I figured it out: one of the certificates was not loaded. Fixed it, and it is working now.
On Mon, Oct 9, 2017 at 10:36 AM, rajeev nohria <rajnoh...@gmail.com> wrote:
> I am using swanctl and am having a "no matching peer config found" issue.
>
> Please find the logs and swanctl.conf in this email.
>
> Thanks,
> Rajeev
>
> 9[NET] received packet: from fc00:cada:c402:607::1001[500] to 2017::5002[500] (264 bytes)
> 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
> 09[CFG] looking for an ike config for 2017::5002...fc00:cada:c402:607::1001
> 09[CFG] ike config match: 3100 (2017::5002 fc00:cada:c402:607::1001 IKEv2)
> 09[CFG] candidate: 2017::5002...fc00:cada:C402:607::1001, prio 3100
> 09[CFG] found matching ike config: 2017::5002...fc00:cada:C402:607::1001 with prio 3100
> 09[IKE] fc00:cada:c402:607::1001 is initiating an IKE_SA
> 09[IKE] IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
> 09[CFG] selecting proposal:
> 09[CFG] proposal matches
> 09[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
> 09[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
> 09[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
> 09[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
> 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
> 09[NET] sending packet: from 2017::5002[500] to fc00:cada:c402:607::1001[500] (289 bytes)
> 08[NET] received packet: from fc00:cada:c402:607::1001[4500] to 2017::5002[4500] (1680 bytes)
> 08[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> 08[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
> 08[IKE] received cert request for unknown ca with keyid bd:0e:4c:0f:21:cf:f0:49:af:19:34:3b:c2:64:c5:31:a1:2e:11:07
> 08[IKE] received 1 cert requests for an unknown ca
> 08[ASN] L0 - x509:
> 08[ASN] L1 - tbsCertificate:
> 08[ASN] L2 - DEFAULT v1:
> 08[ASN] L3 - version:
> 08[ASN] X.509v3
> 08[ASN] L2 - serialNumber:
> 08[ASN] L2 - signature:
> 08[ASN] L3 - algorithmIdentifier:
> 08[ASN] L4 - algorithm:
> 08[ASN] 'sha256WithRSAEncryption'
> 08[ASN] L2 - issuer:
> 08[ASN] 'C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority'
> 08[ASN] L2 - validity:
> 08[ASN] L3 - notBefore:
> 08[ASN] L4 - utcTime:
> 08[ASN] 'Sep 28 18:18:53 UTC 2017'
> 08[ASN] L3 - notAfter:
> 08[ASN] L4 - utcTime:
> 08[ASN] 'Sep 28 18:18:53 UTC 2037'
> 08[ASN] L2 - subject:
> 08[ASN] 'C=US, O=ARRIS, OU=LOWELL, CN=00:33:5f:ab:8c:9e'
> 08[ASN] L2 - subjectPublicKeyInfo:
> 08[ASN] -- > --
> 08[ASN] L0 - subjectPublicKeyInfo:
> 08[ASN] L1 - algorithm:
> 08[ASN] L2 - algorithmIdentifier:
> 08[ASN] L3 - algorithm:
> 08[ASN] 'rsaEncryption'
> 08[ASN] L1 - subjectPublicKey:
> 08[ASN] -- > --
> 08[ASN] L0 - RSAPublicKey:
> 08[ASN] L1 - modulus:
> 08[ASN] L1 - publicExponent:
> 08[ASN] -- < --
> 08[ASN] -- < --
> 08[ASN] L2 - optional extensions:
> 08[ASN] L3 - extensions:
> 08[ASN] L4 - extension:
> 08[ASN] L5 - extnID:
> 08[ASN] 'keyUsage'
> 08[ASN] L5 - critical:
> 08[ASN] TRUE
> 08[ASN] L5 - extnValue:
> 08[ASN] L4 - extension:
> 08[ASN] L5 - extnID:
> 08[ASN] 'authorityKeyIdentifier'
> 08[ASN] L5 - critical:
> 08[ASN] FALSE
> 08[ASN] L5 - extnValue:
> 08[ASN] L6 - authorityKeyIdentifier:
> 08[ASN] L7 - keyIdentifier:
> 08[ASN] L1 - signatureAlgorithm:
> 08[ASN] L2 - algorithmIdentifier:
> 08[ASN] L3 - algorithm:
> 08[ASN] 'sha256WithRSAEncryption'
> 08[ASN] L1 - signatureValue:
