/testing/guestbin/swan-prep
[root@west basic-pluto-02]# # confirm that the network is alive
[root@west basic-pluto-02]# ../../pluto/bin/wait-until-alive -I 192.0.1.254 192.0.2.254
destination -I 192.0.1.254 192.0.2.254 is alive
[root@west basic-pluto-02]# # adding some routes to sow confusion on purpose
[root@west basic-pluto-02]# ip route add 192.168.1.1 via 192.0.1.254 dev eth0
[root@west basic-pluto-02]# ip route add 192.168.1.2 via 192.1.2.45 dev eth1
[root@west basic-pluto-02]# ip route add 192.168.1.16/28 via 192.1.2.45 dev eth1
[root@west basic-pluto-02]# ip route add 25.1.0.0/16 via 192.0.1.254
[root@west basic-pluto-02]# ip route add 25.2.0.0/16 via 192.1.2.45
[root@west basic-pluto-02]# ipsec start
Error: Peer netns reference is invalid.
Redirecting to: /etc/init.d/ipsec start
Error: Peer netns reference is invalid.
Starting pluto IKE daemon for IPsec:
[root@west basic-pluto-02]# /testing/pluto/bin/wait-until-pluto-started
[root@west basic-pluto-02]# ipsec auto --add westnet-all
002 added connection description "westnet-all"
[root@west basic-pluto-02]# ip route list
default via 192.1.2.254 dev eth1
25.1.0.0/16 via 192.0.1.254 dev eth0
25.2.0.0/16 via 192.1.2.45 dev eth1
192.0.1.0/24 dev eth0 proto kernel scope link src 192.0.1.254
192.0.2.0/24 via 192.1.2.23 dev eth1
192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.45
192.168.1.1 via 192.0.1.254 dev eth0
192.168.1.2 via 192.1.2.45 dev eth1
192.168.1.16/28 via 192.1.2.45 dev eth1
[root@west basic-pluto-02]# for i in `seq 1 12`; do ipsec auto --add orient$i; done
002 added connection description "orient1"
002 added connection description "orient2"
002 added connection description "orient3"
002 added connection description "orient4"
002 added connection description "orient5"
002 added connection description "orient6"
002 added connection description "orient7"
002 added connection description "orient8"
002 added connection description "orient9"
002 added connection description "orient10"
002 added connection description "orient11"
002 added connection description "orient12"
[root@west basic-pluto-02]# ipsec auto --status |grep orient |grep "eroute owner"
000 "orient1": 192.1.2.45---192.1.2.254...%any; unrouted; eroute owner: #0
000 "orient10": 192.1.2.45---192.1.2.254...8.8.8.8<8.8.8.8>; unrouted; eroute owner: #0
000 "orient11": 192.1.2.45---192.1.2.254...8.8.8.8<8.8.8.8>; unrouted; eroute owner: #0
000 "orient12": 192.1.2.45---192.1.2.254...8.8.8.8<8.8.8.8>; unrouted; eroute owner: #0
000 "orient2": 192.1.2.45---192.1.2.254...%any; unrouted; eroute owner: #0
000 "orient3": 192.1.2.45---192.1.2.254...%any; unrouted; eroute owner: #0
000 "orient4": 192.1.2.45---192.1.2.254...%any; unrouted; eroute owner: #0
000 "orient5": 192.1.2.45<192.1.2.45>...8.8.8.8<8.8.8.8>; unrouted; eroute owner: #0
000 "orient6": 192.1.2.45<192.1.2.45>---192.1.2.254...8.8.8.8<8.8.8.8>; unrouted; eroute owner: #0
000 "orient7": 192.1.2.45<192.1.2.45>---192.1.2.254...8.8.8.8<8.8.8.8>; unrouted; eroute owner: #0
