/testing/guestbin/swan-prep --x509
Preparing X.509 files
[root@north certoe-07-nat-2-clients]# certutil -D -n road -d sql:/etc/ipsec.d
[root@north certoe-07-nat-2-clients]# certutil -D -n north -d sql:/etc/ipsec.d
[root@north certoe-07-nat-2-clients]# certutil -D -n east -d sql:/etc/ipsec.d
[root@north certoe-07-nat-2-clients]# cp road-ikev2-oe.conf /etc/ipsec.d/ikev2-oe.conf
[root@north certoe-07-nat-2-clients]# cp policies/* /etc/ipsec.d/policies/
[root@north certoe-07-nat-2-clients]# echo "192.1.2.0/24" >> /etc/ipsec.d/policies/private-or-clear
[root@north certoe-07-nat-2-clients]# restorecon -R /etc/ipsec.d
[root@north certoe-07-nat-2-clients]# ipsec start
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Redirecting to: /etc/init.d/ipsec start
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Starting pluto IKE daemon for IPsec:
[root@north certoe-07-nat-2-clients]# /testing/pluto/bin/wait-until-pluto-started
[root@north certoe-07-nat-2-clients]# ipsec whack --impair suppress-retransmits
[root@north certoe-07-nat-2-clients]# # ensure for tests acquires expire before our failureshunt=2m
[root@north certoe-07-nat-2-clients]# echo 30 > /proc/sys/net/core/xfrm_acq_expires
[root@north certoe-07-nat-2-clients]# # give OE policies time to load
[root@north certoe-07-nat-2-clients]# sleep 5
[root@north certoe-07-nat-2-clients]# # one packet, which gets eaten by XFRM, so east does not initiate
[root@north certoe-07-nat-2-clients]# ping -n -c 1 -I 192.1.3.33 192.1.2.23
PING 192.1.2.23 (192.1.2.23) from 192.1.3.33 : 56(84) bytes of data.

--- 192.1.2.23 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
[root@north certoe-07-nat-2-clients 1]# >>>>>>>>>>cutnonzeroexit>>>>>>>>>> exit status 1 northinit.sh 'ping -n -c 1 -I 192.1.3.33 192.1.2.23' <<<<<<<<<<tuc<<<<<<<<<<# wait on OE IKE negotiation
[root@north certoe-07-nat-2-clients 1]# >>>>>>>>>>cutnonzeroexit>>>>>>>>>> exit status 1 northinit.sh '# wait on OE IKE negotiation' <<<<<<<<<<tuc<<<<<<<<<<sleep 1
[root@north certoe-07-nat-2-clients]# ping -n -c 2 -I 192.1.3.33 192.1.2.23
PING 192.1.2.23 (192.1.2.23) from 192.1.3.33 : 56(84) bytes of data.

--- 192.1.2.23 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 37ms
[root@north certoe-07-nat-2-clients 1]# >>>>>>>>>>cutnonzeroexit>>>>>>>>>> exit status 1 northinit.sh 'ping -n -c 2 -I 192.1.3.33 192.1.2.23' <<<<<<<<<<tuc<<<<<<<<<<# ping should succeed through tunnel
[root@north certoe-07-nat-2-clients 1]# >>>>>>>>>>cutnonzeroexit>>>>>>>>>> exit status 1 northinit.sh '# ping should succeed through tunnel' <<<<<<<<<<tuc<<<<<<<<<<# should show established tunnel and no bare shunts
[root@north certoe-07-nat-2-clients 1]# >>>>>>>>>>cutnonzeroexit>>>>>>>>>> exit status 1 northinit.sh '# should show established tunnel and no bare shunts' <<<<<<<<<<tuc<<<<<<<<<<ipsec whack --trafficstatus
[root@north certoe-07-nat-2-clients]# ipsec whack --shuntstatus
000 Bare Shunt list:
000 
[root@north certoe-07-nat-2-clients]# ../../pluto/bin/ipsec-look.sh
==== cut ====
start raw xfrm state:
src 192.1.3.33/32 dst 192.1.2.23/32 \
	dir out priority 1564647 ptype main \
src 192.1.3.33/32 dst 192.1.2.0/24 \
	dir out priority 1564647 ptype main \
	tmpl src 0.0.0.0 dst 0.0.0.0\
		proto esp reqid 0 mode transport\
src 192.1.2.253/32 dst 192.1.3.33/32 \
	dir fwd priority 1564639 ptype main \
src 192.1.2.253/32 dst 192.1.3.33/32 \
	dir in priority 1564639 ptype main \
src 192.1.3.33/32 dst 192.1.2.253/32 \
	dir out priority 1564639 ptype main \
src 192.1.3.253/32 dst 192.1.3.33/32 \
	dir fwd priority 1564639 ptype main \
src 192.1.3.253/32 dst 192.1.3.33/32 \