> 08[IKE] received end entity cert "C=US, O=ARRIS, OU=LOWELL, CN=00:33:5f:ab:8c:9e"
> 08[CFG] looking for peer configs matching 2017::5002[%any]...fc00:cada:c402:607::1001[C=US, O=ARRIS, OU=LOWELL, CN=00:33:5f:ab:8c:9e]
> 08[CFG] peer config match local: 1 (ID_ANY -> )
> 08[CFG] peer config match remote: 0 (ID_DER_ASN1_DN -> 30:4a:31:0b:30:09:06:03:55:04:06:13:02:55:53:31:0e:30:0c:06:03:55:04:0a:13:05:41:52:52:49:53:31:0f:30:0d:06:03:55:04:0b:13:06:4c:4f:57:45:4c:4c:31:1a:30:18:06:03:55:04:03:13:11:30:30:3a:33:33:3a:35:66:3a:61:62:3a:38:63:3a:39:65)
> 08[CFG] ike config match: 3100 (2017::5002 fc00:cada:c402:607::1001 IKEv2)
> 08[CFG] no matching peer config found
> 08[IKE] peer supports MOBIKE
> 08[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> 08[NET] sending packet: from 2017::5002[4500] to fc00:cada:c402:607::1001[4500] (80 bytes)
> 08[IKE] IKE_SA (unnamed)[2] state change: CONNECTING => DESTROYING
>
> swanctl.conf
>
> # Section defining IKE connection configurations.
> connections {
>
>     # Section for an IKE connection named <conn>.
>     rw{
>
>         # IKE major version to use for connection.
>         version = 2
>
>         # Local address(es) to use for IKE communication, comma separated.
>         local_addrs = 2017::5002
>         #local_addrs = 10.13.199.130
>         #local_addrs = 10.185.44.187
>
>         # Remote address(es) to use for IKE communication, comma separated.
>         remote_addrs = fc00:cada:C402:607::1001
>         #remote_addrs = 10.13.199.174
>         #remote_addrs = 10.14.37.97
>
>         # Local UDP port for IKE communication.
>         # local_port = 500
>
>         # Remote UDP port for IKE communication.
>         # remote_port = 500
>
>         # Comma separated proposals to accept for IKE.
>         proposals = aes128-sha256-ecp256
>
>         # Virtual IPs to request in configuration payload / Mode Config.
>         # vips =
>
>         # Use Aggressive Mode in IKEv1.
>         # aggressive = no
>
>         # Set the Mode Config mode to use.
>         # pull = yes
>
>         # Enforce UDP encapsulation by faking NAT-D payloads.
>         # encap = no
>
>         # Enables MOBIKE on IKEv2 connections.
>         # mobike = yes
>
>         # Interval of liveness checks (DPD).
>         # dpd_delay = 0s
>
>         # Timeout for DPD checks (IKEV1 only).
>         # dpd_timeout = 0s
>
>         # Use IKE UDP datagram fragmentation. (yes, no or force).
>         # fragmentation = no
>
>         # Send certificate requests payloads (yes or no).
>         # send_certreq = yes
>
>         # Send certificate payloads (always, never or ifasked).
>         # send_cert = ifasked
>
>         # Number of retransmission sequences to perform during initial connect.
>         # keyingtries = 1
>
>         # Connection uniqueness policy (never, no, keep or replace).
>         # unique = no
>
>         # Time to schedule IKE reauthentication.
>         # reauth_time = 0s
>
>         # Time to schedule IKE rekeying.
>         # rekey_time = 4h
>
>         # Hard IKE_SA lifetime if rekey/reauth does not complete, as time.
>         # over_time = 10% of rekey_time/reauth_time
>
>         # Range of random time to subtract from rekey/reauth times.
>         # rand_time = over_time
>
>         # Comma separated list of named IP pools.
>         # pools =
>
>         # Section for a local authentication round.