000 "orient8": 192.1.2.45<192.1.2.45>...8.8.8.8<8.8.8.8>; unrouted; eroute owner: #0
000 "orient9": 192.1.2.45---192.1.2.254...8.8.8.8<8.8.8.8>; unrouted; eroute owner: #0
[root@west basic-pluto-02]# ipsec whack --impair suppress-retransmits
[root@west basic-pluto-02]# echo "initdone"
initdone
[root@west basic-pluto-02]# ipsec auto --up westnet-all
002 "westnet-all" #1: initiating Main Mode
002 "westnet-all" #1: IMPAIR: suppressing retransmits; scheduling timeout in 60 seconds
102 "westnet-all" #1: STATE_MAIN_I1: initiate
002 "westnet-all" #1: IMPAIR: suppressing retransmits; scheduling timeout in 60 seconds
104 "westnet-all" #1: STATE_MAIN_I2: sent MI2, expecting MR2
002 "westnet-all" #1: IMPAIR: suppressing retransmits; scheduling timeout in 60 seconds
106 "westnet-all" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "westnet-all" #1: Peer ID is ID_FQDN: '@east'
003 "westnet-all" #1: Authenticated using RSA
004 "westnet-all" #1: STATE_MAIN_I4: ISAKMP SA established {auth=RSA_SIG cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
002 "westnet-all" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:cf9e59cf proposal=defaults pfsgroup=MODP2048}
002 "westnet-all" #2: IMPAIR: suppressing retransmits; scheduling timeout in 60 seconds
115 "westnet-all" #2: STATE_QUICK_I1: initiate
004 "westnet-all" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xe5280fbd <0xec24f332 xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive}
[root@west basic-pluto-02]# ping -n -c 4 -I 192.0.1.254 192.0.2.254
PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data.
64 bytes from 192.0.2.254: icmp_seq=1 ttl=64 time=0.075 ms
64 bytes from 192.0.2.254: icmp_seq=2 ttl=64 time=0.502 ms
64 bytes from 192.0.2.254: icmp_seq=3 ttl=64 time=0.073 ms
64 bytes from 192.0.2.254: icmp_seq=4 ttl=64 time=0.076 ms
--- 192.0.2.254 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 79ms
rtt min/avg/max/mdev = 0.073/0.181/0.502/0.185 ms
[root@west basic-pluto-02]# ipsec trafficstatus
006 #2: "westnet-all", type=ESP, add_time=0, inBytes=336, outBytes=336, id='@east'
[root@west basic-pluto-02]# ip route list
default via 192.1.2.254 dev eth1
25.1.0.0/16 via 192.0.1.254 dev eth0
25.2.0.0/16 via 192.1.2.45 dev eth1
192.0.1.0/24 dev eth0 proto kernel scope link src 192.0.1.254
192.0.2.0/24 via 192.1.2.23 dev eth1
192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.45
192.168.1.1 via 192.0.1.254 dev eth0
192.168.1.2 via 192.1.2.45 dev eth1
192.168.1.16/28 via 192.1.2.45 dev eth1
[root@west basic-pluto-02]# # testing re-orienting
[root@west basic-pluto-02]# ipsec auto --replace westnet-all
002 "westnet-all": terminating SAs using this connection
002 "westnet-all" #2: deleting state (STATE_QUICK_I2) aged 3.412s and sending notification
005 "westnet-all" #2: ESP traffic information: in=336B out=336B
002 "westnet-all" #1: deleting state (STATE_MAIN_I4) aged 3.444s and sending notification
002 "westnet-all": unroute-client output: Error: Peer netns reference is invalid.