	dir in priority 1564639 ptype main \
src 192.1.3.33/32 dst 192.1.3.253/32 \
	dir out priority 1564639 ptype main \
src 192.1.3.254/32 dst 192.1.3.33/32 \
	dir fwd priority 1564639 ptype main \
src 192.1.3.254/32 dst 192.1.3.33/32 \
	dir in priority 1564639 ptype main \
src 192.1.3.33/32 dst 192.1.3.254/32 \
	dir out priority 1564639 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \
	socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \
	socket in priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \
	socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \
	socket in priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \
	socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \
	socket in priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \
	socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \
	socket in priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \
	socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \
	socket in priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \
	socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \
	socket in priority 0 ptype main \
end raw xfrm state:
==== tuc ====
north Mon Aug 26 18:31:59 UTC 2019
XFRM state:
src 192.1.2.23 dst 192.1.3.33
	proto esp spi 0x39c2f5f7 reqid 16433 mode tunnel
	replay-window 0
	anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
	sel src 192.1.2.23/32 dst 192.1.3.33/32
src 192.1.3.33 dst 192.1.2.23
	proto esp spi 0x00000000 reqid 0 mode transport
	replay-window 0
	anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
	sel src 192.1.3.33/32 dst 192.1.2.23/32 proto icmp type 8 code 0 dev eth1
XFRM policy:
src 192.1.2.253/32 dst 192.1.3.33/32
	dir fwd priority 1564639 ptype main
src 192.1.2.253/32 dst 192.1.3.33/32
	dir in priority 1564639 ptype main
src 192.1.3.253/32 dst 192.1.3.33/32
	dir fwd priority 1564639 ptype main
src 192.1.3.253/32 dst 192.1.3.33/32
	dir in priority 1564639 ptype main
src 192.1.3.254/32 dst 192.1.3.33/32
	dir fwd priority 1564639 ptype main
src 192.1.3.254/32 dst 192.1.3.33/32
	dir in priority 1564639 ptype main
src 192.1.3.33/32 dst 192.1.2.253/32
	dir out priority 1564639 ptype main
src 192.1.3.33/32 dst 192.1.3.253/32
	dir out priority 1564639 ptype main
src 192.1.3.33/32 dst 192.1.3.254/32
	dir out priority 1564639 ptype main
src 192.1.3.33/32 dst 192.1.2.0/24
	dir out priority 1564647 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
src 192.1.3.33/32 dst 192.1.2.23/32
	dir out priority 1564647 ptype main
XFRM done
IPSEC mangle TABLES
NEW_IPSEC_CONN mangle TABLES
ROUTING TABLES
default via 192.1.3.254 dev eth1
192.0.3.0/24 dev eth0 proto kernel scope link src 192.0.3.254
192.1.3.0/24 dev eth1 proto kernel scope link src 192.1.3.33
NSS_CERTIFICATES

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Libreswan test CA for mainca - Libreswan                     CT,,
east-ec                                                      P,,
hashsha1                                                     P,,
nic                                                          P,,
west                                                         P,,
west-ec                                                      P,,
[root@north certoe-07-nat-2-clients]# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
[root@north certoe-07-nat-2-clients]# echo done
done
[root@north certoe-07-nat-2-clients]# echo "initdone"
initdone
[root@north certoe-07-nat-2-clients]# # A tunnel should have established with non-zero byte counters
[root@north certoe-07-nat-2-clients]# ping -n -c 4 192.1.2.23
PING 192.1.2.23 (192.1.2.23) 56(84) bytes of data.

