<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">I'm having a bit of trouble with opportunistic IPsec, specifically getting failover to clear working. Here is my setup:<div class=""><br class=""></div><div class="">* Red Hat 7 on AWS in FIPS mode, libreswan 3.20.</div><div class="">* An SSH jump box with:</div><div class="">  - the main eth0 interface is on a public subnet (10.0.0.0/24); this traffic need not be encrypted. This also has an elastic IP, but I don’t think that matters here.</div><div class="">  - a second interface eth1 on a private subnet (10.0.1.0/24). This subnet should (almost) always be encrypted.</div><div class="">  - opportunistic configuration mostly taken from the Wiki example for the private-or-clear section. One important change was <span style="font-family: Menlo; font-size: 11px; background-color: rgb(255, 255, 255);" class="">left=10.0.1.100</span></div><div class="">  - the “clear” policy includes just the gateway (10.0.1.1/32)</div><div class="">  - the “private-or-clear” policy includes the rest of the subnet (10.0.1.0/24)</div><div class="">* A client configured for OE at 10.0.1.21.</div><div class="">  - the “private” policy is set to the subnet (10.0.1.0/24)</div><div class="">  - the “clear” policy is the gateway (10.0.1.1/32)</div><div class="">* A client without IPsec at 10.0.1.22.</div><div class=""><br class=""></div><div class="">The idea here is that when starting new VMs in the private subnet I need to first go through the jump box to configure the IPsec tunnels. So I need to fail over to clear until they are set up. But once they are configured I should only use encrypted traffic. 
What I am seeing is that I can connect to the properly configured host via the IPsec tunnel, but I cannot get to the unconfigured host.</div><div class=""><br class=""></div><div class="">When I run “ipsec status” the connection list is interesting: specifically in the “clear” section the only interface listed is eth0 (see below). I have tried using both the “<span style="background-color: rgb(255, 255, 255);" class=""><font face="Menlo" class=""><span style="font-size: 11px;" class="">interfaces</span></font></span>” and “<span style="background-color: rgb(255, 255, 255);" class=""><font face="Menlo" class=""><span style="font-size: 11px;" class="">listen</span></font></span>” parameters in the main config section, but even then the best I can do is get a blank value for the interface in the clear section. Any ideas?</div><div class=""><br class=""></div><div class="">----------------------</div><div class=""><div style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);" class=""><br class=""></div></div><div style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);" class=""><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 Connection list:</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000  </span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "clear": 10.0.0.100---10.0.0.1...%group; unrouted; eroute owner: #0</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "clear":     oriented; my_ip=unset; their_ip=unset</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: 
no-common-ligatures" class="">000 "clear":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "clear":   our auth:unset, their auth:unset</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "clear":   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "clear":   labeled_ipsec:no;</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "clear":   policy_label:unset;</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "clear":   ike_life: 0s; ipsec_life: 0s; replay_window: 0; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "clear":   retransmit-interval: 0ms; retransmit-timeout: 0s;</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "clear":   sha2-truncbug:no; initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "clear":   policy: PFS+GROUP+GROUTED+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+PASS+NEVER_NEGOTIATE;</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" 
class="">000 "clear":   conn_prio: 32,32; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "clear":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no;</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "clear":   dpd: action:disabled; delay:0; timeout:0; nat-t: encaps:no; nat_keepalive:no; ikev1_natt:both</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "clear":   newest ISAKMP SA: #0; newest IPsec SA: #0;</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "clear#10.0.1.1/32": 10.0.0.100---10.0.0.1...%any; prospective erouted; eroute owner: #0</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "clear#10.0.1.1/32":     oriented; my_ip=unset; their_ip=unset</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "clear#10.0.1.1/32":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "clear#10.0.1.1/32":   our auth:unset, their auth:unset</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "clear#10.0.1.1/32":   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;</span></div><div style="margin: 0px; line-height: normal;" class=""><span 
style="font-variant-ligatures: no-common-ligatures" class="">000 "clear#10.0.1.1/32":   labeled_ipsec:no;</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "clear#10.0.1.1/32":   policy_label:unset;</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "clear#10.0.1.1/32":   ike_life: 0s; ipsec_life: 0s; replay_window: 0; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "clear#10.0.1.1/32":   retransmit-interval: 0ms; retransmit-timeout: 0s;</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "clear#10.0.1.1/32":   sha2-truncbug:no; initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "clear#10.0.1.1/32":   policy: PFS+GROUPINSTANCE+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+PASS+NEVER_NEGOTIATE;</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "clear#10.0.1.1/32":   conn_prio: 32,32; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "clear#10.0.1.1/32":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no;</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "clear#10.0.1.1/32":   dpd: action:disabled; delay:0; timeout:0; 
nat-t: encaps:no; nat_keepalive:no; ikev1_natt:both</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "clear#10.0.1.1/32":   newest ISAKMP SA: #0; newest IPsec SA: #0;</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "private-or-clear": 10.0.1.100<10.0.1.100>[CA-INFO-REDACTED]...%opportunisticgroup[%fromcert]; unrouted; eroute owner: #0</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "private-or-clear":     oriented; my_ip=unset; their_ip=unset; mycert=</span> CA-INFO-REDACTED</div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "private-or-clear":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "private-or-clear":   our auth:rsasig, their auth:rsasig</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "private-or-clear":   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "private-or-clear":   labeled_ipsec:no;</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "private-or-clear":   policy_label:unset;</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "private-or-clear":   CAs: 