002 added connection description "westnet-all"
[root@west basic-pluto-02]# ipsec auto --status |grep westnet
000 "westnet-all": 192.0.1.0/24===192.1.2.45<192.1.2.45>[@west]...192.1.2.23<192.1.2.23>[@east]===0.0.0.0/0; unrouted; eroute owner: #0
000 "westnet-all": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "westnet-all": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "westnet-all": our auth:rsasig, their auth:rsasig
000 "westnet-all": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "westnet-all": labeled_ipsec:no;
000 "westnet-all": policy_label:unset;
000 "westnet-all": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "westnet-all": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "westnet-all": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "westnet-all": policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "westnet-all": conn_prio: 24,0; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "westnet-all": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "westnet-all": our idtype: ID_FQDN; our id=@west; their idtype: ID_FQDN; their id=@east
000 "westnet-all": dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "westnet-all": newest ISAKMP SA: #0; newest IPsec SA: #0;
[root@west basic-pluto-02]# echo done
done
[root@west basic-pluto-02]# ../../pluto/bin/ipsec-look.sh
==== cut ====
start raw xfrm state:
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket in priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket in priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket in priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket in priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket in priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket in priority 0 ptype main \
end raw xfrm state:
==== tuc ====
west Mon Aug 26 13:08:34 UTC 2019
XFRM state:
XFRM policy:
XFRM done
IPSEC mangle TABLES
NEW_IPSEC_CONN mangle TABLES
ROUTING TABLES
default via 192.1.2.254 dev eth1
25.1.0.0/16 via 192.0.1.254 dev eth0
25.2.0.0/16 via 192.1.2.45 dev eth1
192.0.1.0/24 dev eth0 proto kernel scope link src 192.0.1.254
192.0.2.0/24 via 192.1.2.23 dev eth1
192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.45
192.168.1.1 via 192.0.1.254 dev eth0
192.168.1.2 via 192.1.2.45 dev eth1
192.168.1.16/28 via 192.1.2.45 dev eth1
NSS_CERTIFICATES
Certificate Nickname  Trust Attributes
SSL,S/MIME,JAR/XPI
[root@west basic-pluto-02]# ../../pluto/bin/xfrmcheck.sh
[root@west basic-pluto-02]# : ==== cut ====
[root@west basic-pluto-02]# ipsec auto --status
000 using kernel interface: netkey
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 192.0.1.254:4500
000 interface eth0/eth0 192.0.1.254:500
000 interface eth1/eth1 192.1.2.45:4500
000 interface eth1/eth1 192.1.2.45:500
000
000
000 fips mode=disabled;
000 SElinux=disabled
000 seccomp=disabled
000
000 config setup options:
000
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d
000 nssdir=/etc/ipsec.d, dumpdir=/tmp, statsbin=unset
000 dnssec-rootkey-file=/var/lib/unbound/root.key, dnssec-trusted=
000 sbindir=/usr/local/sbin, libexecdir=/usr/local/libexec/ipsec
000 pluto_version=v3.28-685-gbfd5aef521-master-s2, pluto_vendorid=OE-Libreswan-v3.28-685, audit-log=yes
000 nhelpers=-1, uniqueids=yes, dnssec-enable=yes, perpeerlog=no, logappend=no, logip=yes, shuntlifetime=900s, xfrmlifetime=30s
000 ddos-cookies-threshold=50000, ddos-max-halfopen=25000, ddos-mode=auto
000 ikeport=500, ikebuf=0, msg_errqueue=yes, strictcrlpolicy=no, crlcheckinterval=0, listen=, nflog-all=0
000 ocsp-enable=no, ocsp-strict=no, ocsp-timeout=2, ocsp-uri=
000 ocsp-trust-name=
000 ocsp-cache-size=1000, ocsp-cache-min-age=3600, ocsp-cache-max-age=86400, ocsp-method=get
000 global-redirect=no, global-redirect-to=
000 secctx-attr-type=32001
000 debug: base+cpu-usage impair: suppress-retransmits
000
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000
000 Kernel algorithms supported:
000
000 algorithm ESP encrypt: name=3DES_CBC, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: name=AES_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CTR, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CAMELLIA_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CHACHA20_POLY1305, keysizemin=256, keysizemax=256
000 algorithm ESP encrypt: name=NULL, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: name=NULL_AUTH_AES_GMAC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=SERPENT_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=TWOFISH_CBC, keysizemin=128, keysizemax=256
000 algorithm AH/ESP auth: name=AES_CMAC_96, key-length=128
000 algorithm AH/ESP auth: name=AES_XCBC_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_MD5_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_SHA1_96, key-length=160
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_128, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_TRUNCBUG, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_384_192, key-length=384
000 algorithm AH/ESP auth: name=HMAC_SHA2_512_256, key-length=512
000 algorithm AH/ESP auth: name=NONE, key-length=0
000
000 IKE algorithms supported:
000
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC, v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC, v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH, v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=28, v2name=CHACHA20_POLY1305, blocksize=16, keydeflen=256
000 algorithm IKE PRF: name=HMAC_MD5, hashlen=16