--- 192.1.2.23 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 64ms
[root@north certoe-07-nat-2-clients 1]# >>>>>>>>>>cutnonzeroexit>>>>>>>>>> exit status 1 final.sh 'ping -n -c 4 192.1.2.23' <<<<<<<<<<tuc<<<<<<<<<<# jacob two two for east?
[root@north certoe-07-nat-2-clients 1]# >>>>>>>>>>cutnonzeroexit>>>>>>>>>> exit status 1 final.sh '# jacob two two for east?' <<<<<<<<<<tuc<<<<<<<<<<ipsec whack --trafficstatus
[root@north certoe-07-nat-2-clients]# ipsec whack --trafficstatus
[root@north certoe-07-nat-2-clients]# ../../pluto/bin/ipsec-look.sh | sed "s/\(.\)port [0-9][0-9][0-9][0-9] /\1port XXXX /g"
==== cut ====
start raw xfrm state:
src 192.1.3.33/32 dst 192.1.2.23/32 \
	dir out priority 1564647 ptype main \
src 192.1.3.33/32 dst 192.1.2.0/24 \
	dir out priority 1564647 ptype main \
	tmpl src 0.0.0.0 dst 0.0.0.0\
		proto esp reqid 0 mode transport\
src 192.1.2.253/32 dst 192.1.3.33/32 \
	dir fwd priority 1564639 ptype main \
src 192.1.2.253/32 dst 192.1.3.33/32 \
	dir in priority 1564639 ptype main \
src 192.1.3.33/32 dst 192.1.2.253/32 \
	dir out priority 1564639 ptype main \
src 192.1.3.253/32 dst 192.1.3.33/32 \
	dir fwd priority 1564639 ptype main \
src 192.1.3.253/32 dst 192.1.3.33/32 \
	dir in priority 1564639 ptype main \
src 192.1.3.33/32 dst 192.1.3.253/32 \
	dir out priority 1564639 ptype main \
src 192.1.3.254/32 dst 192.1.3.33/32 \
	dir fwd priority 1564639 ptype main \
src 192.1.3.254/32 dst 192.1.3.33/32 \
	dir in priority 1564639 ptype main \
src 192.1.3.33/32 dst 192.1.3.254/32 \
	dir out priority 1564639 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \
	socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \
	socket in priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \
	socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \
	socket in priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \
	socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \
	socket in priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \
	socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \
	socket in priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \
	socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \
	socket in priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \
	socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \
	socket in priority 0 ptype main \
end raw xfrm state:
==== tuc ====
north Mon Aug 26 18:32:51 UTC 2019
XFRM state:
src 192.1.3.33 dst 192.1.2.23
	proto esp spi 0x00000000 reqid 0 mode transport
	replay-window 0
	anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
	sel src 192.1.3.33/32 dst 192.1.2.23/32 proto udp sport 36404 dport XXXX dev eth1
src 192.1.2.23 dst 192.1.3.33
	proto esp spi 0x83aec089 reqid 16433 mode tunnel
	replay-window 0
	anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
	sel src 192.1.2.23/32 dst 192.1.3.33/32
XFRM policy:
src 192.1.2.253/32 dst 192.1.3.33/32
	dir fwd priority 1564639 ptype main
src 192.1.2.253/32 dst 192.1.3.33/32
	dir in priority 1564639 ptype main
src 192.1.3.253/32 dst 192.1.3.33/32
	dir fwd priority 1564639 ptype main
src 192.1.3.253/32 dst 192.1.3.33/32
	dir in priority 1564639 ptype main
src 192.1.3.254/32 dst 192.1.3.33/32
	dir fwd priority 1564639 ptype main
src 192.1.3.254/32 dst 192.1.3.33/32
	dir in priority 1564639 ptype main
src 192.1.3.33/32 dst 192.1.2.253/32
	dir out priority 1564639 ptype main
src 192.1.3.33/32 dst 192.1.3.253/32
	dir out priority 1564639 ptype main
src 192.1.3.33/32 dst 192.1.3.254/32
	dir out priority 1564639 ptype main
src 192.1.3.33/32 dst 192.1.2.0/24
	dir out priority 1564647 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
src 192.1.3.33/32 dst 192.1.2.23/32
	dir out priority 1564647 ptype main
XFRM done
IPSEC mangle TABLES
NEW_IPSEC_CONN mangle TABLES
ROUTING TABLES
default via 192.1.3.254 dev eth1
192.0.3.0/24 dev eth0 proto kernel scope link src 192.0.3.254
192.1.3.0/24 dev eth1 proto kernel scope link src 192.1.3.33
NSS_CERTIFICATES

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Libreswan test CA for mainca - Libreswan                     CT,,
east-ec                                                      P,,