'CA-INFO-REDACTED'</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "private-or-clear":   ike_life: 3600s; ipsec_life: 3600s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1;</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "private-or-clear":   retransmit-interval: 500ms; retransmit-timeout: 3s;</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "private-or-clear":   sha2-truncbug:no; initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "private-or-clear":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "private-or-clear":   conn_prio: 32,0; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "private-or-clear":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no;</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "private-or-clear":   dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "private-or-clear":   newest ISAKMP SA: #0; newest IPsec SA: 
#0;</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "private-or-clear#10.0.1.0/24": 10.0.1.100<10.0.1.100>[CA-INFO-REDACTED]...%opportunistic[%fromcert]===10.0.1.0/24; prospective erouted; eroute owner: #0</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "private-or-clear#10.0.1.0/24":     oriented; my_ip=unset; their_ip=unset; mycert=</span> CA-INFO-REDACTED</div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "private-or-clear#10.0.1.0/24":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "private-or-clear#10.0.1.0/24":   our auth:rsasig, their auth:rsasig</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "private-or-clear#10.0.1.0/24":   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "private-or-clear#10.0.1.0/24":   labeled_ipsec:no;</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "private-or-clear#10.0.1.0/24":   policy_label:unset;</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "private-or-clear#10.0.1.0/24":   CAs: 'CA-INFO-REDACTED'</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" 
class="">000 "private-or-clear#10.0.1.0/24":   ike_life: 3600s; ipsec_life: 3600s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1;</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "private-or-clear#10.0.1.0/24":   retransmit-interval: 500ms; retransmit-timeout: 3s;</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "private-or-clear#10.0.1.0/24":   sha2-truncbug:no; initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "private-or-clear#10.0.1.0/24":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "private-or-clear#10.0.1.0/24":   conn_prio: 32,0; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "private-or-clear#10.0.1.0/24":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no;</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "private-or-clear#10.0.1.0/24":   dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "private-or-clear#10.0.1.0/24":   newest ISAKMP SA: #0; newest IPsec SA: #0;</span></div><div style="margin: 0px; 
line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "private-or-clear#10.0.1.0/24"[1]: 10.0.1.100<10.0.1.100>[CA-INFO-REDACTED]...10.0.1.21[CA-INFO-REDACTED]; erouted; eroute owner: #2</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "private-or-clear#10.0.1.0/24"[1]:     oriented; my_ip=unset; their_ip=unset; mycert=</span> CA-INFO-REDACTED</div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "private-or-clear#10.0.1.0/24"[1]:   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "private-or-clear#10.0.1.0/24"[1]:   our auth:rsasig, their auth:rsasig</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "private-or-clear#10.0.1.0/24"[1]:   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "private-or-clear#10.0.1.0/24"[1]:   labeled_ipsec:no;</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "private-or-clear#10.0.1.0/24"[1]:   policy_label:unset;</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "private-or-clear#10.0.1.0/24"[1]:   CAs: 'CA-INFO-REDACTED'</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "private-or-clear#10.0.1.0/24"[1]:   
ike_life: 3600s; ipsec_life: 3600s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1;</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "private-or-clear#10.0.1.0/24"[1]:   retransmit-interval: 500ms; retransmit-timeout: 3s;</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "private-or-clear#10.0.1.0/24"[1]:   sha2-truncbug:no; initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "private-or-clear#10.0.1.0/24"[1]:   policy: RSASIG+ENCRYPT+TUNNEL+PFS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "private-or-clear#10.0.1.0/24"[1]:   conn_prio: 32,0; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "private-or-clear#10.0.1.0/24"[1]:   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no;</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "private-or-clear#10.0.1.0/24"[1]:   dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "private-or-clear#10.0.1.0/24"[1]:   newest ISAKMP SA: #1; newest IPsec SA: #2;</span></div><div style="margin: 0px; line-height: normal;" 
class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "private-or-clear#10.0.1.0/24"[1]:   IKEv2 algorithm newest: AES_GCM_C_256-AUTH_NONE-PRF_HMAC_SHA2_512-MODP2048</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 "private-or-clear#10.0.1.0/24"[1]:   ESP algorithm newest: AES_GCM_C_256-NONE; pfsgroup=&lt;Phase1&gt;</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">&lt;SNIP&gt;</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 Total IPsec connections: loaded 7, active 1</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000  </span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 State Information: DDoS cookies not required, Accepting new IKE connections</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 IKE SAs: total(1), half-open(0), open(0), authenticated(0), anonymous(1)</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 IPsec SAs: total(1), authenticated(0), anonymous(1)</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000  </span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 #2: "private-or-clear#10.0.1.0/24"[1] ...10.0.1.21:500 STATE_V2_IPSEC_I (IPsec SA 
established); EVENT_v2_SA_REPLACE_IF_USED in 2627s; newest IPSEC; eroute owner; isakmp#1; idle; import:local rekey</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 #2: "private-or-clear#10.0.1.0/24"[1] ...10.0.1.21 esp.5ea67249@10.0.1.21 esp.1248e35f@10.0.1.100 tun.0@10.0.1.21 tun.0@10.0.1.100 ref=0 refhim=0 Traffic: ESPin=4KB ESPout=5KB! ESPmax=0B </span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 #1: "private-or-clear#10.0.1.0/24"[1] ...10.0.1.21:500 STATE_PARENT_I3 (PARENT SA established); EVENT_v2_SA_REPLACE_IF_USED_IKE in 2837s; newest ISAKMP; isakmp#0; idle; import:local rekey</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 #1: "private-or-clear#10.0.1.0/24"[1] ...10.0.1.21 ref=0 refhim=0 Traffic: </span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000  </span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 Bare Shunt list:</span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000  </span></div><div style="margin: 0px; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">000 10.0.1.100/32:0 -0-> 10.0.1.22/32:0 => %unk-0 0    oe-failed</span></div></span></div><div class=""><span style="font-variant-ligatures: no-common-ligatures" class=""><br class=""></span></div></div></body></html>