000 algorithm IKE PRF: name=HMAC_SHA1, hashlen=20
000 algorithm IKE PRF: name=HMAC_SHA2_256, hashlen=32
000 algorithm IKE PRF: name=HMAC_SHA2_384, hashlen=48
000 algorithm IKE PRF: name=HMAC_SHA2_512, hashlen=64
000 algorithm IKE PRF: name=AES_XCBC, hashlen=16
000 algorithm IKE DH Key Exchange: name=MODP1536, bits=1536
000 algorithm IKE DH Key Exchange: name=MODP2048, bits=2048
000 algorithm IKE DH Key Exchange: name=MODP3072, bits=3072
000 algorithm IKE DH Key Exchange: name=MODP4096, bits=4096
000 algorithm IKE DH Key Exchange: name=MODP6144, bits=6144
000 algorithm IKE DH Key Exchange: name=MODP8192, bits=8192
000 algorithm IKE DH Key Exchange: name=DH19, bits=512
000 algorithm IKE DH Key Exchange: name=DH20, bits=768
000 algorithm IKE DH Key Exchange: name=DH21, bits=1056
000 algorithm IKE DH Key Exchange: name=DH31, bits=256
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 Connection list:
000
000 "orient1": 192.1.2.45---192.1.2.254...%any; unrouted; eroute owner: #0
000 "orient1": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "orient1": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "orient1": our auth:secret, their auth:secret
000 "orient1": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "orient1": labeled_ipsec:no;
000 "orient1": policy_label:unset;
000 "orient1": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "orient1": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "orient1": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "orient1": policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "orient1": conn_prio: 32,32; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "orient1": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "orient1": our idtype: ID_IPV4_ADDR; our id=%any; their idtype: %none; their id=(none)
000 "orient1": dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "orient1": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "orient10": 192.1.2.45---192.1.2.254...8.8.8.8<8.8.8.8>; unrouted; eroute owner: #0
000 "orient10": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "orient10": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "orient10": our auth:secret, their auth:secret
000 "orient10": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "orient10": labeled_ipsec:no;
000 "orient10": policy_label:unset;
000 "orient10": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "orient10": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "orient10": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "orient10": policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "orient10": conn_prio: 32,32; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "orient10": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "orient10": our idtype: ID_IPV4_ADDR; our id=%any; their idtype: ID_IPV4_ADDR; their id=8.8.8.8
000 "orient10": dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "orient10": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "orient11": 192.1.2.45---192.1.2.254...8.8.8.8<8.8.8.8>; unrouted; eroute owner: #0
000 "orient11": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "orient11": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "orient11": our auth:secret, their auth:secret
000 "orient11": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "orient11": labeled_ipsec:no;
000 "orient11": policy_label:unset;
000 "orient11": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "orient11": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "orient11": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "orient11": policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "orient11": conn_prio: 32,32; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "orient11": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "orient11": our idtype: ID_IPV4_ADDR; our id=%any; their idtype: ID_IPV4_ADDR; their id=8.8.8.8
000 "orient11": dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "orient11": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "orient12": 192.1.2.45---192.1.2.254...8.8.8.8<8.8.8.8>; unrouted; eroute owner: #0
000 "orient12": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "orient12": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "orient12": our auth:secret, their auth:secret
000 "orient12": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "orient12": labeled_ipsec:no;
000 "orient12": policy_label:unset;
000 "orient12": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "orient12": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "orient12": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "orient12": policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "orient12": conn_prio: 32,32; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "orient12": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "orient12": our idtype: ID_IPV4_ADDR; our id=%any; their idtype: ID_IPV4_ADDR; their id=8.8.8.8
000 "orient12": dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "orient12": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "orient2": 192.1.2.45---192.1.2.254...%any; unrouted; eroute owner: #0
000 "orient2": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "orient2": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "orient2": our auth:secret, their auth:secret
000 "orient2": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "orient2": labeled_ipsec:no;
000 "orient2": policy_label:unset;