hashsha1                                                     P,,
nic                                                          P,,
west                                                         P,,
west-ec                                                      P,,
[root@north certoe-07-nat-2-clients]# # you should see both RSA and NULL
[root@north certoe-07-nat-2-clients]# grep IKEv2_AUTH_ /tmp/pluto.log
|    auth method: IKEv2_AUTH_NULL (0xd)
|    auth method: IKEv2_AUTH_RSA (0x1)
|    auth method: IKEv2_AUTH_NULL (0xd)
|    auth method: IKEv2_AUTH_RSA (0x1)
[root@north certoe-07-nat-2-clients]# : ==== cut ====
[root@north certoe-07-nat-2-clients]# ipsec auto --status
000 using kernel interface: netkey
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 192.0.3.254:4500
000 interface eth0/eth0 192.0.3.254:500
000 interface eth1/eth1 192.1.3.33:4500
000 interface eth1/eth1 192.1.3.33:500
000 
000 
000 fips mode=disabled;
000 SElinux=disabled
000 seccomp=disabled
000 
000 config setup options:
000 
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d
000 nssdir=/etc/ipsec.d, dumpdir=/tmp, statsbin=unset
000 dnssec-rootkey-file=/var/lib/unbound/root.key, dnssec-trusted=<unset>
000 sbindir=/usr/local/sbin, libexecdir=/usr/local/libexec/ipsec
000 pluto_version=v3.28-685-gbfd5aef521-master-s2, pluto_vendorid=OE-Libreswan-v3.28-685, audit-log=yes
000 nhelpers=-1, uniqueids=yes, dnssec-enable=yes, perpeerlog=no, logappend=no, logip=yes, shuntlifetime=900s, xfrmlifetime=30s
000 ddos-cookies-threshold=50000, ddos-max-halfopen=25000, ddos-mode=auto
000 ikeport=500, ikebuf=0, msg_errqueue=yes, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>, nflog-all=0
000 ocsp-enable=no, ocsp-strict=no, ocsp-timeout=2, ocsp-uri=<unset>
000 ocsp-trust-name=<unset>
000 ocsp-cache-size=1000, ocsp-cache-min-age=3600, ocsp-cache-max-age=86400, ocsp-method=get
000 global-redirect=no, global-redirect-to=<unset>
000 secctx-attr-type=32001
000 debug: base+cpu-usage impair: suppress-retransmits
000 
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000 
000 Kernel algorithms supported:
000 
000 algorithm ESP encrypt: name=3DES_CBC, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: name=AES_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CTR, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CAMELLIA_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CHACHA20_POLY1305, keysizemin=256, keysizemax=256
000 algorithm ESP encrypt: name=NULL, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: name=NULL_AUTH_AES_GMAC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=SERPENT_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=TWOFISH_CBC, keysizemin=128, keysizemax=256
000 algorithm AH/ESP auth: name=AES_CMAC_96, key-length=128
000 algorithm AH/ESP auth: name=AES_XCBC_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_MD5_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_SHA1_96, key-length=160
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_128, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_TRUNCBUG, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_384_192, key-length=384
000 algorithm AH/ESP auth: name=HMAC_SHA2_512_256, key-length=512
000 algorithm AH/ESP auth: name=NONE, key-length=0
000 
000 IKE algorithms supported:
000 
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC, v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC, v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH, v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=28, v2name=CHACHA20_POLY1305, blocksize=16, keydeflen=256
000 algorithm IKE PRF: name=HMAC_MD5, hashlen=16
000 algorithm IKE PRF: name=HMAC_SHA1, hashlen=20
000 algorithm IKE PRF: name=HMAC_SHA2_256, hashlen=32
000 algorithm IKE PRF: name=HMAC_SHA2_384, hashlen=48
000 algorithm IKE PRF: name=HMAC_SHA2_512, hashlen=64
000 algorithm IKE PRF: name=AES_XCBC, hashlen=16
000 algorithm IKE DH Key Exchange: name=MODP1536, bits=1536
000 algorithm IKE DH Key Exchange: name=MODP2048, bits=2048
000 algorithm IKE DH Key Exchange: name=MODP3072, bits=3072
000 algorithm IKE DH Key Exchange: name=MODP4096, bits=4096
000 algorithm IKE DH Key Exchange: name=MODP6144, bits=6144
