B
000 #12: "ssl-iptrafficsig-1/3x0":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2469s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #12: "ssl-iptrafficsig-1/3x0" esp.c13c907e at REMOTE_END_HOST esp.1469cbba at 10.59.31.49 tun.0 at REMOTE_END_HOST tun.0 at 10.59.31.49 ref=0 refhim=4294901761 Traffic: ESPout=0B ESPin=2MB! ESPmax=4194303B
000 #13: "ssl-iptrafficsig-1/4x0":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2479s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #13: "ssl-iptrafficsig-1/4x0" esp.cc814da7 at REMOTE_END_HOST esp.162df46b at 10.59.31.49 tun.0 at REMOTE_END_HOST tun.0 at 10.59.31.49 ref=0 refhim=4294901761 Traffic: ESPout=122KB ESPin=1MB! ESPmax=4194303B
000 #22: "ssl-iptrafficsig-1/5x0":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2380s; isakmp#1; idle; import:admin initiate
000 #22: "ssl-iptrafficsig-1/5x0" esp.cb7b9074 at REMOTE_END_HOST esp.3554ede3 at 10.59.31.49 tun.0 at REMOTE_END_HOST tun.0 at 10.59.31.49 ref=0 refhim=4294901761 Traffic: ESPout=372B ESPin=340B! ESPmax=4194303B
000 #14: "ssl-iptrafficsig-1/5x0":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2348s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #14: "ssl-iptrafficsig-1/5x0" esp.c9255d9a at REMOTE_END_HOST esp.8857fbd4 at 10.59.31.49 tun.0 at REMOTE_END_HOST tun.0 at 10.59.31.49 ref=0 refhim=4294901761 Traffic: ESPout=12KB ESPin=122KB! ESPmax=4194303B
000 #27: "ssl-iptrafficsig-1/6x0":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2436s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #27: "ssl-iptrafficsig-1/6x0" esp.c6ad61ed at REMOTE_END_HOST esp.db4b3c21 at 10.59.31.49 tun.0 at REMOTE_END_HOST tun.0 at 10.59.31.49 ref=0 refhim=4294901761 Traffic: ESPout=0B ESPin=0B! ESPmax=4194303B
000 #16: "ssl-iptrafficsig-1/7x0":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2483s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #16: "ssl-iptrafficsig-1/7x0" esp.c3e42509 at REMOTE_END_HOST esp.6a2fd0a8 at 10.59.31.49 tun.0 at REMOTE_END_HOST tun.0 at 10.59.31.49 ref=0 refhim=4294901761 Traffic: ESPout=0B ESPin=0B! ESPmax=4194303B
000 #17: "ssl-iptrafficsig-1/8x0":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2355s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #17: "ssl-iptrafficsig-1/8x0" esp.c80847c0 at REMOTE_END_HOST esp.a2ed620 at 10.59.31.49 tun.0 at REMOTE_END_HOST tun.0 at 10.59.31.49 ref=0 refhim=4294901761 Traffic: ESPout=10KB ESPin=98KB! ESPmax=4194303B
000 #1: "ssl-iptrafficsig-1/9x0":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 27574s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000
000 Bare Shunt list:
000
Hoping someone has seen some behaviour like this before. I have other clients on this VPN with no issues; therefore I suspect it’s an issue with the strongswan instance.
Thanks
Joe
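An added example, not part of the original thread or of Libreswan: a triage script for `ipsec status` output in the format quoted above. It lists connections that hold no IPsec SA, finds traffic selectors that occur under more than one connection (10.2.166.0/26 appears twice in `leftsubnets`), and computes the rekey window implied by the reported `ipsec_life`, `rekey_margin` and `rekey_fuzz`. The function names are hypothetical and the sample lines are abridged from the status output in the message.

```python
import re
from collections import defaultdict

# Sample input: lines abridged from the `ipsec status` output quoted in the
# message above (three of the sub-connections, three status lines each).
SAMPLE_STATUS = """\
000 "ssl-iptrafficsig-1/7x0": 10.2.166.0/26===10.59.31.49<10.59.31.49>[LOCAL_END_HOST]---10.59.31.54...REMOTE_END_HOST<REMOTE_END_HOST>===10.199.0.0/28; erouted; eroute owner: #16
000 "ssl-iptrafficsig-1/7x0": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0;
000 "ssl-iptrafficsig-1/7x0": newest ISAKMP SA: #0; newest IPsec SA: #16;
000 "ssl-iptrafficsig-1/8x0": 10.2.74.64/29===10.59.31.49<10.59.31.49>[LOCAL_END_HOST]---10.59.31.54...REMOTE_END_HOST<REMOTE_END_HOST>===10.199.0.0/28; erouted; eroute owner: #17
000 "ssl-iptrafficsig-1/8x0": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0;
000 "ssl-iptrafficsig-1/8x0": newest ISAKMP SA: #0; newest IPsec SA: #17;
000 "ssl-iptrafficsig-1/9x0": 10.2.166.0/26===10.59.31.49<10.59.31.49>[LOCAL_END_HOST]---10.59.31.54...REMOTE_END_HOST<REMOTE_END_HOST>===10.199.0.0/28; unrouted; eroute owner: #0
000 "ssl-iptrafficsig-1/9x0": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0;
000 "ssl-iptrafficsig-1/9x0": newest ISAKMP SA: #1; newest IPsec SA: #0;
"""

# Topology line: local subnet === ... === remote subnet; routing state; owner.
TOPOLOGY = re.compile(
    r'^000 "([^"]+)":\s+(\S+?)===.*===(\S+?);\s*([^;]+);\s*eroute owner: #(\d+)')
NEWEST = re.compile(
    r'^000 "([^"]+)":\s+newest ISAKMP SA: #(\d+); newest IPsec SA: #(\d+);')
LIFE = re.compile(
    r'^000 "([^"]+)":\s+ike_life: (\d+)s; ipsec_life: (\d+)s; '
    r'rekey_margin: (\d+)s; rekey_fuzz: (\d+)%')


def parse_status(text):
    """Collect per-connection facts from `ipsec status` output."""
    conns = defaultdict(dict)
    for line in text.splitlines():
        if m := TOPOLOGY.match(line):
            name, left, right, routing, owner = m.groups()
            conns[name].update(left=left, right=right,
                               routing=routing.strip(),
                               eroute_owner=int(owner))
        elif m := NEWEST.match(line):
            conns[m[1]].update(isakmp_sa=int(m[2]), ipsec_sa=int(m[3]))
        elif m := LIFE.match(line):
            conns[m[1]].update(ike_life=int(m[2]), ipsec_life=int(m[3]),
                               rekey_margin=int(m[4]), rekey_fuzz=int(m[5]))
    return dict(conns)


def without_ipsec_sa(conns):
    """Connections whose newest IPsec SA is #0, i.e. no tunnel is installed."""
    return sorted(n for n, c in conns.items() if c.get("ipsec_sa", 0) == 0)


def duplicate_selectors(conns):
    """Local/remote subnet pairs that occur under more than one connection."""
    by_selector = defaultdict(list)
    for name, c in conns.items():
        if "left" in c:
            by_selector[(c["left"], c["right"])].append(name)
    return {sel: sorted(names)
            for sel, names in by_selector.items() if len(names) > 1}


def rekey_window(conn):
    """(earliest, latest) seconds into the IPsec SA at which this end starts
    rekeying. Per the ipsec.conf description, rekeymargin is randomly
    increased by up to rekeyfuzz percent."""
    margin = conn["rekey_margin"]
    latest = conn["ipsec_life"] - margin
    earliest = latest - margin * conn["rekey_fuzz"] // 100
    return earliest, latest


if __name__ == "__main__":
    conns = parse_status(SAMPLE_STATUS)
    for name in without_ipsec_sa(conns):
        print(f"{name}: no IPsec SA, routing state {conns[name]['routing']!r}")
    for (left, right), names in duplicate_selectors(conns).items():
        print(f"{left} <-> {right} is configured under: {', '.join(names)}")
    for name, c in conns.items():
        print(f"{name}: rekey starts {rekey_window(c)} s into the SA")
```
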