000 "orient2": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "orient2": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "orient2": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "orient2": policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "orient2": conn_prio: 32,32; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "orient2": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "orient2": our idtype: ID_IPV4_ADDR; our id=%any; their idtype: %none; their id=(none)
000 "orient2": dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "orient2": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "orient3": 192.1.2.45---192.1.2.254...%any; unrouted; eroute owner: #0
000 "orient3": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "orient3": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "orient3": our auth:secret, their auth:secret
000 "orient3": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "orient3": labeled_ipsec:no;
000 "orient3": policy_label:unset;
000 "orient3": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "orient3": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "orient3": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "orient3": policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "orient3": conn_prio: 32,32; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "orient3": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "orient3": our idtype: ID_IPV4_ADDR; our id=%any; their idtype: %none; their id=(none)
000 "orient3": dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "orient3": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "orient4": 192.1.2.45---192.1.2.254...%any; unrouted; eroute owner: #0
000 "orient4": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "orient4": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "orient4": our auth:secret, their auth:secret
000 "orient4": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "orient4": labeled_ipsec:no;
000 "orient4": policy_label:unset;
000 "orient4": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "orient4": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "orient4": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "orient4": policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "orient4": conn_prio: 32,32; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "orient4": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "orient4": our idtype: ID_IPV4_ADDR; our id=%any; their idtype: %none; their id=(none)
000 "orient4": dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "orient4": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "orient5": 192.1.2.45<192.1.2.45>...8.8.8.8<8.8.8.8>; unrouted; eroute owner: #0
000 "orient5": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "orient5": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "orient5": our auth:secret, their auth:secret
000 "orient5": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "orient5": labeled_ipsec:no;
000 "orient5": policy_label:unset;
000 "orient5": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "orient5": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "orient5": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "orient5": policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "orient5": conn_prio: 32,32; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "orient5": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "orient5": our idtype: ID_IPV4_ADDR; our id=192.1.2.45; their idtype: ID_IPV4_ADDR; their id=8.8.8.8
000 "orient5": dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "orient5": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "orient6": 192.1.2.45<192.1.2.45>---192.1.2.254...8.8.8.8<8.8.8.8>; unrouted; eroute owner: #0
000 "orient6": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "orient6": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "orient6": our auth:secret, their auth:secret
000 "orient6": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "orient6": labeled_ipsec:no;
000 "orient6": policy_label:unset;
000 "orient6": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "orient6": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "orient6": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "orient6": policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "orient6": conn_prio: 32,32; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "orient6": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "orient6": our idtype: ID_IPV4_ADDR; our id=192.1.2.45; their idtype: ID_IPV4_ADDR; their id=8.8.8.8
000 "orient6": dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "orient6": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "orient7": 192.1.2.45<192.1.2.45>---192.1.2.254...8.8.8.8<8.8.8.8>; unrouted; eroute owner: #0
000 "orient7": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "orient7": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "orient7": our auth:secret, their auth:secret
000 "orient7": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "orient7": labeled_ipsec:no;
000 "orient7": policy_label:unset;
000 "orient7": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "orient7": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "orient7": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "orient7": policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "orient7": conn_prio: 32,32; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "orient7": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "orient7": our idtype: ID_IPV4_ADDR; our id=192.1.2.45; their idtype: ID_IPV4_ADDR; their id=8.8.8.8