000 algorithm IKE DH Key Exchange: name=MODP8192, bits=8192
000 algorithm IKE DH Key Exchange: name=DH19, bits=512
000 algorithm IKE DH Key Exchange: name=DH20, bits=768
000 algorithm IKE DH Key Exchange: name=DH21, bits=1056
000 algorithm IKE DH Key Exchange: name=DH31, bits=256
000 
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0} 
000 
000 Connection list:
000 
000 "block": 192.1.3.33---192.1.3.254...%group; unrouted; eroute owner: #0
000 "block":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "block":     xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "block":   our auth:unset, their auth:unset
000 "block":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "block":   labeled_ipsec:no;
000 "block":   policy_label:unset;
000 "block":   ike_life: 0s; ipsec_life: 0s; replay_window: 0; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;
000 "block":   retransmit-interval: 0ms; retransmit-timeout: 0s;
000 "block":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "block":   policy: AUTH_NEVER+GROUP+GROUTED+REJECT+NEVER_NEGOTIATE;
000 "block":   conn_prio: 32,32; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "block":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:no;
000 "block":   our idtype: ID_IPV4_ADDR; our id=%any; their idtype: %none; their id=(none)
000 "block":   dpd: action:disabled; delay:0; timeout:0; nat-t: encaps:no; nat_keepalive:no; ikev1_natt:both
000 "block":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear": 192.1.3.33---192.1.3.254...%group; unrouted; eroute owner: #0
000 "clear":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "clear":     xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "clear":   our auth:unset, their auth:unset
000 "clear":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "clear":   labeled_ipsec:no;
000 "clear":   policy_label:unset;
000 "clear":   ike_life: 0s; ipsec_life: 0s; replay_window: 0; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;
000 "clear":   retransmit-interval: 0ms; retransmit-timeout: 0s;
000 "clear":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "clear":   policy: AUTH_NEVER+GROUP+GROUTED+PASS+NEVER_NEGOTIATE;
000 "clear":   conn_prio: 32,32; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "clear":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:no;
000 "clear":   our idtype: ID_IPV4_ADDR; our id=%any; their idtype: %none; their id=(none)
000 "clear":   dpd: action:disabled; delay:0; timeout:0; nat-t: encaps:no; nat_keepalive:no; ikev1_natt:both
000 "clear":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear#192.1.2.253/32": 192.1.3.33---192.1.3.254...%any; prospective erouted; eroute owner: #0
000 "clear#192.1.2.253/32":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "clear#192.1.2.253/32":     xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "clear#192.1.2.253/32":   our auth:unset, their auth:unset
000 "clear#192.1.2.253/32":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "clear#192.1.2.253/32":   labeled_ipsec:no;
000 "clear#192.1.2.253/32":   policy_label:unset;
000 "clear#192.1.2.253/32":   ike_life: 0s; ipsec_life: 0s; replay_window: 0; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;
000 "clear#192.1.2.253/32":   retransmit-interval: 0ms; retransmit-timeout: 0s;
000 "clear#192.1.2.253/32":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "clear#192.1.2.253/32":   policy: AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE;
000 "clear#192.1.2.253/32":   conn_prio: 32,32; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "clear#192.1.2.253/32":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:no;
000 "clear#192.1.2.253/32":   our idtype: ID_IPV4_ADDR; our id=%any; their idtype: %none; their id=(none)
000 "clear#192.1.2.253/32":   dpd: action:disabled; delay:0; timeout:0; nat-t: encaps:no; nat_keepalive:no; ikev1_natt:both
000 "clear#192.1.2.253/32":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear#192.1.3.253/32": 192.1.3.33---192.1.3.254...%any; prospective erouted; eroute owner: #0
000 "clear#192.1.3.253/32":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "clear#192.1.3.253/32":     xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "clear#192.1.3.253/32":   our auth:unset, their auth:unset