>         local {
>
>             # Optional numeric identifier by which authentication rounds are
>             # sorted. If not specified rounds are ordered by their position in
>             # the config file/VICI message.
>             # round = 0
>
>             # Comma separated list of certificate candidates to use for
>             # authentication.
>             certs = device.crt
>
>             # Comma separated list of raw public key candidates to use for
>             # authentication.
>             #pubkeys =
>
>             # Authentication to perform locally (pubkey, psk, xauth[-backend] or
>             # eap[-method]).
>             auth = pubkey
>
>             # IKE identity to use for authentication round.
>             id = "C=US, O=ARRIS, OU=Lowell, CN=00:0c:29:9d:7d:92"
>             #id = "C=US, ST=MA, O=Arris, CN=StrongSwan Root CA"
>             #id = 10.13.199.130
>             #id = 10.185.44.187
>
>             # Client EAP-Identity to use in EAP-Identity exchange and the EAP
>             # method.
>             # eap_id = id
>
>             # Server side EAP-Identity to expect in the EAP method.
>             # aaa_id = remote-id
>
>             # Client XAuth username used in the XAuth exchange.
>             # xauth_id = id
>
>         }
>
>         # Section for a remote authentication round.
>         remote {
>
>             # Optional numeric identifier by which authentication rounds are
>             # sorted. If not specified rounds are ordered by their position in
>             # the config file/VICI message.
>             # round = 0
>
>             # IKE identity to expect for authentication round.
>             id = fc00:cada:c402:607::1001
>             #id = "C=US, O=ARRIS, OU=Lowell, CN=00:33:5f:ab:8c:9e"
>             #id = 10.13.199.174
>             #id = 10.14.37.97
>
>             # Authorization group memberships to require.
>             # groups =
>
>             # Comma separated list of certificate to accept for authentication.
>             # certs =
>
>             # Comma separated list of CA certificates to accept for
>             # authentication.
>             # cacerts = deviceCa.crt
>             # Comma separated list of raw public keys to accept for
>             # authentication.
>             # pubkeys =
>
>             # Certificate revocation policy, (strict, ifuri or relaxed).
>             # revocation = relaxed
>
>             # Authentication to expect from remote (pubkey, psk, xauth[-backend]
>             # or eap[-method]).
>             auth = pubkey
>         }
>
>         children {
>
>             # CHILD_SA configuration sub-section.
>             gcp {
>
>                 # AH proposals to offer for the CHILD_SA.
>                 # ah_proposals =
>
>                 # ESP proposals to offer for the CHILD_SA.
>                 esp_proposals = aes128-sha256-ecp256
>
>                 # Local traffic selectors to include in CHILD_SA.
>                 local_ts = 2017::5002[tcp]
>
>                 # Remote selectors to include in CHILD_SA.
>                 remote_ts = fc00:cada:C402:607::1001[tcp]
>
>                 # Time to schedule CHILD_SA rekeying.
>                 # rekey_time = 1h
>
>                 # Maximum lifetime before CHILD_SA gets closed, as time.
>                 # life_time = rekey_time + 10%
>
>                 # Range of random time to subtract from rekey_time.
>                 # rand_time = life_time - rekey_time
>
>                 # Number of bytes processed before initiating CHILD_SA rekeying.
>                 # rekey_bytes = 0
>
>                 # Maximum bytes processed before CHILD_SA gets closed.
>                 # life_bytes = rekey_bytes + 10%
>
>                 # Range of random bytes to subtract from rekey_bytes.
>                 # rand_bytes = life_bytes - rekey_bytes
>
>                 # Number of packets processed before initiating CHILD_SA
>                 # rekeying.
>                 # rekey_packets = 0
>
>                 # Maximum number of packets processed before CHILD_SA gets
>                 # closed.
>                 # life_packets = rekey_packets + 10%
>
>                 # Range of random packets to subtract from packets_bytes.
>                 # rand_packets = life_packets - rekey_packets
>
>                 # Updown script to invoke on CHILD_SA up and down events.
>                 #updown = abcd
>
>                 # Hostaccess variable to pass to updown script.
>                 # hostaccess = yes
>
>                 # IPsec Mode to establish (tunnel, transport, beet, pass or
>                 # drop).