000 "orient7": dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "orient7": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "orient8": 192.1.2.45<192.1.2.45>...8.8.8.8<8.8.8.8>; unrouted; eroute owner: #0
000 "orient8": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "orient8": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "orient8": our auth:secret, their auth:secret
000 "orient8": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "orient8": labeled_ipsec:no;
000 "orient8": policy_label:unset;
000 "orient8": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "orient8": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "orient8": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "orient8": policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "orient8": conn_prio: 32,32; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "orient8": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "orient8": our idtype: ID_IPV4_ADDR; our id=192.1.2.45; their idtype: ID_IPV4_ADDR; their id=8.8.8.8 000 "orient8": dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both 000 "orient8": newest ISAKMP SA: #0; newest IPsec SA: #0; 000 "orient9": 192.1.2.45---192.1.2.254...8.8.8.8<8.8.8.8>; unrouted; eroute owner: #0 000 "orient9": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown; 000 "orient9": xauth us:none, xauth them:none, my_username=[any]; their_username=[any] 000 "orient9": our auth:secret, their auth:secret 000 "orient9": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset; 000 "orient9": labeled_ipsec:no; 000 "orient9": policy_label:unset; 000 "orient9": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; 000 "orient9": retransmit-interval: 500ms; retransmit-timeout: 60s; 000 "orient9": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no; 000 "orient9": policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO; 000 "orient9": conn_prio: 32,32; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none; 000 "orient9": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto; 000 "orient9": our idtype: ID_IPV4_ADDR; our id=%any; their idtype: ID_IPV4_ADDR; their id=8.8.8.8 000 "orient9": dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both 000 "orient9": newest ISAKMP SA: #0; newest IPsec SA: #0; 000 "westnet-all": 192.0.1.0/24===192.1.2.45<192.1.2.45>[@west]...192.1.2.23<192.1.2.23>[@east]===0.0.0.0/0; unrouted; eroute owner: #0 000 "westnet-all": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown; 000 "westnet-all": xauth us:none, xauth them:none, my_username=[any]; their_username=[any] 000 "westnet-all": our auth:rsasig, their 
auth:rsasig 000 "westnet-all": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset; 000 "westnet-all": labeled_ipsec:no; 000 "westnet-all": policy_label:unset; 000 "westnet-all": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; 000 "westnet-all": retransmit-interval: 500ms; retransmit-timeout: 60s; 000 "westnet-all": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no; 000 "westnet-all": policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO; 000 "westnet-all": conn_prio: 24,0; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none; 000 "westnet-all": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto; 000 "westnet-all": our idtype: ID_FQDN; our id=@west; their idtype: ID_FQDN; their id=@east 000 "westnet-all": dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both 000 "westnet-all": newest ISAKMP SA: #0; newest IPsec SA: #0; 000 000 Total IPsec connections: loaded 13, active 0 000 000 State Information: DDoS cookies not required, Accepting new IKE connections 000 IKE SAs: total(0), half-open(0), open(0), authenticated(0), anonymous(0) 000 IPsec SAs: total(0), authenticated(0), anonymous(0) 000 000 Bare Shunt list: 000 kroot@swantest:/home/build/libreswan/testing/pluto/basic-pluto-02\[root@west basic-pluto-02]# : ==== tuc ==== kroot@swantest:/home/build/libreswan/testing/pluto/basic-pluto-02\[root@west basic-pluto-02]# ipsec whack --shutdown 002 shutting down kroot@swantest:/home/build/libreswan/testing/pluto/basic-pluto-02\[root@west basic-pluto-02]# ../bin/check-for-core.sh kroot@swantest:/home/build/libreswan/testing/pluto/basic-pluto-02\[root@west basic-pluto-02]# if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi type=AVC msg=audit(1566824781.750:169760): avc: denied { write 
} for pid=5361 comm="ip" path="/tmp/pluto.log" dev="dm-0" ino=942309374 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:container_file_t:s0:c718,c778 tclass=file permissive=1 type=AVC msg=audit(1566824913.093:172118): avc: denied { write } for pid=16031 comm="ip" path="/tmp/pluto.log" dev="dm-0" ino=577458986 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:container_file_t:s0:c718,c778 tclass=file permissive=1 type=AVC msg=audit(1566824913.794:172159): avc: denied { write } for pid=16821 comm="ip" path="/tmp/pluto.log" dev="dm-0" ino=577459836 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:container_file_t:s0:c718,c778 tclass=file permissive=1 kroot@swantest:/home/build/libreswan/testing/pluto/basic-pluto-02\[root@west basic-pluto-02]# : ==== end ==== kroot@swantest:/home/build/libreswan/testing/pluto/basic-pluto-02\[root@west basic-pluto-02]#