<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">
<div class="">I recently experienced an issue where an SA was established even though the new NAT mapping (the NATD source IP) was a different IP address than what was configured in my ipsec.conf file. Is this expected? Is there something I'm doing in my configuration files to allow this? Could this be a bug?</div>
<div class=""><br class="">
</div>
<div class="">Let me know if you need any more information. Most internal information has been altered.</div>
<div class=""><br class="">
</div>
<div class="">--------- SERVER ---------</div>
<div class="">Aug 26 20:24:53 serverhost pluto[1262]: "server" #39953: responding to Main Mode</div>
<div class="">Aug 26 20:24:53 serverhost pluto[1262]: "server" #39953: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1</div>
<div class="">Aug 26 20:24:53 serverhost pluto[1262]: "server" #39953: STATE_MAIN_R1: sent MR1, expecting MI2</div>
<div class="">Aug 26 20:24:53 serverhost pluto[1262]: "server" #39953: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2</div>
<div class="">Aug 26 20:24:53 serverhost pluto[1262]: "server" #39953: STATE_MAIN_R2: sent MR2, expecting MI3</div>
<div class="">Aug 26 20:24:54 serverhost pluto[1262]: "server" #39953: Main mode peer ID is ID_FQDN: '@theleftid'</div>
<div class="">Aug 26 20:24:54 serverhost pluto[1262]: "server" #39953: certificate CN=clientmachine,OU=Homebase,O="Craig Inc.",L=Seattle,ST=WA,C=US OK</div>
<div class="">Aug 26 20:24:54 serverhost pluto[1262]: "server" #39953: I am sending my cert</div>
<div class="">Aug 26 20:24:54 serverhost pluto[1262]: "server" #39953: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3</div>
<div class="">Aug 26 20:24:54 serverhost pluto[1262]: "server" #39953: new NAT mapping for #39953, was 1.2.3.4:500, now 1.2.3.5:5000</div>
<div class="">Aug 26 20:24:54 serverhost pluto[1262]: "server" #39953: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=RSA_SIG cipher=aes_256 integ=sha group=MODP2048}</div>
<div class="">Aug 26 20:24:54 serverhost pluto[1262]: "server" #39953: the peer proposed: 0.0.0.0/0:0/0 -> 0.0.0.0/0:0/0</div>
<div class="">Aug 26 20:24:54 serverhost pluto[1262]: "server" #39954: responding to Quick Mode proposal {msgid:fb13fae4}</div>
<div class="">Aug 26 20:24:54 serverhost pluto[1262]: "server" #39954:     us: 0.0.0.0/0===6.7.8.9<6.7.8.9>[C=US, ST=WA, L=Seattle, O=Craig Inc., OU=Homebase, CN=servermachine]</div>
<div class="">Aug 26 20:24:54 serverhost pluto[1262]: "server" #39954:   them: 1.2.3.4<1.2.3.4>[@theleftid]===0.0.0.0/0</div>
<div class="">Aug 26 20:24:54 serverhost pluto[1262]: "server" #39954: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1</div>
<div class="">Aug 26 20:24:54 serverhost pluto[1262]: "server" #39954: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP/NAT=>0xe49e0bdf <0x454f74aa xfrm=AES_256-HMAC_SHA2_256 NATOA=none NATD=1.2.3.5:5000 DPD=passive}</div>
<div class="">Aug 26 20:24:54 serverhost pluto[1262]: "server" #39954: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2</div>
<div class="">Aug 26 20:24:54 serverhost pluto[1262]: "server" #39954: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0xe49e0bdf <0x454f74aa xfrm=AES_256-HMAC_SHA2_256 NATOA=none NATD=1.2.3.5:5000 DPD=passive}</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class=""># begin conn server</div>
<div class="">conn server</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>left=1.2.3.4</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>leftid="@theleftid"</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>leftsubnet=0.0.0.0/0</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>left=1.2.3.4</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>right=6.7.8.9</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>rightid="%fromcert"</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>rightsubnet=0.0.0.0/0</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>rightcert=servercert</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>right=6.7.8.9</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>rightupdown=/usr/libexec/ipsec/updownscript</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>rightcert=server</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>authby=rsasig</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>vti-routing=no</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>encapsulation=yes</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>keyingtries=0</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>mark=0x4000000/0xff000000</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>vti-interface=server</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>phase2alg=aes256-sha2_256</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>auto=ignore</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>type=tunnel</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>compress=no</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>pfs=yes</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>ikepad=yes</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>authby=rsasig</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>phase2=esp</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>ikev2=permit</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>esn=no</div>
<div class=""># end conn server</div>
<div class=""><br class="">
</div>
<div class="">src 1.2.3.4 dst 6.7.8.9</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>proto esp spi 0x329b3575 reqid 16421 mode tunnel</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>replay-window 32 flag af-unspec</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>auth-trunc hmac(sha256) 0x75bc3d06f3de2c7d08ba514615729504b4b22b0fd13d0e4c69e9aa952c8cae72 128</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>enc cbc(aes) 0x2594a6f6dc5d5d7165b2569b1c83c90154e564757cc3ad0e957d06be957863c9</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>encap type espinudp sport 5000 dport 4500 addr 0.0.0.0</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>anti-replay context: seq 0xda9, oseq 0x0, bitmap 0xffffffff</div>
<div class="">src 6.7.8.9 dst 1.2.3.4</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>proto esp spi 0x9c1840e1 reqid 16421 mode tunnel</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>replay-window 32 flag af-unspec</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>auth-trunc hmac(sha256) 0x7ff1a608ee118b28d1d0b22e7857713e0810189ab0be0c431e1f79cd0ffaad23 128</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>enc cbc(aes) 0xd9c5d46be698f49153700b6f20551e406362e2fd671c5cf99d050242e1bd8b71</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>encap type espinudp sport 4500 dport 5000 addr 0.0.0.0</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>anti-replay context: seq 0x0, oseq 0xda0, bitmap 0x00000000</div>
<div class=""><br class="">
</div>
<div class="">src 0.0.0.0/0 dst 0.0.0.0/0 </div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>dir out priority 3136 ptype main </div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>mark 67108864/0xff000000</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>tmpl src 6.7.8.9 dst 1.2.3.4</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>proto esp reqid 16421 mode tunnel</div>
<div class="">src 0.0.0.0/0 dst 0.0.0.0/0 </div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>dir fwd priority 3136 ptype main </div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>mark 67108864/0xff000000</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>tmpl src 1.2.3.4 dst 6.7.8.9</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>proto esp reqid 16421 mode tunnel</div>
<div class="">src 0.0.0.0/0 dst 0.0.0.0/0 </div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>dir in priority 3136 ptype main </div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>mark 67108864/0xff000000</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>tmpl src 1.2.3.4 dst 6.7.8.9</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>proto esp reqid 16421 mode tunnel</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">--------- CLIENT ---------</div>
<div class="">Aug 26 20:24:53 clienthost pluto[19350]: "client" #664: initiating Main Mode</div>
<div class="">Aug 26 20:24:53 clienthost pluto[19350]: "client" #664: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2</div>
<div class="">Aug 26 20:24:53 clienthost pluto[19350]: "client" #664: STATE_MAIN_I2: sent MI2, expecting MR2</div>
<div class="">Aug 26 20:24:53 clienthost pluto[19350]: "client" #664: I am sending my cert</div>
<div class="">Aug 26 20:24:53 clienthost pluto[19350]: "client" #664: I am sending a certificate request</div>
<div class="">Aug 26 20:24:53 clienthost pluto[19350]: "client" #664: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3</div>
<div class="">Aug 26 20:24:53 clienthost pluto[19350]: "client" #664: STATE_MAIN_I3: sent MI3, expecting MR3</div>
<div class="">Aug 26 20:24:54 clienthost pluto[19350]: "client" #664: Main mode peer ID is ID_DER_ASN1_DN: 'C=US, ST=WA, L=Seattle, O=Craig Inc., OU=Homebase, CN=servermachine'</div>
<div class="">Aug 26 20:24:54 clienthost pluto[19350]: "client" #664: certificate CN=servermachine,OU=Homebase,O="Craig Inc.",L=Seattle,ST=WA,C=US OK</div>
<div class="">Aug 26 20:24:54 clienthost pluto[19350]: "client" #664: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4</div>
<div class="">Aug 26 20:24:54 clienthost pluto[19350]: "client" #664: STATE_MAIN_I4: ISAKMP SA established {auth=RSA_SIG cipher=aes_256 integ=sha group=MODP2048}</div>
<div class="">Aug 26 20:24:54 clienthost pluto[19350]: "client" #665: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#664 msgid:fb13fae4 proposal=AES(12)_256-SHA2_256(5) pfsgroup=MODP2048}</div>
<div class="">Aug 26 20:24:54 clienthost pluto[19350]: "client" #665: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2</div>
<div class="">Aug 26 20:24:54 clienthost pluto[19350]: "client" #665: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0x454f74aa <0xe49e0bdf xfrm=AES_256-HMAC_SHA2_256 NATOA=none NATD=6.7.8.9:4500 DPD=active}</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class=""># begin conn client</div>
<div class="">conn client</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>left=1.2.3.4</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>leftid="@theleftid"</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>leftsubnet=0.0.0.0/0</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>leftcert=clientcert</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>left=1.2.3.4</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>right=6.7.8.9</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>rightid="%fromcert"</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>rightsubnet=0.0.0.0/0</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>right=6.7.8.9</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>authby=rsasig</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>vti-routing=no</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>vti-shared=yes</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>encapsulation=yes</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>keyingtries=0</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>dpddelay=30</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>dpdtimeout=120</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>dpdaction=restart</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>mark=0x2000000/0xff000000</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>vti-interface=client</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>phase2alg=aes256-sha2_256</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>auto=ignore</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>type=tunnel</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>compress=no</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>pfs=yes</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>ikepad=yes</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>authby=rsasig</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>phase2=esp</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>ikev2=permit</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>esn=no</div>
<div class=""># end conn client</div>
<div class=""><br class="">
</div>
<div class="">+ ip xfrm state</div>
<div class="">src 6.7.8.9 dst 1.2.3.4</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>proto esp spi 0x9c1840e1 reqid 16389 mode tunnel</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>replay-window 32 flag af-unspec</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>auth-trunc hmac(sha256) 0x7ff1a608ee118b28d1d0b22e7857713e0810189ab0be0c431e1f79cd0ffaad23 128</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>enc cbc(aes) 0xd9c5d46be698f49153700b6f20551e406362e2fd671c5cf99d050242e1bd8b71</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>encap type espinudp sport 4500 dport 4500 addr 0.0.0.0</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000</div>
<div class="">src 1.2.3.4 dst 6.7.8.9</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>proto esp spi 0x329b3575 reqid 16389 mode tunnel</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>replay-window 32 flag af-unspec</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>auth-trunc hmac(sha256) 0x75bc3d06f3de2c7d08ba514615729504b4b22b0fd13d0e4c69e9aa952c8cae72 128</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>enc cbc(aes) 0x2594a6f6dc5d5d7165b2569b1c83c90154e564757cc3ad0e957d06be957863c9</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>encap type espinudp sport 4500 dport 4500 addr 0.0.0.0</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>anti-replay context: seq 0x0, oseq 0xce9, bitmap 0x00000000</div>
<div class="">+ _________________________ ip-xfrm-policy</div>
<div class="">+ ip xfrm policy</div>
<div class="">src 0.0.0.0/0 dst 0.0.0.0/0 </div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>dir out priority 3136 ptype main </div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>mark 33554432/0xff000000</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>tmpl src 1.2.3.4 dst 6.7.8.9</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>proto esp reqid 16389 mode tunnel</div>
<div class="">src 0.0.0.0/0 dst 0.0.0.0/0 </div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>dir fwd priority 3136 ptype main </div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>mark 33554432/0xff000000</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>tmpl src 6.7.8.9 dst 1.2.3.4</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>proto esp reqid 16389 mode tunnel</div>
<div class="">src 0.0.0.0/0 dst 0.0.0.0/0 </div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>dir in priority 3136 ptype main </div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>mark 33554432/0xff000000</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>tmpl src 6.7.8.9 dst 1.2.3.4</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>proto esp reqid 16389 mode tunnel</div>
<div class="">
<div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;">
<br class="Apple-interchange-newline">
--</div>
<div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;">
cm</div>
</div>
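<div class="">The following is an added example, not code from the original post or from libreswan. It shows the RFC 3947 NAT-D computation that produces a "new NAT mapping" event: each side hashes the IKE cookies together with the address and port it believes the packet travelled between, and the responder compares the initiator's hash with one computed over the source address it actually saw. It also includes a small checker that parses pluto log lines in the format shown above and flags mapping changes whose new address is not the peer address configured in ipsec.conf (left=1.2.3.4 in the post). The cookies, the SHA-1 hash choice (matching integ=sha in the log), and the sample log lines are constructed for the example.</div>

```python
"""Added example (not from the original post or libreswan): RFC 3947 NAT-D
hashes, plus a checker that flags pluto "new NAT mapping" lines whose new
address differs from the peer address configured in ipsec.conf.
Cookies, addresses and log lines below are constructed, modelled on the post."""
import hashlib
import ipaddress
import re
import struct


def natd_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, hash_name: str = "sha1") -> bytes:
    """RFC 3947 NAT-D payload content: HASH(CKY-I | CKY-R | IP | Port).
    IP is the packed address in network byte order, Port a 2-byte big-endian
    value; the hash is the IKE SA's negotiated hash (SHA-1 here, as in the log)."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def nat_detected(cky_i: bytes, cky_r: bytes,
                 peer_claimed_ip: str, peer_claimed_port: int,
                 seen_ip: str, seen_port: int) -> bool:
    """Responder-side check. The initiator's NAT-D hash covers the address it
    believes it sends from; the responder hashes the source address and port it
    actually received the packet from. A mismatch means something rewrote the
    outer header on the path (a NAT, or any other address/port translation)."""
    claimed = natd_hash(cky_i, cky_r, peer_claimed_ip, peer_claimed_port)
    observed = natd_hash(cky_i, cky_r, seen_ip, seen_port)
    return claimed != observed


# Matches the pluto log format shown in the post, e.g.
#   "server" #39953: new NAT mapping for #39953, was 1.2.3.4:500, now 1.2.3.5:5000
NAT_MAPPING_RE = re.compile(
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): new NAT mapping for #\d+, '
    r'was (?P<old_ip>[\d.]+):(?P<old_port>\d+), now (?P<new_ip>[\d.]+):(?P<new_port>\d+)'
)


def check_nat_mappings(log_lines, configured_peer_ip: str):
    """Return one finding per 'new NAT mapping' line whose new address is not
    the configured peer address. A port-only float (e.g. 500 -> 4500 on the
    same address) is normal NAT-T behaviour and is not flagged."""
    findings = []
    for line in log_lines:
        m = NAT_MAPPING_RE.search(line)
        if not m:
            continue
        if m["new_ip"] != configured_peer_ip:
            findings.append({
                "conn": m["conn"],
                "sa": int(m["sa"]),
                "old": f"{m['old_ip']}:{m['old_port']}",
                "new": f"{m['new_ip']}:{m['new_port']}",
                "configured": configured_peer_ip,
            })
    return findings


# Constructed sample log, modelled on the server-side lines in the post,
# plus one constructed port-only float that keeps the configured address.
SAMPLE_LOG = [
    'Aug 26 20:24:54 serverhost pluto[1262]: "server" #39953: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3',
    'Aug 26 20:24:54 serverhost pluto[1262]: "server" #39953: new NAT mapping for #39953, was 1.2.3.4:500, now 1.2.3.5:5000',
    'Aug 26 20:24:54 serverhost pluto[1262]: "server" #39953: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=RSA_SIG cipher=aes_256 integ=sha group=MODP2048}',
    'Aug 26 20:30:00 serverhost pluto[1262]: "other" #40001: new NAT mapping for #40001, was 1.2.3.4:500, now 1.2.3.4:4500',
]

# Constructed 8-byte ISAKMP cookies (assumption: any values work for the demo).
CKY_I = bytes.fromhex("0123456789abcdef")
CKY_R = bytes.fromhex("fedcba9876543210")


if __name__ == "__main__":
    # The initiator hashed 1.2.3.4:500; the responder saw 1.2.3.5:5000.
    print("NAT detected:", nat_detected(CKY_I, CKY_R, "1.2.3.4", 500, "1.2.3.5", 5000))
    for f in check_nat_mappings(SAMPLE_LOG, "1.2.3.4"):
        print(f"{f['conn']} #{f['sa']}: mapping {f['old']} -> {f['new']} "
              f"does not match configured peer {f['configured']}")
```

Running the checker over a pluto log is a cheap way to spot the situation in the post: with NAT-T the responder learns where the peer's authenticated packets actually come from, so a change of source address is reported as a new mapping rather than refused, and the only way to notice that the address no longer matches ipsec.conf is to compare the two explicitly.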
<br class="">
</body>
</html>