>                 mode = transport
>
>                 # Whether to install IPsec policies or not.
>                 # policies = yes
>
>                 # Action to perform on DPD timeout (clear, trap or restart).
>                 # dpd_action = clear
>
>                 # Enable IPComp compression before encryption.
>                 # ipcomp = no
>
>                 # Timeout before closing CHILD_SA after inactivity.
>                 # inactivity = 0s
>
>                 # Fixed reqid to use for this CHILD_SA.
>                 # reqid = 0
>
>                 # Netfilter mark and mask for input traffic.
>                 # mark_in = 0/0x00000000
>
>                 # Netfilter mark and mask for output traffic.
>                 # mark_out = 0/0x00000000
>
>                 # Traffic Flow Confidentiality padding.
>                 # tfc_padding = 0
>
>                 # IPsec replay window to configure for this CHILD_SA.
>                 # replay_window = 32
>
>                 # Action to perform after loading the configuration (none, trap,
>                 # start).
>                 # start_action = none
>
>                 # Action to perform after a CHILD_SA gets closed (none, trap,
>                 # start).
>                 # close_action = none
>
>             }
>
>             l2tp {
>
>                 # AH proposals to offer for the CHILD_SA.
>                 # ah_proposals =
>
>                 # ESP proposals to offer for the CHILD_SA.
>                 esp_proposals = aes128-sha256-ecp256
>
>                 # Local traffic selectors to include in CHILD_SA.
>                 local_ts = 2017::5002[115]
>
>                 # Remote selectors to include in CHILD_SA.
>                 remote_ts = fc00:cada:C402:607::1001[115]
>
>                 # Time to schedule CHILD_SA rekeying.
>                 # rekey_time = 1h
>
>                 # Maximum lifetime before CHILD_SA gets closed, as time.
>                 # life_time = rekey_time + 10%
>
>                 # Range of random time to subtract from rekey_time.
>                 # rand_time = life_time - rekey_time
>
>                 # Number of bytes processed before initiating CHILD_SA rekeying.
>                 # rekey_bytes = 0
>
>                 # Maximum bytes processed before CHILD_SA gets closed.
>                 # life_bytes = rekey_bytes + 10%
>
>                 # Range of random bytes to subtract from rekey_bytes.
>                 # rand_bytes = life_bytes - rekey_bytes
>
>                 # Number of packets processed before initiating CHILD_SA
>                 # rekeying.
>                 # rekey_packets = 0
>
>                 # Maximum number of packets processed before CHILD_SA gets
>                 # closed.
>                 # life_packets = rekey_packets + 10%
>
>                 # Range of random packets to subtract from packets_bytes.
>                 # rand_packets = life_packets - rekey_packets
>
>                 # Updown script to invoke on CHILD_SA up and down events.
>                 #updown = abcd
>
>                 # Hostaccess variable to pass to updown script.
>                 # hostaccess = yes
>
>                 # IPsec Mode to establish (tunnel, transport, beet, pass or
>                 # drop).
>                 mode = transport
>
>                 # Whether to install IPsec policies or not.
>                 policies = yes
>
>                 # Action to perform on DPD timeout (clear, trap or restart).
>                 # dpd_action = clear
>
>                 # Enable IPComp compression before encryption.
>                 # ipcomp = no
>
>                 # Timeout before closing CHILD_SA after inactivity.
>                 # inactivity = 0s
>
>                 # Fixed reqid to use for this CHILD_SA.
>                 # reqid = 0
>
>                 # Netfilter mark and mask for input traffic.
>                 # mark_in = 0/0x00000000
>
>                 # Netfilter mark and mask for output traffic.
>                 # mark_out = 0/0x00000000
>
>                 # Traffic Flow Confidentiality padding.
>                 # tfc_padding = 0
>
>                 # IPsec replay window to configure for this CHILD_SA.
>                 # replay_window = 32
>
>                 # Action to perform after loading the configuration (none, trap,
>                 # start).
>                 # start_action = none
>
>                 # Action to perform after a CHILD_SA gets closed (none, trap,
>                 # start).
>                 # close_action = none
>
>             }
>
>         }
>
>     }
>
> }