On Nov 28, 2015, at 1:58 PM, Noel Kuntze <n...@familie-kuntze.de> wrote:

> Hello Tom,
>
> Provide logs and configuration details, so we can aid you in debugging it.
> We can't help you without detailed information.
> It's probably a configuration problem.
Thanks, Neil. For the record, I am using Cisco Configuration Professional Express 3.2, which is a web interface. I'm not certain that I will end up using that interface, but it's what I am testing now. I did experience this issue before when trying to connect with a software vendor's Cisco ASA.

OK, I have set up another test connection. One thing I noticed right away is that I can get the tunnel up, but I cannot get traffic to flow (that might be a firewall issue on the Cisco end). However, "ipsec status" shows this. I have no idea why there are three child SAs after only two minutes:

ciscotest[218]: ESTABLISHED 2 minutes ago, 75.144.180.161[75.144.180.161]...70.90.104.189[70.90.104.189]
ciscotest{972}:  INSTALLED, TUNNEL, reqid 57, ESP SPIs: cd9d4ba9_i 927d8324_o
ciscotest{972}:   10.2.0.0/16 === 10.10.10.0/24
ciscotest{973}:  INSTALLED, TUNNEL, reqid 57, ESP SPIs: c54b639d_i ca4c6022_o
ciscotest{973}:   10.2.0.0/16 === 10.10.10.0/24
ciscotest{974}:  INSTALLED, TUNNEL, reqid 57, ESP SPIs: c81b266c_i b563d7f6_o
ciscotest{974}:   10.2.0.0/16 === 10.10.10.0/24

The strongSwan config looks like this:

version 2

conn %default
        keyingtries=%forever

include /etc/ipsec.user.conf

conn Data
        left=ip.add.res.s1
        leftsubnet=10.2.0.0/16
        leftfirewall=yes
        lefthostaccess=yes
        right=ip.add.res.s2
        rightsubnet=10.100.0.0/23
        leftcert=/var/ipfire/certs/hostcert.pem
        rightcert=/var/ipfire/certs/Datacert.pem
        leftid="@lefthost"
        rightid="@righthost"
        ike=aes256-sha2_256-ecp512bp,aes256-sha2_256-ecp384bp,aes256-sha2_256-ecp256bp,aes256-sha2_256-ecp224bp,aes192-sha2_256-ecp512bp,aes192-sha2_256-ecp384bp,aes192-sha2_256-ecp256bp,aes192-sha2_256-ecp224bp,aes128-sha2_256-ecp512bp,aes128-sha2_256-ecp384bp,aes128-sha2_256-ecp256bp,aes128-sha2_256-ecp224bp
        esp=aes256-sha2_256-ecp512bp,aes256-sha2_256-ecp384bp,aes256-sha2_256-ecp256bp,aes256-sha2_256-ecp224bp,aes192-sha2_256-ecp512bp,aes192-sha2_256-ecp384bp,aes192-sha2_256-ecp256bp,aes192-sha2_256-ecp224bp,aes128-sha2_256-ecp512bp,aes128-sha2_256-ecp384bp,aes128-sha2_256-ecp256bp,aes128-sha2_256-ecp224bp
        keyexchange=ikev2
        ikelifetime=8h
        keylife=1h
        compress=yes
        dpdaction=restart
        dpddelay=30
        dpdtimeout=120
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        auto=start
        fragmentation=yes

conn ciscotest
        left=ip.add.res.s1
        leftsubnet=10.2.0.0/16
        leftfirewall=yes
        lefthostaccess=yes
        right=ip.add.res.s3
        rightsubnet=10.10.10.0/24
        ike=aes256-sha2_512-modp1536,aes256-sha2_512-modp1024,aes256-sha2_384-modp1536,aes256-sha2_384-modp1024,aes256-sha2_256-modp1536,aes256-sha2_256-modp1024,aes256-sha-modp1536,aes256-sha-modp1024,aes256-md5-modp1536,aes256-md5-modp1024,aes192-sha2_512-modp1536,aes192-sha2_512-modp1024,aes192-sha2_384-modp1536,aes192-sha2_384-modp1024,aes192-sha2_256-modp1536,aes192-sha2_256-modp1024,aes192-sha-modp1536,aes192-sha-modp1024,aes192-md5-modp1536,aes192-md5-modp1024,aes128-sha2_512-modp1536,aes128-sha2_512-modp1024,aes128-sha2_384-modp1536,aes128-sha2_384-modp1024,aes128-sha2_256-modp1536,aes128-sha2_256-modp1024,aes128-sha-modp1536,aes128-sha-modp1024,aes128-md5-modp1536,aes128-md5-modp1024
        esp=aes256-sha2_512-modp1536,aes256-sha2_512-modp1024,aes256-sha2_384-modp1536,aes256-sha2_384-modp1024,aes256-sha2_256-modp1536,aes256-sha2_256-modp1024,aes256-sha1-modp1536,aes256-sha1-modp1024,aes256-md5-modp1536,aes256-md5-modp1024,aes192-sha2_512-modp1536,aes192-sha2_512-modp1024,aes192-sha2_384-modp1536,aes192-sha2_384-modp1024,aes192-sha2_256-modp1536,aes192-sha2_256-modp1024,aes192-sha1-modp1536,aes192-sha1-modp1024,aes192-md5-modp1536,aes192-md5-modp1024,aes128-sha2_512-modp1536,aes128-sha2_512-modp1024,aes128-sha2_384-modp1536,aes128-sha2_384-modp1024,aes128-sha2_256-modp1536,aes128-sha2_256-modp1024,aes128-sha1-modp1536,aes128-sha1-modp1024,aes128-md5-modp1536,aes128-md5-modp1024
        keyexchange=ikev2
        ikelifetime=3h
        keylife=1h
        compress=yes
        dpdaction=restart
        dpddelay=30
        dpdtimeout=120
        authby=secret
        auto=start
        fragmentation=yes

conn NumberThree
        left=ip.add.res.s1
        leftsubnet=10.2.0.0/16
        leftfirewall=yes
        lefthostaccess=yes
        right=ip.add.res.s4
        rightsubnet=192.168.0.0/21
        leftcert=/var/ipfire/certs/hostcert.pem
        rightcert=/var/ipfire/certs/NumberThreecert.pem
        leftid="@lefthost"
        rightid="@righthost2"
        ike=aes256gcm128-sha2_512-ecp512bp,aes256gcm128-sha2_512-ecp384bp,aes256gcm128-sha2_512-ecp256bp,aes256gcm128-sha2_512-ecp224bp,aes256gcm128-sha2_256-ecp512bp,aes256gcm128-sha2_256-ecp384bp,aes256gcm128-sha2_256-ecp256bp,aes256gcm128-sha2_256-ecp224bp,aes256gcm96-sha2_512-ecp512bp,aes256gcm96-sha2_512-ecp384bp,aes256gcm96-sha2_512-ecp256bp,aes256gcm96-sha2_512-ecp224bp,aes256gcm96-sha2_256-ecp512bp,aes256gcm96-sha2_256-ecp384bp,aes256gcm96-sha2_256-ecp256bp,aes256gcm96-sha2_256-ecp224bp,aes256gcm64-sha2_512-ecp512bp,aes256gcm64-sha2_512-ecp384bp,aes256gcm64-sha2_512-ecp256bp,aes256gcm64-sha2_512-ecp224bp,aes256gcm64-sha2_256-ecp512bp,aes256gcm64-sha2_256-ecp384bp,aes256gcm64-sha2_256-ecp256bp,aes256gcm64-sha2_256-ecp224bp,aes256-sha2_512-ecp512bp,aes256-sha2_512-ecp384bp,aes256-sha2_512-ecp256bp,aes256-sha2_512-ecp224bp,aes256-sha2_256-ecp512bp,aes256-sha2_256-ecp384bp,aes256-sha2_256-ecp256bp,aes256-sha2_256-ecp224bp,aes192gcm128-sha2_512-ecp512bp,aes192gcm128-sha2_512-ecp384bp,aes192gcm128-sha2_512-ecp256bp,aes192gcm128-sha2_512-ecp224bp,aes192gcm128-sha2_256-ecp512bp,aes192gcm128-sha2_256-ecp384bp,aes192gcm128-sha2_256-ecp256bp,aes192gcm128-sha2_256-ecp224bp,aes192gcm96-sha2_512-ecp512bp,aes192gcm96-sha2_512-ecp384bp,aes192gcm96-sha2_512-ecp256bp,aes192gcm96-sha2_512-ecp224bp,aes192gcm96-sha2_256-ecp512bp,aes192gcm96-sha2_256-ecp384bp,aes192gcm96-sha2_256-ecp256bp,aes192gcm96-sha2_256-ecp224bp,aes192gcm64-sha2_512-ecp512bp,aes192gcm64-sha2_512-ecp384bp,aes192gcm64-sha2_512-ecp256bp,aes192gcm64-sha2_512-ecp224bp,aes192gcm64-sha2_256-ecp512bp,aes192gcm64-sha2_256-ecp384bp,aes192gcm64-sha2_256-ecp256bp,aes192gcm64-sha2_256-ecp224bp,aes192-sha2_512-ecp512bp,aes192-sha2_512-ecp384bp,aes192-sha2_512-ecp256bp,aes192-sha2_512-ecp224bp,aes192-sha2_256-ecp512bp,aes192-sha2_256-ecp384bp,aes192-sha2_256-ecp256bp,aes192-sha2_256-ecp224bp
        esp=aes256gcm128-ecp512bp,aes256gcm128-ecp384bp,aes256gcm128-ecp256bp,aes256gcm128-ecp224bp,aes256gcm96-ecp512bp,aes256gcm96-ecp384bp,aes256gcm96-ecp256bp,aes256gcm96-ecp224bp,aes256gcm64-ecp512bp,aes256gcm64-ecp384bp,aes256gcm64-ecp256bp,aes256gcm64-ecp224bp,aes256-sha2_512-ecp512bp,aes256-sha2_512-ecp384bp,aes256-sha2_512-ecp256bp,aes256-sha2_512-ecp224bp,aes256-sha2_256-ecp512bp,aes256-sha2_256-ecp384bp,aes256-sha2_256-ecp256bp,aes256-sha2_256-ecp224bp,aes192gcm128-ecp512bp,aes192gcm128-ecp384bp,aes192gcm128-ecp256bp,aes192gcm128-ecp224bp,aes192gcm96-ecp512bp,aes192gcm96-ecp384bp,aes192gcm96-ecp256bp,aes192gcm96-ecp224bp,aes192gcm64-ecp512bp,aes192gcm64-ecp384bp,aes192gcm64-ecp256bp,aes192gcm64-ecp224bp,aes192-sha2_512-ecp512bp,aes192-sha2_512-ecp384bp,aes192-sha2_512-ecp256bp,aes192-sha2_512-ecp224bp,aes192-sha2_256-ecp512bp,aes192-sha2_256-ecp384bp,aes192-sha2_256-ecp256bp,aes192-sha2_256-ecp224bp
        keyexchange=ikev2
        ikelifetime=3h
        keylife=1h
        compress=yes
        dpdaction=restart
        dpddelay=30
        dpdtimeout=120
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        auto=start
        fragmentation=yes

------------------------------------------------------------

From there, the Cisco config looks like this (it's the whole thing):

!
! Last configuration change at 21:19:07 GMT Sat Nov 28 2015 by admin
! NVRAM config last updated at 21:19:02 GMT Sat Nov 28 2015 by admin
!
version 15.5
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname myrouter
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
aaa authorization network local-group-author-list local
!
aaa session-id common
ethernet lmi ce
memory-size iomem 10
clock timezone GMT -5 0
!
crypto pki trustpoint TP-self-signed-340
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-340
 revocation-check none
 rsakeypair TP-self-signed-340
!
!
crypto pki certificate chain TP-self-signed-340
 certificate self-signed 01
  [SNIP]
  quit
!
ip nbar http-services
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool ccp-pool
 import all
 network 10.10.10.0 255.255.255.248
 default-router 10.10.10.1
 dns-server 75.75.75.75 75.75.76.76
 lease 0 2
!
ip domain name mydomain.dom
ip name-server 75.75.75.75
ip name-server 75.75.76.76
ip cef
no ipv6 cef
!
flow record nbar-appmon
 match ipv4 source address
 match ipv4 destination address
 match application name
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp absolute first
 collect timestamp absolute last
!
flow monitor application-mon
 cache timeout active 60
 record nbar-appmon
!
parameter-map type inspect global
 max-incomplete low 18000
 max-incomplete high 20000
 nbar-classify
!
multilink bundle-name authenticated
license udi pid CISCO881-K9 sn 1234567890
license boot module c880-data level advipservices
!
object-group service INTERNAL_UTM_SERVICE
!
object-group network Others_dst_net
 any
!
object-group network Others_src_net
 any
!
object-group service Others_svc
 ip
!
object-group network Web_dst_net
 any
!
object-group network Web_src_net
 any
!
object-group service Web_svc
 ip
!
object-group network allowall_dst_net
 any
!
object-group network allowall_src_net
 any
!
object-group service allowall_svc
 ip
!
object-group network local_cws_net
!
object-group network local_lan_subnets
 10.10.10.0 255.255.255.128
!
object-group network vpn_remote_subnets
 10.2.0.0 255.255.0.0
!
username admin privilege 15 secret 5 myencryptedpassword
!
crypto ikev2 authorization policy authpolicy1
 route set interface Vlan1
!
crypto ikev2 proposal default
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha512 sha384 sha256 sha1 md5
 group 5 2
!
crypto ikev2 policy default
 match fvrf any
 proposal default
!
crypto ikev2 keyring key
 peer SITE-KEY
  address ip.add.res.s1
  identity address ip.add.res.s1
  pre-shared-key MyPaSsWoRd
!
crypto ikev2 profile prof
 match identity remote address ip.add.res.s1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local key
 aaa authorization group psk list local-group-author-list authpolicy1
!
crypto ikev2 dpd 10 2 periodic
!
no cdp run
!
class-map type inspect match-any INTERNAL_DOMAIN_FILTER
 match protocol msnmsgr
 match protocol ymsgr
class-map type inspect match-any Others_app
 match protocol https
 match protocol smtp
 match protocol pop3
 match protocol imap
 match protocol sip
 match protocol ftp
 match protocol dns
 match protocol icmp
class-map type inspect match-all allowall
 description Allow All Traffic
 match access-group name allowall_acl
class-map type inspect match-any Web_app
 match protocol http
class-map type inspect match-all Others
 match class-map Others_app
 match access-group name Others_acl
class-map type inspect match-all Web
 match class-map Web_app
 match access-group name Web_acl
!
policy-map type inspect LAN-WAN-POLICY
 class type inspect allowall
  inspect
 class type inspect Web
  inspect
 class type inspect Others
  inspect
 class type inspect INTERNAL_DOMAIN_FILTER
  inspect
 class class-default
  drop log
!
zone security LAN
zone security WAN
zone security VPN
zone security DMZ
zone-pair security LAN-WAN source LAN destination WAN
 service-policy type inspect LAN-WAN-POLICY
!
crypto ipsec transform-set test_trans esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile test_profile
 set transform-set test_trans
 set ikev2-profile prof
!
interface Tunnel0
 ip address 10.10.10.1 255.255.255.0
 zone-member security VPN
 tunnel source FastEthernet4
 tunnel mode ipsec ipv4
 tunnel destination ip.add.res.s1
 tunnel protection ipsec profile test_profile
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 description PrimaryWANDesc_
 ip address ip.add.res.s4 255.255.255.252
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly in
 zone-member security WAN
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 10.10.10.1 255.255.255.248
 ip nbar protocol-discovery
 ip flow monitor application-mon input
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 zone-member security LAN
 ip tcp adjust-mss 1452
 load-interval 30
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list nat-list interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 ip.add.res.s4
!
ip access-list extended INTRANET-WHITELIST
 permit ip any 10.2.0.0 0.0.255.255
ip access-list extended Others_acl
 permit object-group Others_svc object-group Others_src_net object-group Others_dst_net
ip access-list extended Web_acl
 permit object-group Web_svc object-group Web_src_net object-group Web_dst_net
ip access-list extended allowall_acl
 permit object-group allowall_svc object-group allowall_src_net object-group allowall_dst_net
ip access-list extended nat-list
 deny   ip object-group local_lan_subnets object-group vpn_remote_subnets
 permit ip object-group local_lan_subnets any
 deny   ip any any
!
!
access-list 23 permit 10.10.10.0 0.0.0.7
!
!
!
control-plane
!
!
banner exec
% Password expiration warning.
-----------------------------------------------------------------------
[SNIP]
-----------------------------------------------------------------------
banner login
-----------------------------------------------------------------------
[SNIP]
-----------------------------------------------------------------------
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 transport input telnet ssh
!
ntp master
ntp server 0.north-america.pool.ntp.org
!
end

------------------------------------------------------------

strongSwan logs (output to the kernel log):

Nov 28 21:35:07 site1 charon: 05[NET] received packet: from ip.add.res.s3[500] to ip.add.res.s1[500] (508 bytes)
Nov 28 21:35:07 site1 charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) ]
Nov 28 21:35:07 site1 charon: 05[IKE] received Cisco Delete Reason vendor ID
Nov 28 21:35:07 site1 charon: 05[ENC] received unknown vendor ID: 46:4c:45:58:56:50:4e:2d:53:55:50:50:4f:52:54:45:44
Nov 28 21:35:08 site1 charon: 05[IKE] ip.add.res.s3 is initiating an IKE_SA
Nov 28 21:35:08 site1 charon: 05[IKE] ip.add.res.s3 is initiating an IKE_SA
Nov 28 21:35:08 site1 charon: 05[IKE] sending cert request for "C=US, ST=ZZ, L=site1, O=myco, OU=Engineering Dept, CN=myco CA, E=t...@myco.com"
Nov 28 21:35:08 site1 charon: 05[IKE] sending cert request for "C=US, ST=ZZ, L=site2, O=myco, OU=Engineering Dept, CN=myco CA, E=t...@myco.com"
Nov 28 21:35:08 site1 charon: 05[IKE] sending cert request for "C=US, ST=ZZ, L=site3, O=myco, OU=Engineering Dept, CN=myco CA, E=t...@myco.com"
Nov 28 21:35:08 site1 charon: 05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Nov 28 21:35:08 site1 charon: 05[NET] sending packet: from ip.add.res.s1[500] to ip.add.res.s3[500] (441 bytes)
Nov 28 21:35:08 site1 charon: 16[NET] received packet: from ip.add.res.s3[500] to ip.add.res.s1[500] (624 bytes)
Nov 28 21:35:09 site1 charon: 16[ENC] unknown attribute type (28692)
Nov 28 21:35:09 site1 charon: 16[ENC] parsed IKE_AUTH request 1 [ V IDi AUTH CPRQ(DNS DNS NBNS NBNS SUBNET DNS6 SUBNET6 VER U_SPLITDNS U_BANNER (28692) U_BKPSRV U_DEFDOM) SA TSi TSr N(INIT_CONTACT) N(SET_WINSIZE) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
Nov 28 21:35:09 site1 charon: 16[CFG] looking for peer configs matching ip.add.res.s1[%any]...ip.add.res.s3[ip.add.res.s3]
Nov 28 21:35:09 site1 charon: 16[CFG] selected peer config 'ciscotest'
Nov 28 21:35:09 site1 charon: 16[IKE] tried 1 shared key for '%any' - 'ip.add.res.s3', but MAC mismatched
Nov 28 21:35:09 site1 charon: 16[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Nov 28 21:35:10 site1 charon: 16[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Nov 28 21:35:10 site1 charon: 16[NET] sending packet: from ip.add.res.s1[500] to ip.add.res.s3[500] (96 bytes)
Nov 28 21:35:16 site1 charon: 01[NET] received packet: from ip.add.res.s3[500] to ip.add.res.s1[500] (508 bytes)
Nov 28 21:35:16 site1 charon: 01[ENC] parsed IKE_SA_INIT request 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) ]
Nov 28 21:35:16 site1 charon: 01[IKE] received Cisco Delete Reason vendor ID
Nov 28 21:35:16 site1 charon: 01[ENC] received unknown vendor ID: 46:4c:45:58:56:50:4e:2d:53:55:50:50:4f:52:54:45:44
Nov 28 21:35:16 site1 charon: 01[IKE] ip.add.res.s3 is initiating an IKE_SA
Nov 28 21:35:16 site1 charon: 01[IKE] ip.add.res.s3 is initiating an IKE_SA
Nov 28 21:35:16 site1 charon: 01[IKE] sending cert request for "C=US, ST=ZZ, L=site1, O=myco, OU=Engineering Dept, CN=myco CA, E=t...@myco.com"
Nov 28 21:35:17 site1 charon: 01[IKE] sending cert request for "C=US, ST=ZZ, L=site2, O=myco, OU=Engineering Dept, CN=myco CA, E=t...@myco.com"
Nov 28 21:35:17 site1 charon: 01[IKE] sending cert request for "C=US, ST=ZZ, L=site3, O=myco, OU=Engineering Dept, CN=myco CA, E=t...@myco.com"
Nov 28 21:35:17 site1 charon: 01[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Nov 28 21:35:17 site1 charon: 01[NET] sending packet: from ip.add.res.s1[500] to ip.add.res.s3[500] (441 bytes)
Nov 28 21:35:17 site1 charon: 06[NET] received packet: from ip.add.res.s3[500] to ip.add.res.s1[500] (624 bytes)
Nov 28 21:35:17 site1 charon: 06[ENC] unknown attribute type (28692)
Nov 28 21:35:17 site1 charon: 06[ENC] parsed IKE_AUTH request 1 [ V IDi AUTH CPRQ(DNS DNS NBNS NBNS SUBNET DNS6 SUBNET6 VER U_SPLITDNS U_BANNER (28692) U_BKPSRV U_DEFDOM) SA TSi TSr N(INIT_CONTACT) N(SET_WINSIZE) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
Nov 28 21:35:18 site1 charon: 06[CFG] looking for peer configs matching ip.add.res.s1[%any]...ip.add.res.s3[ip.add.res.s3]
Nov 28 21:35:18 site1 charon: 06[CFG] selected peer config 'ciscotest'
Nov 28 21:35:18 site1 charon: 06[IKE] authentication of 'ip.add.res.s3' with pre-shared key successful
Nov 28 21:35:18 site1 charon: 06[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Nov 28 21:35:18 site1 charon: 06[IKE] authentication of 'ip.add.res.s1' (myself) with pre-shared key
Nov 28 21:35:18 site1 charon: 06[IKE] IKE_SA ciscotest[218] established between ip.add.res.s1[ip.add.res.s1]...ip.add.res.s3[ip.add.res.s3]
Nov 28 21:35:18 site1 charon: 06[IKE] IKE_SA ciscotest[218] established between ip.add.res.s1[ip.add.res.s1]...ip.add.res.s3[ip.add.res.s3]
Nov 28 21:35:18 site1 charon: 06[IKE] scheduling reauthentication in 9901s
Nov 28 21:35:19 site1 charon: 06[IKE] maximum IKE_SA lifetime 10441s
Nov 28 21:35:19 site1 charon: 06[IKE] CHILD_SA ciscotest{972} established with SPIs cd9d4ba9_i 927d8324_o and TS 10.2.0.0/16 === 10.10.10.0/24
Nov 28 21:35:19 site1 charon: 06[IKE] CHILD_SA ciscotest{972} established with SPIs cd9d4ba9_i 927d8324_o and TS 10.2.0.0/16 === 10.10.10.0/24
Nov 28 21:35:19 site1 vpn: client+ ip.add.res.s3 10.10.10.0/24 == ip.add.res.s3 -- ip.add.res.s1 == 10.2.0.0/16
Nov 28 21:35:19 site1 vpn: tunnel+ ip.add.res.s3 -- ip.add.res.s1
Nov 28 21:35:19 site1 vpn: snat+ red0-ip.add.res.s1 : 10.10.10.0/24 - 10.2.0.1
Nov 28 21:35:19 site1 charon: 06[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
Nov 28 21:35:20 site1 charon: 06[NET] sending packet: from ip.add.res.s1[500] to ip.add.res.s3[500] (272 bytes)
Nov 28 21:35:20 site1 charon: 03[MGR] ignoring request with ID 1, already processing
Nov 28 21:35:20 site1 charon: 04[NET] received packet: from ip.add.res.s3[500] to ip.add.res.s1[500] (112 bytes)
Nov 28 21:35:20 site1 charon: 04[ENC] parsed INFORMATIONAL request 2 [ CPS(SUBNET) ]
Nov 28 21:35:20 site1 charon: 04[ENC] generating INFORMATIONAL response 2 [ ]
Nov 28 21:35:20 site1 charon: 04[NET] sending packet: from ip.add.res.s1[500] to ip.add.res.s3[500] (96 bytes)
Nov 28 21:35:28 site1 charon: 14[NET] received packet: from ip.add.res.s3[500] to ip.add.res.s1[500] (96 bytes)
Nov 28 21:35:28 site1 charon: 14[ENC] parsed INFORMATIONAL request 3 [ ]
Nov 28 21:35:28 site1 charon: 14[ENC] generating INFORMATIONAL response 3 [ ]
Nov 28 21:35:29 site1 charon: 14[NET] sending packet: from ip.add.res.s1[500] to ip.add.res.s3[500] (96 bytes)
Nov 28 21:35:38 site1 charon: 15[NET] received packet: from ip.add.res.s3[500] to ip.add.res.s1[500] (96 bytes)
Nov 28 21:35:38 site1 charon: 15[ENC] parsed INFORMATIONAL request 4 [ ]
Nov 28 21:35:39 site1 charon: 15[ENC] generating INFORMATIONAL response 4 [ ]
Nov 28 21:35:39 site1 charon: 15[NET] sending packet: from ip.add.res.s1[500] to ip.add.res.s3[500] (96 bytes)
Nov 28 21:35:48 site1 charon: 14[NET] received packet: from ip.add.res.s3[500] to ip.add.res.s1[500] (96 bytes)
Nov 28 21:35:48 site1 charon: 14[ENC] parsed INFORMATIONAL request 5 [ ]
Nov 28 21:35:49 site1 charon: 14[ENC] generating INFORMATIONAL response 5 [ ]
Nov 28 21:35:49 site1 charon: 14[NET] sending packet: from ip.add.res.s1[500] to ip.add.res.s3[500] (96 bytes)
Nov 28 21:35:58 site1 charon: 16[NET] received packet: from ip.add.res.s3[500] to ip.add.res.s1[500] (96 bytes)
Nov 28 21:35:58 site1 charon: 16[ENC] parsed INFORMATIONAL request 6 [ ]
Nov 28 21:35:59 site1 charon: 16[ENC] generating INFORMATIONAL response 6 [ ]
Nov 28 21:35:59 site1 charon: 16[NET] sending packet: from ip.add.res.s1[500] to ip.add.res.s3[500] (96 bytes)
Nov 28 21:36:08 site1 charon: 15[NET] received packet: from ip.add.res.s3[500] to ip.add.res.s1[500] (96 bytes)
Nov 28 21:36:09 site1 charon: 15[ENC] parsed INFORMATIONAL request 7 [ ]
Nov 28 21:36:09 site1 charon: 15[ENC] generating INFORMATIONAL response 7 [ ]
Nov 28 21:36:09 site1 charon: 15[NET] sending packet: from ip.add.res.s1[500] to ip.add.res.s3[500] (96 bytes)
Nov 28 21:36:16 site1 charon: 04[NET] received packet: from ip.add.res.s3[500] to ip.add.res.s1[500] (224 bytes)
Nov 28 21:36:16 site1 charon: 04[ENC] parsed CREATE_CHILD_SA request 8 [ SA No TSi TSr ]
Nov 28 21:36:17 site1 charon: 04[IKE] CHILD_SA ciscotest{973} established with SPIs c54b639d_i ca4c6022_o and TS 10.2.0.0/16 === 10.10.10.0/24
Nov 28 21:36:17 site1 charon: 04[IKE] CHILD_SA ciscotest{973} established with SPIs c54b639d_i ca4c6022_o and TS 10.2.0.0/16 === 10.10.10.0/24
Nov 28 21:36:17 site1 vpn: client+ ip.add.res.s3 10.10.10.0/24 == ip.add.res.s3 -- ip.add.res.s1 == 10.2.0.0/16
Nov 28 21:36:17 site1 vpn: tunnel+ ip.add.res.s3 -- ip.add.res.s1
Nov 28 21:36:17 site1 vpn: snat+ red0-ip.add.res.s1 : 10.10.10.0/24 - 10.2.0.1
Nov 28 21:36:17 site1 charon: 04[ENC] generating CREATE_CHILD_SA response 8 [ SA No TSi TSr ]
Nov 28 21:36:17 site1 charon: 04[NET] sending packet: from ip.add.res.s1[500] to ip.add.res.s3[500] (224 bytes)
Nov 28 21:36:18 site1 charon: 11[NET] received packet: from ip.add.res.s3[500] to ip.add.res.s1[500] (96 bytes)
Nov 28 21:36:19 site1 charon: 11[ENC] parsed INFORMATIONAL request 9 [ ]
Nov 28 21:36:19 site1 charon: 11[ENC] generating INFORMATIONAL response 9 [ ]
Nov 28 21:36:19 site1 charon: 11[NET] sending packet: from ip.add.res.s1[500] to ip.add.res.s3[500] (96 bytes)
Nov 28 21:36:28 site1 charon: 13[NET] received packet: from ip.add.res.s3[500] to ip.add.res.s1[500] (96 bytes)
Nov 28 21:36:29 site1 charon: 13[ENC] parsed INFORMATIONAL request 10 [ ]
Nov 28 21:36:29 site1 charon: 13[ENC] generating INFORMATIONAL response 10 [ ]
Nov 28 21:36:29 site1 charon: 13[NET] sending packet: from ip.add.res.s1[500] to ip.add.res.s3[500] (96 bytes)
Nov 28 21:36:38 site1 charon: 03[NET] received packet: from ip.add.res.s3[500] to ip.add.res.s1[500] (96 bytes)
Nov 28 21:36:39 site1 charon: 03[ENC] parsed INFORMATIONAL request 11 [ ]
Nov 28 21:36:39 site1 charon: 03[ENC] generating INFORMATIONAL response 11 [ ]
Nov 28 21:36:39 site1 charon: 03[NET] sending packet: from ip.add.res.s1[500] to ip.add.res.s3[500] (96 bytes)
Nov 28 21:36:48 site1 charon: 11[NET] received packet: from ip.add.res.s3[500] to ip.add.res.s1[500] (96 bytes)
Nov 28 21:36:49 site1 charon: 11[ENC] parsed INFORMATIONAL request 12 [ ]
Nov 28 21:36:49 site1 charon: 11[ENC] generating INFORMATIONAL response 12 [ ]
Nov 28 21:36:49 site1 charon: 11[NET] sending packet: from ip.add.res.s1[500] to ip.add.res.s3[500] (96 bytes)
Nov 28 21:36:58 site1 charon: 16[NET] received packet: from ip.add.res.s3[500] to ip.add.res.s1[500] (96 bytes)
Nov 28 21:36:59 site1 charon: 16[ENC] parsed INFORMATIONAL request 13 [ ]
Nov 28 21:36:59 site1 charon: 16[ENC] generating INFORMATIONAL response 13 [ ]
Nov 28 21:37:00 site1 charon: 16[NET] sending packet: from ip.add.res.s1[500] to ip.add.res.s3[500] (96 bytes)
Nov 28 21:37:09 site1 charon: 15[NET] received packet: from ip.add.res.s3[500] to ip.add.res.s1[500] (96 bytes)
Nov 28 21:37:09 site1 charon: 15[ENC] parsed INFORMATIONAL request 14 [ ]
Nov 28 21:37:09 site1 charon: 15[ENC] generating INFORMATIONAL response 14 [ ]
Nov 28 21:37:09 site1 charon: 15[NET] sending packet: from ip.add.res.s1[500] to ip.add.res.s3[500] (96 bytes)
Nov 28 21:37:17 site1 charon: 14[NET] received packet: from ip.add.res.s3[500] to ip.add.res.s1[500] (224 bytes)
Nov 28 21:37:17 site1 charon: 14[ENC] parsed CREATE_CHILD_SA request 15 [ SA No TSi TSr ]
Nov 28 21:37:17 site1 charon: 14[IKE] CHILD_SA ciscotest{974} established with SPIs c81b266c_i b563d7f6_o and TS 10.2.0.0/16 === 10.10.10.0/24
Nov 28 21:37:17 site1 charon: 14[IKE] CHILD_SA ciscotest{974} established with SPIs c81b266c_i b563d7f6_o and TS 10.2.0.0/16 === 10.10.10.0/24
Nov 28 21:37:17 site1 vpn: client+ ip.add.res.s3 10.10.10.0/24 == ip.add.res.s3 -- ip.add.res.s1 == 10.2.0.0/16
Nov 28 21:37:17 site1 vpn: tunnel+ ip.add.res.s3 -- ip.add.res.s1
Nov 28 21:37:18 site1 vpn: snat+ red0-ip.add.res.s1 : 10.10.10.0/24 - 10.2.0.1

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
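As an added illustration of what the charon log above records (editor's example; this is not code from the thread, from IPFire or from the strongSwan project), the following Python script parses charon's syslog lines, counts the "established" entries once even though charon writes each twice, and reports how many CHILD_SAs are installed for the same pair of traffic selectors and how many seconds apart they were created. The sample lines are constructed from the ones quoted above with the thread's address placeholders; the "closing CHILD_SA" pattern is an assumption about charon's wording for a teardown, since no teardown appears in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, modelled on the charon lines quoted in the thread above.
# Peer addresses are the thread's placeholders; the duplicated "established" lines
# are kept deliberately, because charon logged each event twice in the thread.
SAMPLE_LOG = """\
Nov 28 21:35:09 site1 charon: 16[IKE] tried 1 shared key for '%any' - 'ip.add.res.s3', but MAC mismatched
Nov 28 21:35:10 site1 charon: 16[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Nov 28 21:35:18 site1 charon: 06[IKE] IKE_SA ciscotest[218] established between ip.add.res.s1[ip.add.res.s1]...ip.add.res.s3[ip.add.res.s3]
Nov 28 21:35:18 site1 charon: 06[IKE] IKE_SA ciscotest[218] established between ip.add.res.s1[ip.add.res.s1]...ip.add.res.s3[ip.add.res.s3]
Nov 28 21:35:19 site1 charon: 06[IKE] CHILD_SA ciscotest{972} established with SPIs cd9d4ba9_i 927d8324_o and TS 10.2.0.0/16 === 10.10.10.0/24
Nov 28 21:35:19 site1 charon: 06[IKE] CHILD_SA ciscotest{972} established with SPIs cd9d4ba9_i 927d8324_o and TS 10.2.0.0/16 === 10.10.10.0/24
Nov 28 21:36:16 site1 charon: 04[ENC] parsed CREATE_CHILD_SA request 8 [ SA No TSi TSr ]
Nov 28 21:36:17 site1 charon: 04[IKE] CHILD_SA ciscotest{973} established with SPIs c54b639d_i ca4c6022_o and TS 10.2.0.0/16 === 10.10.10.0/24
Nov 28 21:37:17 site1 charon: 14[ENC] parsed CREATE_CHILD_SA request 15 [ SA No TSi TSr ]
Nov 28 21:37:17 site1 charon: 14[IKE] CHILD_SA ciscotest{974} established with SPIs c81b266c_i b563d7f6_o and TS 10.2.0.0/16 === 10.10.10.0/24
"""

# syslog prefix as seen above: "<Mon DD HH:MM:SS> <host> charon: <thread>[<group>] <message>"
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ charon: \d+\[\w+\] (.*)$")
IKE_UP_RE = re.compile(r"IKE_SA (\S+)\[(\d+)\] established")
CHILD_UP_RE = re.compile(
    r"CHILD_SA (\S+)\{(\d+)\} established with SPIs (\w+)_i (\w+)_o and TS (\S+) === (\S+)")
# Assumption (not taken from the thread): charon reports a teardown as
# "closing CHILD_SA <conn>{<id>} ...". Used only to drop closed SAs from the live list.
CHILD_DOWN_RE = re.compile(r"closing CHILD_SA (\S+)\{(\d+)\}")
CREATE_CHILD_RE = re.compile(r"parsed CREATE_CHILD_SA request (\d+)")


def analyze(log_text):
    """Summarise the IKE_SA / CHILD_SA lifecycle in charon log lines.

    Returns: authentication failures, distinct IKE_SAs, distinct CHILD_SAs keyed on
    their {unique id} (so a repeated log line counts once), the ids of CREATE_CHILD_SA
    requests the peer sent, the CHILD_SAs still installed per (conn, local TS,
    remote TS), and the seconds between successive CHILD_SAs for the same selectors.
    A peer that keeps adding CHILD_SAs without deleting the old ones shows up as a
    growing 'live' list with short, regular intervals.
    """
    auth_failures, ike_sas, create_child_reqs = [], [], []
    child_sas = {}                  # (conn, id) -> {"at", "spi_in", "spi_out", "ts"}
    established = defaultdict(list)  # (conn, ts_local, ts_remote) -> [ids, in log order]
    live = defaultdict(list)         # same key -> [ids not yet closed]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                 # not a charon line (e.g. IPFire's "vpn:" lines)
        when = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
        msg = m.group(2)
        if "MAC mismatched" in msg or "N(AUTH_FAILED)" in msg:
            auth_failures.append((when, msg))
        elif (mi := IKE_UP_RE.search(msg)):
            key = (mi.group(1), int(mi.group(2)))
            if key not in ike_sas:
                ike_sas.append(key)
        elif (mc := CREATE_CHILD_RE.search(msg)):
            create_child_reqs.append(int(mc.group(1)))
        elif (mu := CHILD_UP_RE.search(msg)):
            conn, uid = mu.group(1), int(mu.group(2))
            if (conn, uid) in child_sas:
                continue             # charon logged the same event twice
            ts = (mu.group(5), mu.group(6))
            child_sas[(conn, uid)] = {"at": when, "spi_in": mu.group(3),
                                      "spi_out": mu.group(4), "ts": ts}
            established[(conn,) + ts].append(uid)
            live[(conn,) + ts].append(uid)
        elif (md := CHILD_DOWN_RE.search(msg)):
            conn, uid = md.group(1), int(md.group(2))
            sa = child_sas.get((conn, uid))
            if sa and uid in live[(conn,) + sa["ts"]]:
                live[(conn,) + sa["ts"]].remove(uid)
    intervals = {}
    for key, ids in established.items():
        times = [child_sas[(key[0], i)]["at"] for i in ids]
        intervals[key] = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return {"auth_failures": auth_failures, "ike_sas": ike_sas, "child_sas": child_sas,
            "create_child_requests": create_child_reqs, "live": dict(live),
            "intervals": intervals}


def duplicated_selectors(report):
    """Selector pairs with more than one CHILD_SA installed at the same time."""
    return {key: ids for key, ids in report["live"].items() if len(ids) > 1}


if __name__ == "__main__":
    rep = analyze(SAMPLE_LOG)
    print(f"auth failures: {len(rep['auth_failures'])}, IKE_SAs: {rep['ike_sas']}")
    for key, ids in duplicated_selectors(rep).items():
        print(f"{key[0]}: {len(ids)} CHILD_SAs for {key[1]} === {key[2]}: {ids}, "
              f"gaps between them: {rep['intervals'][key]} s")
```

Run against the sample it reports two authentication failures (the first IKE_AUTH attempt, rejected with AUTH_FAILED after the PSK MAC mismatch), one IKE_SA, and three CHILD_SAs for 10.2.0.0/16 === 10.10.10.0/24, the second and third created 58 s and 60 s apart by peer-initiated CREATE_CHILD_SA exchanges. That is the same picture "ipsec status" gives above; feeding it a longer journal shows whether the list keeps growing or whether the peer eventually deletes the older SAs.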