000 "clear#192.1.3.253/32":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "clear#192.1.3.253/32":   labeled_ipsec:no;
000 "clear#192.1.3.253/32":   policy_label:unset;
000 "clear#192.1.3.253/32":   ike_life: 0s; ipsec_life: 0s; replay_window: 0; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;
000 "clear#192.1.3.253/32":   retransmit-interval: 0ms; retransmit-timeout: 0s;
000 "clear#192.1.3.253/32":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "clear#192.1.3.253/32":   policy: AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE;
000 "clear#192.1.3.253/32":   conn_prio: 32,32; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "clear#192.1.3.253/32":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:no;
000 "clear#192.1.3.253/32":   our idtype: ID_IPV4_ADDR; our id=%any; their idtype: %none; their id=(none)
000 "clear#192.1.3.253/32":   dpd: action:disabled; delay:0; timeout:0; nat-t: encaps:no; nat_keepalive:no; ikev1_natt:both
000 "clear#192.1.3.253/32":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear#192.1.3.254/32": 192.1.3.33---192.1.3.254...%any; prospective erouted; eroute owner: #0
000 "clear#192.1.3.254/32":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "clear#192.1.3.254/32":     xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "clear#192.1.3.254/32":   our auth:unset, their auth:unset
000 "clear#192.1.3.254/32":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "clear#192.1.3.254/32":   labeled_ipsec:no;
000 "clear#192.1.3.254/32":   policy_label:unset;
000 "clear#192.1.3.254/32":   ike_life: 0s; ipsec_life: 0s; replay_window: 0; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;
000 "clear#192.1.3.254/32":   retransmit-interval: 0ms; retransmit-timeout: 0s;
000 "clear#192.1.3.254/32":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "clear#192.1.3.254/32":   policy: AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE;
000 "clear#192.1.3.254/32":   conn_prio: 32,32; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "clear#192.1.3.254/32":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:no;
000 "clear#192.1.3.254/32":   our idtype: ID_IPV4_ADDR; our id=%any; their idtype: %none; their id=(none)
000 "clear#192.1.3.254/32":   dpd: action:disabled; delay:0; timeout:0; nat-t: encaps:no; nat_keepalive:no; ikev1_natt:both
000 "clear#192.1.3.254/32":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear-or-private": 192.1.3.33[ID_NULL,+MC+CAT+S=C]---192.1.3.254...%opportunisticgroup[%fromcert]; unrouted; eroute owner: #0
000 "clear-or-private":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "clear-or-private":     xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "clear-or-private":   our auth:null, their auth:rsasig
000 "clear-or-private":   modecfg info: us:client, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:set;
000 "clear-or-private":   labeled_ipsec:no;
000 "clear-or-private":   policy_label:unset;
000 "clear-or-private":   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "clear-or-private":   retransmit-interval: 15000ms; retransmit-timeout: 60s;
000 "clear-or-private":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "clear-or-private":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS;
000 "clear-or-private":   conn_prio: 32,0; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "clear-or-private":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "clear-or-private":   our idtype: ID_NULL; our id=ID_NULL; their idtype: %fromcert; their id=%fromcert
000 "clear-or-private":   dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "clear-or-private":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "private": 192.1.3.33[ID_NULL,+MC+CAT+S=C]---192.1.3.254...%opportunisticgroup[%fromcert]; unrouted; eroute owner: #0
000 "private":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "private":     xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "private":   our auth:null, their auth:rsasig
000 "private":   modecfg info: us:client, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:set;
000 "private":   labeled_ipsec:no;
000 "private":   policy_label:unset;
000 "private":   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "private":   retransmit-interval: 15000ms; retransmit-timeout: 60s;
000 "private":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "private":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failureDROP;
000 "private":   conn_prio: 32,0; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "private":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "private":   our idtype: ID_NULL; our id=ID_NULL; their idtype: %fromcert; their id=%fromcert
000 "private":   dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "private":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "private-or-clear": 192.1.3.33[ID_NULL,+MC+CAT+S=C]---192.1.3.254...%opportunisticgroup[%fromcert]; unrouted; eroute owner: #0
000 "private-or-clear":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "private-or-clear":     xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "private-or-clear":   our auth:null, their auth:rsasig
000 "private-or-clear":   modecfg info: us:client, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:set;
000 "private-or-clear":   labeled_ipsec:no;
000 "private-or-clear":   policy_label:unset;
000 "private-or-clear":   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "private-or-clear":   retransmit-interval: 15000ms; retransmit-timeout: 60s;
000 "private-or-clear":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "private-or-clear":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS;
000 "private-or-clear":   conn_prio: 32,0; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "private-or-clear":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "private-or-clear":   our idtype: ID_NULL; our id=ID_NULL; their idtype: %fromcert; their id=%fromcert
000 "private-or-clear":   dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "private-or-clear":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "private-or-clear#192.1.2.0/24": 192.1.3.33[ID_NULL,+MC+CAT+S=C]---192.1.3.254...%opportunistic[%fromcert]===192.1.2.0/24; prospective erouted; eroute owner: #0
000 "private-or-clear#192.1.2.0/24":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "private-or-clear#192.1.2.0/24":     xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "private-or-clear#192.1.2.0/24":   our auth:null, their auth:rsasig
000 "private-or-clear#192.1.2.0/24":   modecfg info: us:client, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:set;
000 "private-or-clear#192.1.2.0/24":   labeled_ipsec:no;
000 "private-or-clear#192.1.2.0/24":   policy_label:unset;
000 "private-or-clear#192.1.2.0/24":   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "private-or-clear#192.1.2.0/24":   retransmit-interval: 15000ms; retransmit-timeout: 60s;
000 "private-or-clear#192.1.2.0/24":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "private-or-clear#192.1.2.0/24":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS;
000 "private-or-clear#192.1.2.0/24":   conn_prio: 32,0; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "private-or-clear#192.1.2.0/24":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "private-or-clear#192.1.2.0/24":   our idtype: ID_NULL; our id=ID_NULL; their idtype: %fromcert; their id=%fromcert
000 "private-or-clear#192.1.2.0/24":   dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "private-or-clear#192.1.2.0/24":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "private-or-clear#192.1.2.0/24"[1]: 192.1.3.33[ID_NULL,+MC+CAT+S=C]---192.1.3.254...192.1.2.23[%fromcert]; unrouted HOLD; eroute owner: #0
000 "private-or-clear#192.1.2.0/24"[1]:     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "private-or-clear#192.1.2.0/24"[1]:     xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "private-or-clear#192.1.2.0/24"[1]:   our auth:null, their auth:rsasig
000 "private-or-clear#192.1.2.0/24"[1]:   modecfg info: us:client, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:set;
000 "private-or-clear#192.1.2.0/24"[1]:   labeled_ipsec:no;
000 "private-or-clear#192.1.2.0/24"[1]:   policy_label:unset;
000 "private-or-clear#192.1.2.0/24"[1]:   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "private-or-clear#192.1.2.0/24"[1]:   retransmit-interval: 15000ms; retransmit-timeout: 60s;
000 "private-or-clear#192.1.2.0/24"[1]:   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "private-or-clear#192.1.2.0/24"[1]:   policy: RSASIG+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS;
000 "private-or-clear#192.1.2.0/24"[1]:   conn_prio: 32,0; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "private-or-clear#192.1.2.0/24"[1]:   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "private-or-clear#192.1.2.0/24"[1]:   our idtype: ID_NULL; our id=ID_NULL; their idtype: %fromcert; their id=%fromcert
000 "private-or-clear#192.1.2.0/24"[1]:   dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "private-or-clear#192.1.2.0/24"[1]:   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "private-or-clear-all": 192.1.3.33[ID_NULL,+MC+CAT+S=C]---192.1.3.254...%opportunisticgroup[%fromcert]; unrouted; eroute owner: #0
000 "private-or-clear-all":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "private-or-clear-all":     xauth us:none, xauth
them:none, my_username=[any]; their_username=[any] 000 "private-or-clear-all": our auth:null, their auth:rsasig 000 "private-or-clear-all": modecfg info: us:client, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:set; 000 "private-or-clear-all": labeled_ipsec:no; 000 "private-or-clear-all": policy_label:unset; 000 "private-or-clear-all": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; 000 "private-or-clear-all": retransmit-interval: 15000ms; retransmit-timeout: 60s; 000 "private-or-clear-all": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no; 000 "private-or-clear-all": policy: RSASIG+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS; 000 "private-or-clear-all": conn_prio: 32,0; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none; 000 "private-or-clear-all": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto; 000 "private-or-clear-all": our idtype: ID_NULL; our id=ID_NULL; their idtype: %fromcert; their id=%fromcert 000 "private-or-clear-all": dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both 000 "private-or-clear-all": newest ISAKMP SA: #0; newest IPsec SA: #0; 000 000 Total IPsec connections: loaded 11, active 0 000 000 State Information: DDoS cookies not required, Accepting new IKE connections 000 IKE SAs: total(1), half-open(0), open(1), authenticated(0), anonymous(0) 000 IPsec SAs: total(0), authenticated(0), anonymous(0) 000 000 #3: "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23:4500 STATE_PARENT_I2 (sent v2I2, expected v2R2); EVENT_SA_REPLACE in 45s; idle; 000 #3: pending CHILD SA for "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 000 000 Bare Shunt list: 000 000 192.1.3.33/32:36404 -17-> 192.1.2.23/32:1025 => %hold 0 %acquire-netlink 
kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients\[root@north certoe-07-nat-2-clients]# : ==== tuc ==== kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients\[root@north certoe-07-nat-2-clients]# ../bin/check-for-core.sh kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients\[root@north certoe-07-nat-2-clients]# if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi type=AVC msg=audit(1566844133.486:265910): avc: denied { write } for pid=7504 comm="ip" path="/tmp/pluto.log" dev="dm-0" ino=295084539 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:container_file_t:s0:c718,c778 tclass=file permissive=1 type=AVC msg=audit(1566844133.996:266013): avc: denied { write } for pid=8463 comm="ip" path="/tmp/pluto.log" dev="dm-0" ino=63889669 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:container_file_t:s0:c718,c778 tclass=file permissive=1 type=AVC msg=audit(1566844371.178:281728): avc: denied { write } for pid=15826 comm="ip" path="/tmp/pluto.log" dev="dm-0" ino=64265215 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:container_file_t:s0:c718,c778 tclass=file permissive=1 kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients\[root@north certoe-07-nat-2-clients]# : ==== end ==== kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients\[root@north certoe-07-nat-2-clients]#