strongswan vs iked multiple subnet only the first CHILD_SA created


csszep
Hi!

When I configure multiple subnets (traffic selectors) between iked and
strongswan, and iked acts as initiator (active), iked creates only the first
CHILD_SA.

strongswan config:

conn openbsd
        keyexchange=ikev2
        auto=add
        left=10.2.50.130
        right=10.2.50.24
        authby=secret
        type=tunnel
        dpdaction=hold

conn openbsd-subnet-1
        also=openbsd
        leftsubnet=192.0.3.0/24
        rightsubnet=192.0.2.0/24

conn openbsd-subnet-2
        also=openbsd
        leftsubnet=192.0.5.0/24
        rightsubnet=192.0.4.0/24

iked config:

ikev2 strongswan active esp \
        from 192.0.2.0/24 to 192.0.3.0/24 \
        from 192.0.4.0/24 to 192.0.5.0/24 \
        local 10.2.50.24 peer 10.2.50.130 \
        srcid 10.2.50.24 dstid 10.2.50.130 \
        psk "you-should-not-use-psk-authentication!"



After starting iked:

ikectl show sa
iked_sas: 0xf77bf267f0 rspi 0x2d3cf6edea006a61 ispi 0x8571a56c49fa05ff
10.2.50.24:500->10.2.50.130:500<IPV4/10.2.50.130>[] ESTABLISHED i nexti 0x0
pol 0xf7719fe000
  sa_childsas: 0xf757c49e00 ESP 0xcd93a0cd out 10.2.50.24:500 ->
10.2.50.130:500 (L) B=0x0 P=0xf757c49000 @0xf77bf267f0
  sa_childsas: 0xf757c49000 ESP 0xa48da310 in 10.2.50.130:500 ->
10.2.50.24:500 (LA) B=0x0 P=0xf757c49e00 @0xf77bf267f0
  sa_flows: 0xf7998fcc00 ESP out 192.0.2.0/24 -> 192.0.3.0/24 [0]@-1 (L)
@0xf77bf267f0
  sa_flows: 0xf721e58800 ESP in 192.0.3.0/24 -> 192.0.2.0/24 [0]@-1 (L)
@0xf77bf267f0
  sa_flows: 0xf752c7ac00 ESP out 192.0.4.0/24 -> 192.0.5.0/24 [0]@-1 (L)
@0xf77bf267f0
  sa_flows: 0xf721e58400 ESP in 192.0.5.0/24 -> 192.0.4.0/24 [0]@-1 (L)
@0xf77bf267f0
iked_activesas: 0xf757c49000 ESP 0xa48da310 in 10.2.50.130:500 ->
10.2.50.24:500 (LA) B=0x0 P=0xf757c49e00 @0xf77bf267f0
iked_activesas: 0xf757c49e00 ESP 0xcd93a0cd out 10.2.50.24:500 ->
10.2.50.130:500 (L) B=0x0 P=0xf757c49000 @0xf77bf267f0
iked_flows: 0xf721e58800 ESP in 192.0.3.0/24 -> 192.0.2.0/24 [0]@-1 (L)
@0xf77bf267f0
iked_flows: 0xf721e58400 ESP in 192.0.5.0/24 -> 192.0.4.0/24 [0]@-1 (L)
@0xf77bf267f0
iked_flows: 0xf7998fcc00 ESP out 192.0.2.0/24 -> 192.0.3.0/24 [0]@-1 (L)
@0xf77bf267f0
iked_flows: 0xf752c7ac00 ESP out 192.0.4.0/24 -> 192.0.5.0/24 [0]@-1 (L)
@0xf77bf267f0

ipsecctl -sa
FLOWS:
flow esp in from 192.0.3.0/24 to 192.0.2.0/24 peer 10.2.50.130 srcid IPV4/
10.2.50.24 dstid IPV4/10.2.50.130 type require
flow esp in from 192.0.5.0/24 to 192.0.4.0/24 peer 10.2.50.130 srcid IPV4/
10.2.50.24 dstid IPV4/10.2.50.130 type require
flow esp out from 192.0.2.0/24 to 192.0.3.0/24 peer 10.2.50.130 srcid IPV4/
10.2.50.24 dstid IPV4/10.2.50.130 type require
flow esp out from 192.0.4.0/24 to 192.0.5.0/24 peer 10.2.50.130 srcid IPV4/
10.2.50.24 dstid IPV4/10.2.50.130 type require

SAD:
esp tunnel from 10.2.50.130 to 10.2.50.24 spi 0xa48da310 auth hmac-sha2-256
enc aes
esp tunnel from 10.2.50.24 to 10.2.50.130 spi 0xcd93a0cd auth hmac-sha2-256
enc aes

Connections:
     openbsd:  10.2.50.130...10.2.50.24  IKEv2, dpddelay=30s
     openbsd:   local:  [10.2.50.130] uses pre-shared key authentication
     openbsd:   remote: [10.2.50.24] uses pre-shared key authentication
     openbsd:   child:  dynamic === dynamic TUNNEL, dpdaction=hold
openbsd-subnet-1:   child:  192.0.3.0/24 === 192.0.2.0/24 TUNNEL,
dpdaction=hold
openbsd-subnet-2:   child:  192.0.5.0/24 === 192.0.4.0/24 TUNNEL,
dpdaction=hold
Security Associations (1 up, 0 connecting):
     openbsd[2]: ESTABLISHED 42 seconds ago,
10.2.50.130[10.2.50.130]...10.2.50.24[10.2.50.24]
     openbsd[2]: IKEv2 SPIs: 8571a56c49fa05ff_i 2d3cf6edea006a61_r*,
pre-shared key reauthentication in 2 hours
     openbsd[2]: IKE proposal:
AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
openbsd-subnet-1{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cd93a0cd_i
a48da310_o
openbsd-subnet-1{1}:  AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o,
rekeying in 44 minutes
openbsd-subnet-1{1}:   192.0.3.0/24 === 192.0.2.0/24


Log:

iked -dvv
create_ike: using unknown for peer 10.2.50.130
ikev2 "strongswan" active tunnel esp inet from 192.0.2.0/24 to 192.0.3.0/24
from 192.0.4.0/24 to 192.0.5.0/24 local 10.2.50.24 peer 10.2.50.130 ikesa
enc aes-128-gcm,aes-256-gcm prf
hmac-sha2-512,hmac-sha2-384,hmac-sha2-256,hmac-sha1 group
curve25519,ecp521,ecp384,ecp256,modp4096,modp3072,modp2048,modp1536,modp1024
ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth
hmac-sha2-256,hmac-sha1 group
curve25519,ecp521,ecp384,ecp256,modp4096,modp3072,modp2048,modp1536,modp1024
childsa enc aes-128-gcm,aes-256-gcm esn,noesn childsa enc
aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 esn,noesn srcid
10.2.50.24 dstid 10.2.50.130 lifetime 10800 bytes 536870912 psk
0x796f752d73686f756c642d6e6f742d7573652d70736b2d61757468656e7469636174696f6e21
/etc/iked.conf: loaded 1 configuration rules
ca_privkey_serialize: type RSA_KEY length 1191
ca_pubkey_serialize: type RSA_KEY length 270
config_getpolicy: received policy
ca_privkey_to_method: type RSA_KEY method RSA_SIG
ca_getkey: received private key type RSA_KEY length 1191
ca_getkey: received public key type RSA_KEY length 270
ca_dispatch_parent: config reset
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
config_getmobike: mobike
config_getfragmentation: no fragmentation
config_getnattport: nattport 4500
ca_reload: local cert type RSA_KEY
config_getocsp: ocsp_url none
ikev2_dispatch_cert: updated local CERTREQ type RSA_KEY length 0
ikev2_init_ike_sa: initiating "strongswan"
ikev2_policy2id: srcid IPV4/10.2.50.24 length 8
ikev2_add_proposals: length 292
ikev2_next_payload: length 296 nextpayload KE
ikev2_next_payload: length 40 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0xe50ba39bb72a1b5b 0x0000000000000000
10.2.50.24:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0xe50ba39bb72a1b5b
0x0000000000000000 10.2.50.130:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_next_payload: length 14 nextpayload NONE
ikev2_pld_parse: header ispi 0xe50ba39bb72a1b5b rspi 0x0000000000000000
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length
470 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 296
ikev2_pld_sa: more 2 reserved 0 length 136 proposal #1 protoid IKE spisize
0 xforms 15 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id CURVE25519
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_4096
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_3072
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_1536
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_sa: more 0 reserved 0 length 156 proposal #2 protoid IKE spisize
0 xforms 17 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id CURVE25519
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_4096
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_3072
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_1536
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 40
ikev2_pld_ke: dh group CURVE25519 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length
28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length
28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
spi=0xe50ba39bb72a1b5b: send IKE_SA_INIT req 0 peer 10.2.50.130:500 local
10.2.50.24:500, 470 bytes
spi=0xe50ba39bb72a1b5b: sa_state: INIT -> SA_INIT
spi=0xe50ba39bb72a1b5b: recv IKE_SA_INIT res 0 peer 10.2.50.130:500 local
10.2.50.24:500, 38 bytes, policy 'strongswan'
ikev2_recv: ispi 0xe50ba39bb72a1b5b rspi 0x0000000000000000
ikev2_recv: updated SA to peer 10.2.50.130:500 local 10.2.50.24:500
ikev2_policy2id: srcid IPV4/10.2.50.24 length 8
ikev2_pld_parse: header ispi 0xe50ba39bb72a1b5b rspi 0x0000000000000000
nextpayload NOTIFY version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0
length 38 response 1
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 10
ikev2_pld_notify: protoid NONE spisize 0 type INVALID_KE_PAYLOAD
ikev2_handle_notifies: responder selected DH group 19
spi=0xe50ba39bb72a1b5b: sa_state: SA_INIT -> CLOSED from 10.2.50.130:500 to
10.2.50.24:500 policy 'strongswan'
ikev2_recv: closing SA
spi=0xe50ba39bb72a1b5b: sa_free: reinitiating with new DH group
ikev2_init_ike_sa: initiating "strongswan"
ikev2_policy2id: srcid IPV4/10.2.50.24 length 8
ikev2_add_proposals: length 292
ikev2_next_payload: length 296 nextpayload KE
ikev2_next_payload: length 72 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0x8571a56c49fa05ff 0x0000000000000000
10.2.50.24:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0x8571a56c49fa05ff
0x0000000000000000 10.2.50.130:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_next_payload: length 14 nextpayload NONE
ikev2_pld_parse: header ispi 0x8571a56c49fa05ff rspi 0x0000000000000000
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length
502 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 296
ikev2_pld_sa: more 2 reserved 0 length 136 proposal #1 protoid IKE spisize
0 xforms 15 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id CURVE25519
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_4096
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_3072
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_1536
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_sa: more 0 reserved 0 length 156 proposal #2 protoid IKE spisize
0 xforms 17 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id CURVE25519
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_4096
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_3072
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_1536
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 72
ikev2_pld_ke: dh group ECP_256 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length
28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length
28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
spi=0x8571a56c49fa05ff: send IKE_SA_INIT req 0 peer 10.2.50.130:500 local
10.2.50.24:500, 502 bytes
spi=0x8571a56c49fa05ff: sa_state: INIT -> SA_INIT
spi=0x8571a56c49fa05ff: recv IKE_SA_INIT res 0 peer 10.2.50.130:500 local
10.2.50.24:500, 262 bytes, policy 'strongswan'
ikev2_recv: ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
ikev2_recv: updated SA to peer 10.2.50.130:500 local 10.2.50.24:500
ikev2_policy2id: srcid IPV4/10.2.50.24 length 8
ikev2_pld_parse: header ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length
262 response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #2 protoid IKE spisize 0
xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id ECP_256
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 72
ikev2_pld_ke: dh group ECP_256 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length
28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0x8571a56c49fa05ff 0x2d3cf6edea006a61
10.2.50.130:500
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length
28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0x8571a56c49fa05ff 0x2d3cf6edea006a61
10.2.50.24:500
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length
14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
ikev2_pld_notify: signature hash SHA2_256 (2)
ikev2_pld_notify: signature hash SHA2_384 (3)
ikev2_pld_notify: signature hash SHA2_512 (4)
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type MULTIPLE_AUTH_SUPPORTED
proposals_negotiate: score 0
proposals_negotiate: score 16
sa_stateok: SA_INIT flags 0x0000, require 0x0008 auth
spi=0x8571a56c49fa05ff: ikev2_sa_keys: DHSECRET with 32 bytes
ikev2_sa_keys: SKEYSEED with 32 bytes
spi=0x8571a56c49fa05ff: ikev2_sa_keys: S with 80 bytes
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: T5 with 32 bytes
ikev2_prfplus: T6 with 32 bytes
ikev2_prfplus: Tn with 192 bytes
ikev2_sa_keys: SK_d with 32 bytes
ikev2_sa_keys: SK_ai with 32 bytes
ikev2_sa_keys: SK_ar with 32 bytes
ikev2_sa_keys: SK_ei with 16 bytes
ikev2_sa_keys: SK_er with 16 bytes
ikev2_sa_keys: SK_pi with 32 bytes
ikev2_sa_keys: SK_pr with 32 bytes
ikev2_msg_auth: initiator auth data length 566
sa_stateok: SA_INIT flags 0x0008, require 0x0008 auth
ikev2_next_payload: length 12 nextpayload AUTH
ikev2_next_payload: length 40 nextpayload SA
pfkey_sa_getspi: spi 0xa48da310
pfkey_sa_init: new spi 0xa48da310
ikev2_add_proposals: length 132
ikev2_next_payload: length 136 nextpayload TSi
ikev2_next_payload: length 40 nextpayload TSr
ikev2_next_payload: length 40 nextpayload NONE
ikev2_next_payload: length 308 nextpayload IDi
ikev2_msg_encrypt: decrypted length 268
ikev2_msg_encrypt: padded length 272
ikev2_msg_encrypt: length 269, padding 3, output length 304
ikev2_msg_integr: message length 336
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 336
response 0
ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 308
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 272
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 272/272 padding 3
ikev2_pld_payloads: decrypted payload IDi nextpayload AUTH critical 0x00
length 12
ikev2_pld_id: id IPV4/10.2.50.24 length 8
ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00
length 40
ikev2_pld_auth: method SHARED_KEY_MIC length 32
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00
length 136
ikev2_pld_sa: more 2 reserved 0 length 52 proposal #1 protoid ESP spisize 4
xforms 4 spi 0xa48da310
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type ESN id ESN
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_sa: more 0 reserved 0 length 80 proposal #2 protoid ESP spisize 4
xforms 7 spi 0xa48da310
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type ESN id ESN
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00
length 40
ikev2_pld_ts: count 2 length 32
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
65535
ikev2_pld_ts: start 192.0.2.0 end 192.0.2.255
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
65535
ikev2_pld_ts: start 192.0.4.0 end 192.0.4.255
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00
length 40
ikev2_pld_ts: count 2 length 32
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
65535
ikev2_pld_ts: start 192.0.3.0 end 192.0.3.255
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
65535
ikev2_pld_ts: start 192.0.5.0 end 192.0.5.255
spi=0x8571a56c49fa05ff: send IKE_AUTH req 1 peer 10.2.50.130:500 local
10.2.50.24:500, 336 bytes
config_free_proposals: free 0xf757c4a200
spi=0x8571a56c49fa05ff: recv IKE_AUTH res 1 peer 10.2.50.130:500 local
10.2.50.24:500, 224 bytes, policy 'strongswan'
ikev2_recv: ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
ikev2_recv: updated SA to peer 10.2.50.130:500 local 10.2.50.24:500
ikev2_pld_parse: header ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
nextpayload SK version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length 224
response 1
ikev2_pld_payloads: payload SK nextpayload IDr critical 0x00 length 196
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 160
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 160/160 padding 3
ikev2_pld_payloads: decrypted payload IDr nextpayload AUTH critical 0x00
length 12
ikev2_pld_id: id IPV4/10.2.50.130 length 8
ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00
length 40
ikev2_pld_auth: method SHARED_KEY_MIC length 32
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00
length 44
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #2 protoid ESP spisize 4
xforms 3 spi 0xcd93a0cd
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00
length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
65535
ikev2_pld_ts: start 192.0.2.0 end 192.0.2.255
ikev2_pld_payloads: decrypted payload TSr nextpayload NOTIFY critical 0x00
length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
65535
ikev2_pld_ts: start 192.0.3.0 end 192.0.3.255
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NONE critical 0x00
length 12
ikev2_pld_notify: protoid NONE spisize 0 type AUTH_LIFETIME
spi=0x8571a56c49fa05ff: sa_state: SA_INIT -> AUTH_REQUEST
proposals_negotiate: score 0
proposals_negotiate: score 10
sa_stateflags: 0x0008 -> 0x0028 auth,sa (required 0x0030 authvalid,sa)
ikev2_msg_auth: responder auth data length 326
ikev2_msg_authverify: method SHARED_KEY_MIC keylen 32 type NONE
ikev2_msg_authverify: authentication successful
spi=0x8571a56c49fa05ff: sa_state: AUTH_REQUEST -> AUTH_SUCCESS
sa_stateflags: 0x0028 -> 0x0038 auth,authvalid,sa (required 0x0030
authvalid,sa)
sa_stateok: VALID flags 0x0030, require 0x0030 authvalid,sa
spi=0x8571a56c49fa05ff: sa_state: AUTH_SUCCESS -> VALID
sa_stateok: VALID flags 0x0030, require 0x0030 authvalid,sa
sa_stateok: VALID flags 0x0030, require 0x0030 authvalid,sa
ikev2_sa_tag:  (0)
ikev2_childsa_negotiate: proposal 2
ikev2_childsa_negotiate: key material length 96
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: Tn with 96 bytes
pfkey_sa_add: add spi 0xcd93a0cd
ikev2_childsa_enable: loaded CHILD SA spi 0xcd93a0cd
pfkey_sa_add: update spi 0xa48da310
ikev2_childsa_enable: loaded CHILD SA spi 0xa48da310
ikev2_childsa_enable: loaded flow 0xf7998fcc00
ikev2_childsa_enable: loaded flow 0xf721e58800
ikev2_childsa_enable: loaded flow 0xf752c7ac00
ikev2_childsa_enable: loaded flow 0xf721e58400
ikev2_childsa_enable: remember SA peer 10.2.50.130:500
spi=0x8571a56c49fa05ff: ikev2_childsa_enable: loaded SPIs: 0xcd93a0cd,
0xa48da310
spi=0x8571a56c49fa05ff: ikev2_childsa_enable: loaded flows:
ESP-192.0.2.0/24=192.0.3.0/24(0), ESP-192.0.4.0/24=192.0.5.0/24(0)
spi=0x8571a56c49fa05ff: sa_state: VALID -> ESTABLISHED from 10.2.50.130:500
to 10.2.50.24:500 policy 'strongswan'
spi=0x8571a56c49fa05ff: established peer 10.2.50.130:500[IPV4/10.2.50.130]
local 10.2.50.24:500[IPV4/10.2.50.24] policy 'strongswan' as initiator
config_free_proposals: free 0xf757c4ab00

2020-07-31T09:26:18+02:00 ipsecgw1 charon: 13[NET] received packet: from
10.2.50.24[500] to 10.2.50.130[500] (470 bytes)
2020-07-31T09:26:18+02:00 ipsecgw1 charon: 13[ENC] parsed IKE_SA_INIT
request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
2020-07-31T09:26:18+02:00 ipsecgw1 charon: 13[IKE] 10.2.50.24 is initiating
an IKE_SA
2020-07-31T09:26:18+02:00 ipsecgw1 charon: 13[IKE] 10.2.50.24 is initiating
an IKE_SA
2020-07-31T09:26:18+02:00 ipsecgw1 charon: 13[CFG] selected proposal:
IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
2020-07-31T09:26:18+02:00 ipsecgw1 charon: 13[IKE] DH group CURVE_25519
unacceptable, requesting ECP_256
2020-07-31T09:26:18+02:00 ipsecgw1 charon: 13[ENC] generating IKE_SA_INIT
response 0 [ N(INVAL_KE) ]
2020-07-31T09:26:18+02:00 ipsecgw1 charon: 13[NET] sending packet: from
10.2.50.130[500] to 10.2.50.24[500] (38 bytes)
2020-07-31T09:26:20+02:00 ipsecgw1 charon: 14[NET] received packet: from
10.2.50.24[500] to 10.2.50.130[500] (502 bytes)
2020-07-31T09:26:20+02:00 ipsecgw1 charon: 14[ENC] parsed IKE_SA_INIT
request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
2020-07-31T09:26:20+02:00 ipsecgw1 charon: 14[IKE] 10.2.50.24 is initiating
an IKE_SA
2020-07-31T09:26:20+02:00 ipsecgw1 charon: 14[IKE] 10.2.50.24 is initiating
an IKE_SA
2020-07-31T09:26:20+02:00 ipsecgw1 charon: 14[CFG] selected proposal:
IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
2020-07-31T09:26:20+02:00 ipsecgw1 charon: 14[ENC] generating IKE_SA_INIT
response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
2020-07-31T09:26:20+02:00 ipsecgw1 charon: 14[NET] sending packet: from
10.2.50.130[500] to 10.2.50.24[500] (262 bytes)
2020-07-31T09:26:20+02:00 ipsecgw1 charon: 15[NET] received packet: from
10.2.50.24[500] to 10.2.50.130[500] (336 bytes)
2020-07-31T09:26:20+02:00 ipsecgw1 charon: 15[ENC] parsed IKE_AUTH request
1 [ IDi AUTH SA TSi TSr ]
2020-07-31T09:26:20+02:00 ipsecgw1 charon: 15[CFG] looking for peer configs
matching 10.2.50.130[%any]...10.2.50.24[10.2.50.24]
2020-07-31T09:26:20+02:00 ipsecgw1 charon: 15[CFG] selected peer config
'openbsd'
2020-07-31T09:26:20+02:00 ipsecgw1 charon: 15[IKE] authentication of
'10.2.50.24' with pre-shared key successful
2020-07-31T09:26:20+02:00 ipsecgw1 charon: 15[IKE] authentication of
'10.2.50.130' (myself) with pre-shared key
2020-07-31T09:26:20+02:00 ipsecgw1 charon: 15[IKE] IKE_SA openbsd[2]
established between 10.2.50.130[10.2.50.130]...10.2.50.24[10.2.50.24]
2020-07-31T09:26:20+02:00 ipsecgw1 charon: 15[IKE] IKE_SA openbsd[2]
established between 10.2.50.130[10.2.50.130]...10.2.50.24[10.2.50.24]
2020-07-31T09:26:20+02:00 ipsecgw1 charon: 15[IKE] scheduling
reauthentication in 10045s
2020-07-31T09:26:20+02:00 ipsecgw1 charon: 15[IKE] maximum IKE_SA lifetime
10585s
2020-07-31T09:26:20+02:00 ipsecgw1 charon: 15[CFG] selected proposal:
ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
2020-07-31T09:26:20+02:00 ipsecgw1 charon: 15[IKE] CHILD_SA
openbsd-subnet-1{1} established with SPIs cd93a0cd_i a48da310_o and TS
192.0.3.0/24 === 192.0.2.0/24
2020-07-31T09:26:20+02:00 ipsecgw1 charon: 15[IKE] CHILD_SA
openbsd-subnet-1{1} established with SPIs cd93a0cd_i a48da310_o and TS
192.0.3.0/24 === 192.0.2.0/24
2020-07-31T09:26:20+02:00 ipsecgw1 charon: 15[ENC] generating IKE_AUTH
response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]


If I initiate the second CHILD_SA by hand from strongswan, it works:


ipsec up openbsd-subnet-2

establishing CHILD_SA openbsd-subnet-2{2}
generating CREATE_CHILD_SA request 16 [ SA No TSi TSr ]
sending packet: from 10.2.50.130[500] to 10.2.50.24[500] (256 bytes)
received packet: from 10.2.50.24[500] to 10.2.50.130[500] (240 bytes)
parsed CREATE_CHILD_SA response 16 [ SA No TSi TSr ]
selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
CHILD_SA openbsd-subnet-2{2} established with SPIs c9be082b_i efe9920e_o
and TS 192.0.5.0/24 === 192.0.4.0/24
connection 'openbsd-subnet-2' established successfully

ikectl show sa
iked_sas: 0xf77bf267f0 rspi 0x2d3cf6edea006a61 ispi 0x8571a56c49fa05ff
10.2.50.24:500->10.2.50.130:500<IPV4/10.2.50.130>[] ESTABLISHED i nexti 0x0
pol 0xf7719fe000
  sa_childsas: 0xf757c49e00 ESP 0xcd93a0cd out 10.2.50.24:500 ->
10.2.50.130:500 (L) B=0x0 P=0xf757c49000 @0xf77bf267f0
  sa_childsas: 0xf757c49000 ESP 0xa48da310 in 10.2.50.130:500 ->
10.2.50.24:500 (LA) B=0x0 P=0xf757c49e00 @0xf77bf267f0
  sa_childsas: 0xf7a68f2000 ESP 0xefe9920e in 10.2.50.130:500 ->
10.2.50.24:500 (LA) B=0x0 P=0xf757c49800 @0xf77bf267f0
  sa_childsas: 0xf757c49800 ESP 0xc9be082b out 10.2.50.24:500 ->
10.2.50.130:500 (L) B=0x0 P=0xf7a68f2000 @0xf77bf267f0
  sa_flows: 0xf7998fcc00 ESP out 192.0.2.0/24 -> 192.0.3.0/24 [0]@-1 (L)
@0xf77bf267f0
  sa_flows: 0xf721e58800 ESP in 192.0.3.0/24 -> 192.0.2.0/24 [0]@-1 (L)
@0xf77bf267f0
  sa_flows: 0xf752c7ac00 ESP out 192.0.4.0/24 -> 192.0.5.0/24 [0]@-1 (L)
@0xf77bf267f0
  sa_flows: 0xf721e58400 ESP in 192.0.5.0/24 -> 192.0.4.0/24 [0]@-1 (L)
@0xf77bf267f0
iked_activesas: 0xf757c49000 ESP 0xa48da310 in 10.2.50.130:500 ->
10.2.50.24:500 (LA) B=0x0 P=0xf757c49e00 @0xf77bf267f0
iked_activesas: 0xf757c49800 ESP 0xc9be082b out 10.2.50.24:500 ->
10.2.50.130:500 (L) B=0x0 P=0xf7a68f2000 @0xf77bf267f0
iked_activesas: 0xf757c49e00 ESP 0xcd93a0cd out 10.2.50.24:500 ->
10.2.50.130:500 (L) B=0x0 P=0xf757c49000 @0xf77bf267f0
iked_activesas: 0xf7a68f2000 ESP 0xefe9920e in 10.2.50.130:500 ->
10.2.50.24:500 (LA) B=0x0 P=0xf757c49800 @0xf77bf267f0
iked_flows: 0xf721e58800 ESP in 192.0.3.0/24 -> 192.0.2.0/24 [0]@-1 (L)
@0xf77bf267f0
iked_flows: 0xf721e58400 ESP in 192.0.5.0/24 -> 192.0.4.0/24 [0]@-1 (L)
@0xf77bf267f0
iked_flows: 0xf7998fcc00 ESP out 192.0.2.0/24 -> 192.0.3.0/24 [0]@-1 (L)
@0xf77bf267f0
iked_flows: 0xf752c7ac00 ESP out 192.0.4.0/24 -> 192.0.5.0/24 [0]@-1 (L)
@0xf77bf267f0

ipsecctl -sa
FLOWS:
flow esp in from 192.0.3.0/24 to 192.0.2.0/24 peer 10.2.50.130 srcid IPV4/
10.2.50.24 dstid IPV4/10.2.50.130 type require
flow esp in from 192.0.5.0/24 to 192.0.4.0/24 peer 10.2.50.130 srcid IPV4/
10.2.50.24 dstid IPV4/10.2.50.130 type require
flow esp out from 192.0.2.0/24 to 192.0.3.0/24 peer 10.2.50.130 srcid IPV4/
10.2.50.24 dstid IPV4/10.2.50.130 type require
flow esp out from 192.0.4.0/24 to 192.0.5.0/24 peer 10.2.50.130 srcid IPV4/
10.2.50.24 dstid IPV4/10.2.50.130 type require

SAD:
esp tunnel from 10.2.50.130 to 10.2.50.24 spi 0xa48da310 auth hmac-sha2-256
enc aes
esp tunnel from 10.2.50.24 to 10.2.50.130 spi 0xc9be082b auth hmac-sha2-256
enc aes-256
esp tunnel from 10.2.50.24 to 10.2.50.130 spi 0xcd93a0cd auth hmac-sha2-256
enc aes
esp tunnel from 10.2.50.130 to 10.2.50.24 spi 0xefe9920e auth hmac-sha2-256
enc aes-256


log:

spi=0x8571a56c49fa05ff: recv CREATE_CHILD_SA req 16 peer 10.2.50.130:500
local 10.2.50.24:500, 256 bytes, policy 'strongswan'
ikev2_recv: ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
ikev2_recv: updated SA to peer 10.2.50.130:500 local 10.2.50.24:500
ikev2_pld_parse: header ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
nextpayload SK version 0x20 exchange CREATE_CHILD_SA flags 0x00 msgid 16
length 256 response 0
ikev2_pld_payloads: payload SK nextpayload SA critical 0x00 length 228
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 192
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 192/192 padding 7
ikev2_pld_payloads: decrypted payload SA nextpayload NONCE critical 0x00
length 100
ikev2_pld_sa: more 0 reserved 0 length 96 proposal #1 protoid ESP spisize 4
xforms 9 spi 0xc9be082b
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_384_192
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_512_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id AES_XCBC_96
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload NONCE nextpayload TSi critical 0x00
length 36
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00
length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
65535
ikev2_pld_ts: start 192.0.5.0 end 192.0.5.255
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00
length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
65535
ikev2_pld_ts: start 192.0.4.0 end 192.0.4.255
ikev2_resp_create_child_sa: creating new ESP SA
proposals_negotiate: score 0
proposals_negotiate: score 4
sa_stateok: VALID flags 0x0030, require 0x0030 authvalid,sa
ikev2_sa_tag:  (0)
ikev2_childsa_negotiate: proposal 1
ikev2_childsa_negotiate: key material length 128
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: Tn with 128 bytes
pfkey_sa_getspi: spi 0xefe9920e
pfkey_sa_init: new spi 0xefe9920e
ikev2_add_proposals: length 40
ikev2_next_payload: length 44 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload TSi
ikev2_next_payload: length 40 nextpayload TSr
ikev2_next_payload: length 40 nextpayload NONE
ikev2_next_payload: length 212 nextpayload SA
ikev2_msg_encrypt: decrypted length 160
ikev2_msg_encrypt: padded length 176
ikev2_msg_encrypt: length 161, padding 15, output length 208
ikev2_msg_integr: message length 240
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
nextpayload SK version 0x20 exchange CREATE_CHILD_SA flags 0x28 msgid 16
length 240 response 1
ikev2_pld_payloads: payload SK nextpayload SA critical 0x00 length 212
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 176
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 176/176 padding 15
ikev2_pld_payloads: decrypted payload SA nextpayload NONCE critical 0x00
length 44
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid ESP spisize 4
xforms 3 spi 0xefe9920e
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload NONCE nextpayload TSi critical 0x00
length 36
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00
length 40
ikev2_pld_ts: count 2 length 32
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
65535
ikev2_pld_ts: start 192.0.3.0 end 192.0.3.255
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
65535
ikev2_pld_ts: start 192.0.5.0 end 192.0.5.255
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00
length 40
ikev2_pld_ts: count 2 length 32
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
65535
ikev2_pld_ts: start 192.0.2.0 end 192.0.2.255
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
65535
ikev2_pld_ts: start 192.0.4.0 end 192.0.4.255
spi=0x8571a56c49fa05ff: send CREATE_CHILD_SA res 16 peer 10.2.50.130:500
local 10.2.50.24:500, 240 bytes
pfkey_sa_add: update spi 0xefe9920e
ikev2_childsa_enable: loaded CHILD SA spi 0xefe9920e
pfkey_sa_add: add spi 0xc9be082b
ikev2_childsa_enable: loaded CHILD SA spi 0xc9be082b
ikev2_childsa_enable: flow already loaded 0xf7998fcc00
ikev2_childsa_enable: flow already loaded 0xf721e58800
ikev2_childsa_enable: flow already loaded 0xf752c7ac00
ikev2_childsa_enable: flow already loaded 0xf721e58400
spi=0x8571a56c49fa05ff: ikev2_childsa_enable: loaded SPIs: 0xefe9920e,
0xc9be082b
config_free_proposals: free 0xf72ed4f000
config_free_proposals: free 0xf72ed4fa00
spi=0x8571a56c49fa05ff: recv INFORMATIONAL req 17 peer 10.2.50.130:500
local 10.2.50.24:500, 80 bytes, policy 'strongswan'
ikev2_recv: ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
ikev2_recv: updated SA to peer 10.2.50.130:500 local 10.2.50.24:500
ikev2_pld_parse: header ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x00 msgid 17
length 80 response 0
ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 16
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 16/16 padding 15
ikev2_next_payload: length 52 nextpayload NONE
ikev2_msg_encrypt: decrypted length 0
ikev2_msg_encrypt: padded length 16
ikev2_msg_encrypt: length 1, padding 15, output length 48
ikev2_msg_integr: message length 80
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x28 msgid 17
length 80 response 1
ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 16
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 16/16 padding 15
spi=0x8571a56c49fa05ff: send INFORMATIONAL res 17 peer 10.2.50.130:500
local 10.2.50.24:500, 80 bytes
ikev2_init_ike_sa: "strongswan" is already active
spi=0x8571a56c49fa05ff: recv INFORMATIONAL req 18 peer 10.2.50.130:500
local 10.2.50.24:500, 80 bytes, policy 'strongswan'
ikev2_recv: ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
ikev2_recv: updated SA to peer 10.2.50.130:500 local 10.2.50.24:500
ikev2_pld_parse: header ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x00 msgid 18
length 80 response 0
ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 16
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 16/16 padding 15
ikev2_next_payload: length 52 nextpayload NONE
ikev2_msg_encrypt: decrypted length 0
ikev2_msg_encrypt: padded length 16
ikev2_msg_encrypt: length 1, padding 15, output length 48
ikev2_msg_integr: message length 80
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x28 msgid 18
length 80 response 1
ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 16
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 16/16 padding 15
spi=0x8571a56c49fa05ff: send INFORMATIONAL res 18 peer 10.2.50.130:500
local 10.2.50.24:500, 80 bytes
spi=0x8571a56c49fa05ff: recv INFORMATIONAL req 19 peer 10.2.50.130:500
local 10.2.50.24:500, 80 bytes, policy 'strongswan'
ikev2_recv: ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
ikev2_recv: updated SA to peer 10.2.50.130:500 local 10.2.50.24:500
ikev2_pld_parse: header ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x00 msgid 19
length 80 response 0
ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 16
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 16/16 padding 15
ikev2_next_payload: length 52 nextpayload NONE
ikev2_msg_encrypt: decrypted length 0
ikev2_msg_encrypt: padded length 16
ikev2_msg_encrypt: length 1, padding 15, output length 48
ikev2_msg_integr: message length 80
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x28 msgid 19
length 80 response 1
ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 16
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 16/16 padding 15
spi=0x8571a56c49fa05ff: send INFORMATIONAL res 19 peer 10.2.50.130:500
local 10.2.50.24:500, 80 bytes
ikev2_init_ike_sa: "strongswan" is already active
spi=0x8571a56c49fa05ff: recv INFORMATIONAL req 20 peer 10.2.50.130:500
local 10.2.50.24:500, 80 bytes, policy 'strongswan'
ikev2_recv: ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
ikev2_recv: updated SA to peer 10.2.50.130:500 local 10.2.50.24:500
ikev2_pld_parse: header ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x00 msgid 20
length 80 response 0
ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 16
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 16/16 padding 15
ikev2_next_payload: length 52 nextpayload NONE
ikev2_msg_encrypt: decrypted length 0
ikev2_msg_encrypt: padded length 16
ikev2_msg_encrypt: length 1, padding 15, output length 48
ikev2_msg_integr: message length 80
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x28 msgid 20
length 80 response 1
ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 16
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 16/16 padding 15
spi=0x8571a56c49fa05ff: send INFORMATIONAL res 20 peer 10.2.50.130:500
local 10.2.50.24:500, 80 bytes
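What the two captures above show, put into a runnable model (an example added for this page, not code from the thread, from iked or from strongSwan): iked as initiator packs both from/to pairs of its policy into one TSi/TSr payload (the "count 2" in the IKE_AUTH log), the peer answers with a single selector pair, and the other pair is left as a kernel flow with no CHILD_SA until a CREATE_CHILD_SA for it arrives from the peer, as in the second capture. The encoder/parser follows the IPv4 range selector format of RFC 7296 section 3.13. narrow_first_conn models a responder that installs one selector pair per CHILD_SA; that is an assumption used to reproduce the posted status output, not strongSwan's actual selection code, and all function names are mine. Python is used because the point is the protocol message, not either daemon's internals.

```python
"""IKEv2 traffic-selector (TS) payload round trip plus a coverage check.

Added example for this thread, not code from iked or strongSwan.
Wire format: RFC 7296 section 3.13. Subnets are the ones in the post.
"""
import ipaddress
import struct
from typing import List, Tuple

TS_IPV4_ADDR_RANGE = 7          # TS type, RFC 7296 section 3.13.1
TS_V4_LEN = 16                  # fixed size of one IPv4 range selector

Range = Tuple[str, str, int, int]   # (start, end, startport, endport)


def encode_ts_payload(networks: List[str]) -> bytes:
    """Encode a TSi or TSr payload body (generic payload header omitted):
    count(1) reserved(3), then per selector
    type(1) protoid(1) length(2) startport(2) endport(2) start(4) end(4)."""
    body = struct.pack("!B3x", len(networks))
    for n in networks:
        net = ipaddress.ip_network(n, strict=True)
        if net.version != 4:
            raise ValueError("example handles IPv4 selectors only")
        body += struct.pack("!BBHHH4s4s", TS_IPV4_ADDR_RANGE, 0, TS_V4_LEN,
                            0, 65535,
                            net.network_address.packed,
                            net.broadcast_address.packed)
    return body


def parse_ts_payload(body: bytes) -> List[Range]:
    """Parse a body produced above. Every length field is checked, so a
    truncated or padded selector raises instead of being misread."""
    if len(body) < 4:
        raise ValueError("short TS payload")
    count = body[0]
    off, sels = 4, []
    for _ in range(count):
        if off + 8 > len(body):
            raise ValueError("truncated selector header")
        ts_type, _proto, length, sport, eport = struct.unpack_from("!BBHHH", body, off)
        if ts_type != TS_IPV4_ADDR_RANGE or length != TS_V4_LEN:
            raise ValueError("unsupported selector type %d / length %d" % (ts_type, length))
        if off + length > len(body):
            raise ValueError("truncated selector")
        start = ipaddress.ip_address(body[off + 8:off + 12])
        end = ipaddress.ip_address(body[off + 12:off + 16])
        sels.append((str(start), str(end), sport, eport))
        off += length
    if off != len(body):
        raise ValueError("trailing bytes after %d selectors" % count)
    return sels


def _covered(net: str, sels: List[Range]) -> bool:
    """True if the whole subnet lies inside one of the selector ranges."""
    n = ipaddress.ip_network(net)
    return any(ipaddress.ip_address(s) <= n.network_address
               and n.broadcast_address <= ipaddress.ip_address(e)
               for s, e, _, _ in sels)


def narrow_first_conn(tsi: List[Range], tsr: List[Range],
                      conns: List[Tuple[str, str]]) -> Tuple[List[str], List[str]]:
    """Assumed responder behaviour (a model, not strongSwan's code): walk the
    configured (remote, local) subnets in order and answer with the first
    pair the proposal covers, one pair per CHILD_SA."""
    for remote, local in conns:
        if _covered(remote, tsi) and _covered(local, tsr):
            return [remote], [local]
    return [], []   # nothing acceptable: responder would send TS_UNACCEPTABLE


def uncovered_pairs(policy: List[Tuple[str, str]],
                    got_tsi: List[str], got_tsr: List[str]) -> List[Tuple[str, str]]:
    """Configured from/to pairs the negotiated selectors do not cover:
    these are flows in the kernel with no CHILD_SA behind them."""
    tsi = parse_ts_payload(encode_ts_payload(got_tsi))
    tsr = parse_ts_payload(encode_ts_payload(got_tsr))
    return [(f, t) for f, t in policy
            if not (_covered(f, tsi) and _covered(t, tsr))]


# iked policy from the post: two from/to pairs in one rule.
IKED_POLICY = [("192.0.2.0/24", "192.0.3.0/24"),
               ("192.0.4.0/24", "192.0.5.0/24")]
# strongSwan conns from the post as (rightsubnet = remote, leftsubnet = local).
SWAN_CONNS = [("192.0.2.0/24", "192.0.3.0/24"),
              ("192.0.4.0/24", "192.0.5.0/24")]


def simulate_iked_initiated_ike_auth():
    """iked as initiator: both pairs in one TSi/TSr, as the log shows."""
    tsi = parse_ts_payload(encode_ts_payload([f for f, _ in IKED_POLICY]))
    tsr = parse_ts_payload(encode_ts_payload([t for _, t in IKED_POLICY]))
    sel_i, sel_r = narrow_first_conn(tsi, tsr, SWAN_CONNS)
    missing = uncovered_pairs(IKED_POLICY, sel_i, sel_r)
    return sel_i, sel_r, missing


if __name__ == "__main__":
    sel_i, sel_r, missing = simulate_iked_initiated_ike_auth()
    print("negotiated:", sel_i, "<->", sel_r)
    print("flows without a CHILD_SA:", missing)
```

Run it to see the one negotiated pair and the one left without a CHILD_SA; to check a live setup, pass the start/end addresses printed by iked -dvv (the ikev2_pld_ts lines) for the selectors the peer actually returned into uncovered_pairs together with the policy's from/to list.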

Re: strongswan vs iked multiple subnet only the first CHILD_SA created

csszep
Hi!

dmesg missing...

OpenBSD 6.7-current (GENERIC.MP) #379: Thu Jul 30 10:54:47 MDT 2020
    [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC.MP

csszep <[hidden email]> wrote (on Fri, 31 Jul 2020, 9:39):

> Hi!
>
> When I configure multiple subnets (traffic selectors) between iked and
> strongswan, and iked acts as initiator (active), iked creates only the first
> CHILD_SA.
>
> strongswan config:
>
> conn openbsd
>         keyexchange=ikev2
>         auto=add
>         left=10.2.50.130
>         right=10.2.50.24
>         authby=secret
>         type=tunnel
>         dpdaction=hold
>
> conn openbsd-subnet-1
>         also=openbsd
>         leftsubnet=192.0.3.0/24
>         rightsubnet=192.0.2.0/24
>
> conn openbsd-subnet-2
>         also=openbsd
>         leftsubnet=192.0.5.0/24
>         rightsubnet=192.0.4.0/24
>
> iked config:
>
> ikev2 strongswan active esp \
>         from 192.0.2.0/24 to 192.0.3.0/24 \
>         from 192.0.4.0/24 to 192.0.5.0/24 \
>         local 10.2.50.24 peer 10.2.50.130 \
>         srcid 10.2.50.24 dstid 10.2.50.130 \
>         psk "you-should-not-use-psk-authentication!"
>
>
>
> After starting iked:
>
> ikectl show sa
> iked_sas: 0xf77bf267f0 rspi 0x2d3cf6edea006a61 ispi 0x8571a56c49fa05ff
> 10.2.50.24:500->10.2.50.130:500<IPV4/10.2.50.130>[] ESTABLISHED i nexti
> 0x0 pol 0xf7719fe000
>   sa_childsas: 0xf757c49e00 ESP 0xcd93a0cd out 10.2.50.24:500 ->
> 10.2.50.130:500 (L) B=0x0 P=0xf757c49000 @0xf77bf267f0
>   sa_childsas: 0xf757c49000 ESP 0xa48da310 in 10.2.50.130:500 ->
> 10.2.50.24:500 (LA) B=0x0 P=0xf757c49e00 @0xf77bf267f0
>   sa_flows: 0xf7998fcc00 ESP out 192.0.2.0/24 -> 192.0.3.0/24 [0]@-1 (L)
> @0xf77bf267f0
>   sa_flows: 0xf721e58800 ESP in 192.0.3.0/24 -> 192.0.2.0/24 [0]@-1 (L)
> @0xf77bf267f0
>   sa_flows: 0xf752c7ac00 ESP out 192.0.4.0/24 -> 192.0.5.0/24 [0]@-1 (L)
> @0xf77bf267f0
>   sa_flows: 0xf721e58400 ESP in 192.0.5.0/24 -> 192.0.4.0/24 [0]@-1 (L)
> @0xf77bf267f0
> iked_activesas: 0xf757c49000 ESP 0xa48da310 in 10.2.50.130:500 ->
> 10.2.50.24:500 (LA) B=0x0 P=0xf757c49e00 @0xf77bf267f0
> iked_activesas: 0xf757c49e00 ESP 0xcd93a0cd out 10.2.50.24:500 ->
> 10.2.50.130:500 (L) B=0x0 P=0xf757c49000 @0xf77bf267f0
> iked_flows: 0xf721e58800 ESP in 192.0.3.0/24 -> 192.0.2.0/24 [0]@-1 (L)
> @0xf77bf267f0
> iked_flows: 0xf721e58400 ESP in 192.0.5.0/24 -> 192.0.4.0/24 [0]@-1 (L)
> @0xf77bf267f0
> iked_flows: 0xf7998fcc00 ESP out 192.0.2.0/24 -> 192.0.3.0/24 [0]@-1 (L)
> @0xf77bf267f0
> iked_flows: 0xf752c7ac00 ESP out 192.0.4.0/24 -> 192.0.5.0/24 [0]@-1 (L)
> @0xf77bf267f0
>
> ipsecctl -sa
> FLOWS:
> flow esp in from 192.0.3.0/24 to 192.0.2.0/24 peer 10.2.50.130 srcid IPV4/
> 10.2.50.24 dstid IPV4/10.2.50.130 type require
> flow esp in from 192.0.5.0/24 to 192.0.4.0/24 peer 10.2.50.130 srcid IPV4/
> 10.2.50.24 dstid IPV4/10.2.50.130 type require
> flow esp out from 192.0.2.0/24 to 192.0.3.0/24 peer 10.2.50.130 srcid
> IPV4/10.2.50.24 dstid IPV4/10.2.50.130 type require
> flow esp out from 192.0.4.0/24 to 192.0.5.0/24 peer 10.2.50.130 srcid
> IPV4/10.2.50.24 dstid IPV4/10.2.50.130 type require
>
> SAD:
> esp tunnel from 10.2.50.130 to 10.2.50.24 spi 0xa48da310 auth
> hmac-sha2-256 enc aes
> esp tunnel from 10.2.50.24 to 10.2.50.130 spi 0xcd93a0cd auth
> hmac-sha2-256 enc aes
>
> Connections:
>      openbsd:  10.2.50.130...10.2.50.24  IKEv2, dpddelay=30s
>      openbsd:   local:  [10.2.50.130] uses pre-shared key authentication
>      openbsd:   remote: [10.2.50.24] uses pre-shared key authentication
>      openbsd:   child:  dynamic === dynamic TUNNEL, dpdaction=hold
> openbsd-subnet-1:   child:  192.0.3.0/24 === 192.0.2.0/24 TUNNEL,
> dpdaction=hold
> openbsd-subnet-2:   child:  192.0.5.0/24 === 192.0.4.0/24 TUNNEL,
> dpdaction=hold
> Security Associations (1 up, 0 connecting):
>      openbsd[2]: ESTABLISHED 42 seconds ago,
> 10.2.50.130[10.2.50.130]...10.2.50.24[10.2.50.24]
>      openbsd[2]: IKEv2 SPIs: 8571a56c49fa05ff_i 2d3cf6edea006a61_r*,
> pre-shared key reauthentication in 2 hours
>      openbsd[2]: IKE proposal:
> AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
> openbsd-subnet-1{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cd93a0cd_i
> a48da310_o
> openbsd-subnet-1{1}:  AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o,
> rekeying in 44 minutes
> openbsd-subnet-1{1}:   192.0.3.0/24 === 192.0.2.0/24
>
>
> Log:
>
> iked -dvv
> create_ike: using unknown for peer 10.2.50.130
> ikev2 "strongswan" active tunnel esp inet from 192.0.2.0/24 to
> 192.0.3.0/24 from 192.0.4.0/24 to 192.0.5.0/24 local 10.2.50.24 peer
> 10.2.50.130 ikesa enc aes-128-gcm,aes-256-gcm prf
> hmac-sha2-512,hmac-sha2-384,hmac-sha2-256,hmac-sha1 group
> curve25519,ecp521,ecp384,ecp256,modp4096,modp3072,modp2048,modp1536,modp1024
> ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth
> hmac-sha2-256,hmac-sha1 group
> curve25519,ecp521,ecp384,ecp256,modp4096,modp3072,modp2048,modp1536,modp1024
> childsa enc aes-128-gcm,aes-256-gcm esn,noesn childsa enc
> aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 esn,noesn srcid
> 10.2.50.24 dstid 10.2.50.130 lifetime 10800 bytes 536870912 psk
> 0x796f752d73686f756c642d6e6f742d7573652d70736b2d61757468656e7469636174696f6e21
> /etc/iked.conf: loaded 1 configuration rules
> ca_privkey_serialize: type RSA_KEY length 1191
> ca_pubkey_serialize: type RSA_KEY length 270
> config_getpolicy: received policy
> ca_privkey_to_method: type RSA_KEY method RSA_SIG
> ca_getkey: received private key type RSA_KEY length 1191
> ca_getkey: received public key type RSA_KEY length 270
> ca_dispatch_parent: config reset
> config_getpfkey: received pfkey fd 3
> config_getcompile: compilation done
> config_getsocket: received socket fd 4
> config_getsocket: received socket fd 5
> config_getsocket: received socket fd 6
> config_getsocket: received socket fd 7
> config_getmobike: mobike
> config_getfragmentation: no fragmentation
> config_getnattport: nattport 4500
> ca_reload: local cert type RSA_KEY
> config_getocsp: ocsp_url none
> ikev2_dispatch_cert: updated local CERTREQ type RSA_KEY length 0
> ikev2_init_ike_sa: initiating "strongswan"
> ikev2_policy2id: srcid IPV4/10.2.50.24 length 8
> ikev2_add_proposals: length 292
> ikev2_next_payload: length 296 nextpayload KE
> ikev2_next_payload: length 40 nextpayload NONCE
> ikev2_next_payload: length 36 nextpayload NOTIFY
> ikev2_nat_detection: local source 0xe50ba39bb72a1b5b 0x0000000000000000
> 10.2.50.24:500
> ikev2_next_payload: length 28 nextpayload NOTIFY
> ikev2_nat_detection: local destination 0xe50ba39bb72a1b5b
> 0x0000000000000000 10.2.50.130:500
> ikev2_next_payload: length 28 nextpayload NOTIFY
> ikev2_next_payload: length 14 nextpayload NONE
> ikev2_pld_parse: header ispi 0xe50ba39bb72a1b5b rspi 0x0000000000000000
> nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length
> 470 response 0
> ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 296
> ikev2_pld_sa: more 2 reserved 0 length 136 proposal #1 protoid IKE spisize
> 0 xforms 15 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id CURVE25519
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_4096
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_3072
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_1536
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
> ikev2_pld_sa: more 0 reserved 0 length 156 proposal #2 protoid IKE spisize
> 0 xforms 17 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id
> HMAC_SHA2_256_128
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id CURVE25519
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_4096
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_3072
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_1536
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
> ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 40
> ikev2_pld_ke: dh group CURVE25519 reserved 0
> ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length
> 36
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length
> 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length
> 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
> ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
> ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
> spi=0xe50ba39bb72a1b5b: send IKE_SA_INIT req 0 peer 10.2.50.130:500 local
> 10.2.50.24:500, 470 bytes
> spi=0xe50ba39bb72a1b5b: sa_state: INIT -> SA_INIT
> spi=0xe50ba39bb72a1b5b: recv IKE_SA_INIT res 0 peer 10.2.50.130:500 local
> 10.2.50.24:500, 38 bytes, policy 'strongswan'
> ikev2_recv: ispi 0xe50ba39bb72a1b5b rspi 0x0000000000000000
> ikev2_recv: updated SA to peer 10.2.50.130:500 local 10.2.50.24:500
> ikev2_policy2id: srcid IPV4/10.2.50.24 length 8
> ikev2_pld_parse: header ispi 0xe50ba39bb72a1b5b rspi 0x0000000000000000
> nextpayload NOTIFY version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0
> length 38 response 1
> ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 10
> ikev2_pld_notify: protoid NONE spisize 0 type INVALID_KE_PAYLOAD
> ikev2_handle_notifies: responder selected DH group 19
> spi=0xe50ba39bb72a1b5b: sa_state: SA_INIT -> CLOSED from 10.2.50.130:500
> to 10.2.50.24:500 policy 'strongswan'
> ikev2_recv: closing SA
> spi=0xe50ba39bb72a1b5b: sa_free: reinitiating with new DH group
> ikev2_init_ike_sa: initiating "strongswan"
> ikev2_policy2id: srcid IPV4/10.2.50.24 length 8
> ikev2_add_proposals: length 292
> ikev2_next_payload: length 296 nextpayload KE
> ikev2_next_payload: length 72 nextpayload NONCE
> ikev2_next_payload: length 36 nextpayload NOTIFY
> ikev2_nat_detection: local source 0x8571a56c49fa05ff 0x0000000000000000
> 10.2.50.24:500
> ikev2_next_payload: length 28 nextpayload NOTIFY
> ikev2_nat_detection: local destination 0x8571a56c49fa05ff
> 0x0000000000000000 10.2.50.130:500
> ikev2_next_payload: length 28 nextpayload NOTIFY
> ikev2_next_payload: length 14 nextpayload NONE
> ikev2_pld_parse: header ispi 0x8571a56c49fa05ff rspi 0x0000000000000000
> nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length
> 502 response 0
> ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 296
> ikev2_pld_sa: more 2 reserved 0 length 136 proposal #1 protoid IKE spisize
> 0 xforms 15 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id CURVE25519
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_4096
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_3072
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_1536
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
> ikev2_pld_sa: more 0 reserved 0 length 156 proposal #2 protoid IKE spisize
> 0 xforms 17 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id
> HMAC_SHA2_256_128
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id CURVE25519
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_4096
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_3072
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_1536
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
> ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 72
> ikev2_pld_ke: dh group ECP_256 reserved 0
> ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length
> 36
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length
> 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length
> 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
> ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
> ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
> spi=0x8571a56c49fa05ff: send IKE_SA_INIT req 0 peer 10.2.50.130:500 local
> 10.2.50.24:500, 502 bytes
> spi=0x8571a56c49fa05ff: sa_state: INIT -> SA_INIT
> spi=0x8571a56c49fa05ff: recv IKE_SA_INIT res 0 peer 10.2.50.130:500 local
> 10.2.50.24:500, 262 bytes, policy 'strongswan'
> ikev2_recv: ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
> ikev2_recv: updated SA to peer 10.2.50.130:500 local 10.2.50.24:500
> ikev2_policy2id: srcid IPV4/10.2.50.24 length 8
> ikev2_pld_parse: header ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
> nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length
> 262 response 1
> ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
> ikev2_pld_sa: more 0 reserved 0 length 44 proposal #2 protoid IKE spisize
> 0 xforms 4 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id
> HMAC_SHA2_256_128
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id ECP_256
> ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 72
> ikev2_pld_ke: dh group ECP_256 reserved 0
> ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length
> 36
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length
> 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
> ikev2_nat_detection: peer source 0x8571a56c49fa05ff 0x2d3cf6edea006a61
> 10.2.50.130:500
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length
> 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
> ikev2_nat_detection: peer destination 0x8571a56c49fa05ff
> 0x2d3cf6edea006a61 10.2.50.24:500
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length
> 14
> ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
> ikev2_pld_notify: signature hash SHA2_256 (2)
> ikev2_pld_notify: signature hash SHA2_384 (3)
> ikev2_pld_notify: signature hash SHA2_512 (4)
> ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 8
> ikev2_pld_notify: protoid NONE spisize 0 type MULTIPLE_AUTH_SUPPORTED
> proposals_negotiate: score 0
> proposals_negotiate: score 16
> sa_stateok: SA_INIT flags 0x0000, require 0x0008 auth
> spi=0x8571a56c49fa05ff: ikev2_sa_keys: DHSECRET with 32 bytes
> ikev2_sa_keys: SKEYSEED with 32 bytes
> spi=0x8571a56c49fa05ff: ikev2_sa_keys: S with 80 bytes
> ikev2_prfplus: T1 with 32 bytes
> ikev2_prfplus: T2 with 32 bytes
> ikev2_prfplus: T3 with 32 bytes
> ikev2_prfplus: T4 with 32 bytes
> ikev2_prfplus: T5 with 32 bytes
> ikev2_prfplus: T6 with 32 bytes
> ikev2_prfplus: Tn with 192 bytes
> ikev2_sa_keys: SK_d with 32 bytes
> ikev2_sa_keys: SK_ai with 32 bytes
> ikev2_sa_keys: SK_ar with 32 bytes
> ikev2_sa_keys: SK_ei with 16 bytes
> ikev2_sa_keys: SK_er with 16 bytes
> ikev2_sa_keys: SK_pi with 32 bytes
> ikev2_sa_keys: SK_pr with 32 bytes
> ikev2_msg_auth: initiator auth data length 566
> sa_stateok: SA_INIT flags 0x0008, require 0x0008 auth
> ikev2_next_payload: length 12 nextpayload AUTH
> ikev2_next_payload: length 40 nextpayload SA
> pfkey_sa_getspi: spi 0xa48da310
> pfkey_sa_init: new spi 0xa48da310
> ikev2_add_proposals: length 132
> ikev2_next_payload: length 136 nextpayload TSi
> ikev2_next_payload: length 40 nextpayload TSr
> ikev2_next_payload: length 40 nextpayload NONE
> ikev2_next_payload: length 308 nextpayload IDi
> ikev2_msg_encrypt: decrypted length 268
> ikev2_msg_encrypt: padded length 272
> ikev2_msg_encrypt: length 269, padding 3, output length 304
> ikev2_msg_integr: message length 336
> ikev2_msg_integr: integrity checksum length 16
> ikev2_pld_parse: header ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
> nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 336
> response 0
> ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 308
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 272
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 272/272 padding 3
> ikev2_pld_payloads: decrypted payload IDi nextpayload AUTH critical 0x00
> length 12
> ikev2_pld_id: id IPV4/10.2.50.24 length 8
> ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00
> length 40
> ikev2_pld_auth: method SHARED_KEY_MIC length 32
> ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00
> length 136
> ikev2_pld_sa: more 2 reserved 0 length 52 proposal #1 protoid ESP spisize
> 4 xforms 4 spi 0xa48da310
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type ESN id ESN
> ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
> ikev2_pld_sa: more 0 reserved 0 length 80 proposal #2 protoid ESP spisize
> 4 xforms 7 spi 0xa48da310
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id
> HMAC_SHA2_256_128
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
> ikev2_pld_xform: more 3 reserved 0 length 8 type ESN id ESN
> ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
> ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00
> length 40
> ikev2_pld_ts: count 2 length 32
> ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
> 65535
> ikev2_pld_ts: start 192.0.2.0 end 192.0.2.255
> ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
> 65535
> ikev2_pld_ts: start 192.0.4.0 end 192.0.4.255
> ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00
> length 40
> ikev2_pld_ts: count 2 length 32
> ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
> 65535
> ikev2_pld_ts: start 192.0.3.0 end 192.0.3.255
> ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
> 65535
> ikev2_pld_ts: start 192.0.5.0 end 192.0.5.255
> spi=0x8571a56c49fa05ff: send IKE_AUTH req 1 peer 10.2.50.130:500 local
> 10.2.50.24:500, 336 bytes
> config_free_proposals: free 0xf757c4a200
> spi=0x8571a56c49fa05ff: recv IKE_AUTH res 1 peer 10.2.50.130:500 local
> 10.2.50.24:500, 224 bytes, policy 'strongswan'
> ikev2_recv: ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
> ikev2_recv: updated SA to peer 10.2.50.130:500 local 10.2.50.24:500
> ikev2_pld_parse: header ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
> nextpayload SK version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length 224
> response 1
> ikev2_pld_payloads: payload SK nextpayload IDr critical 0x00 length 196
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 160
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 160/160 padding 3
> ikev2_pld_payloads: decrypted payload IDr nextpayload AUTH critical 0x00
> length 12
> ikev2_pld_id: id IPV4/10.2.50.130 length 8
> ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00
> length 40
> ikev2_pld_auth: method SHARED_KEY_MIC length 32
> ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00
> length 44
> ikev2_pld_sa: more 0 reserved 0 length 40 proposal #2 protoid ESP spisize
> 4 xforms 3 spi 0xcd93a0cd
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id
> HMAC_SHA2_256_128
> ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
> ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00
> length 24
> ikev2_pld_ts: count 1 length 16
> ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
> 65535
> ikev2_pld_ts: start 192.0.2.0 end 192.0.2.255
> ikev2_pld_payloads: decrypted payload TSr nextpayload NOTIFY critical 0x00
> length 24
> ikev2_pld_ts: count 1 length 16
> ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
> 65535
> ikev2_pld_ts: start 192.0.3.0 end 192.0.3.255
> ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NONE critical
> 0x00 length 12
> ikev2_pld_notify: protoid NONE spisize 0 type AUTH_LIFETIME
> spi=0x8571a56c49fa05ff: sa_state: SA_INIT -> AUTH_REQUEST
> proposals_negotiate: score 0
> proposals_negotiate: score 10
> sa_stateflags: 0x0008 -> 0x0028 auth,sa (required 0x0030 authvalid,sa)
> ikev2_msg_auth: responder auth data length 326
> ikev2_msg_authverify: method SHARED_KEY_MIC keylen 32 type NONE
> ikev2_msg_authverify: authentication successful
> spi=0x8571a56c49fa05ff: sa_state: AUTH_REQUEST -> AUTH_SUCCESS
> sa_stateflags: 0x0028 -> 0x0038 auth,authvalid,sa (required 0x0030
> authvalid,sa)
> sa_stateok: VALID flags 0x0030, require 0x0030 authvalid,sa
> spi=0x8571a56c49fa05ff: sa_state: AUTH_SUCCESS -> VALID
> sa_stateok: VALID flags 0x0030, require 0x0030 authvalid,sa
> sa_stateok: VALID flags 0x0030, require 0x0030 authvalid,sa
> ikev2_sa_tag:  (0)
> ikev2_childsa_negotiate: proposal 2
> ikev2_childsa_negotiate: key material length 96
> ikev2_prfplus: T1 with 32 bytes
> ikev2_prfplus: T2 with 32 bytes
> ikev2_prfplus: T3 with 32 bytes
> ikev2_prfplus: Tn with 96 bytes
> pfkey_sa_add: add spi 0xcd93a0cd
> ikev2_childsa_enable: loaded CHILD SA spi 0xcd93a0cd
> pfkey_sa_add: update spi 0xa48da310
> ikev2_childsa_enable: loaded CHILD SA spi 0xa48da310
> ikev2_childsa_enable: loaded flow 0xf7998fcc00
> ikev2_childsa_enable: loaded flow 0xf721e58800
> ikev2_childsa_enable: loaded flow 0xf752c7ac00
> ikev2_childsa_enable: loaded flow 0xf721e58400
> ikev2_childsa_enable: remember SA peer 10.2.50.130:500
> spi=0x8571a56c49fa05ff: ikev2_childsa_enable: loaded SPIs: 0xcd93a0cd,
> 0xa48da310
> spi=0x8571a56c49fa05ff: ikev2_childsa_enable: loaded flows:
> ESP-192.0.2.0/24=192.0.3.0/24(0), ESP-192.0.4.0/24=192.0.5.0/24(0)
> spi=0x8571a56c49fa05ff: sa_state: VALID -> ESTABLISHED from
> 10.2.50.130:500 to 10.2.50.24:500 policy 'strongswan'
> spi=0x8571a56c49fa05ff: established peer 10.2.50.130:500[IPV4/10.2.50.130]
> local 10.2.50.24:500[IPV4/10.2.50.24] policy 'strongswan' as initiator
> config_free_proposals: free 0xf757c4ab00
>
> 2020-07-31T09:26:18+02:00 ipsecgw1 charon: 13[NET] received packet: from
> 10.2.50.24[500] to 10.2.50.130[500] (470 bytes)
> 2020-07-31T09:26:18+02:00 ipsecgw1 charon: 13[ENC] parsed IKE_SA_INIT
> request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
> 2020-07-31T09:26:18+02:00 ipsecgw1 charon: 13[IKE] 10.2.50.24 is
> initiating an IKE_SA
> 2020-07-31T09:26:18+02:00 ipsecgw1 charon: 13[IKE] 10.2.50.24 is
> initiating an IKE_SA
> 2020-07-31T09:26:18+02:00 ipsecgw1 charon: 13[CFG] selected proposal:
> IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
> 2020-07-31T09:26:18+02:00 ipsecgw1 charon: 13[IKE] DH group CURVE_25519
> unacceptable, requesting ECP_256
> 2020-07-31T09:26:18+02:00 ipsecgw1 charon: 13[ENC] generating IKE_SA_INIT
> response 0 [ N(INVAL_KE) ]
> 2020-07-31T09:26:18+02:00 ipsecgw1 charon: 13[NET] sending packet: from
> 10.2.50.130[500] to 10.2.50.24[500] (38 bytes)
> 2020-07-31T09:26:20+02:00 ipsecgw1 charon: 14[NET] received packet: from
> 10.2.50.24[500] to 10.2.50.130[500] (502 bytes)
> 2020-07-31T09:26:20+02:00 ipsecgw1 charon: 14[ENC] parsed IKE_SA_INIT
> request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
> 2020-07-31T09:26:20+02:00 ipsecgw1 charon: 14[IKE] 10.2.50.24 is
> initiating an IKE_SA
> 2020-07-31T09:26:20+02:00 ipsecgw1 charon: 14[IKE] 10.2.50.24 is
> initiating an IKE_SA
> 2020-07-31T09:26:20+02:00 ipsecgw1 charon: 14[CFG] selected proposal:
> IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
> 2020-07-31T09:26:20+02:00 ipsecgw1 charon: 14[ENC] generating IKE_SA_INIT
> response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
> 2020-07-31T09:26:20+02:00 ipsecgw1 charon: 14[NET] sending packet: from
> 10.2.50.130[500] to 10.2.50.24[500] (262 bytes)
> 2020-07-31T09:26:20+02:00 ipsecgw1 charon: 15[NET] received packet: from
> 10.2.50.24[500] to 10.2.50.130[500] (336 bytes)
> 2020-07-31T09:26:20+02:00 ipsecgw1 charon: 15[ENC] parsed IKE_AUTH request
> 1 [ IDi AUTH SA TSi TSr ]
> 2020-07-31T09:26:20+02:00 ipsecgw1 charon: 15[CFG] looking for peer
> configs matching 10.2.50.130[%any]...10.2.50.24[10.2.50.24]
> 2020-07-31T09:26:20+02:00 ipsecgw1 charon: 15[CFG] selected peer config
> 'openbsd'
> 2020-07-31T09:26:20+02:00 ipsecgw1 charon: 15[IKE] authentication of
> '10.2.50.24' with pre-shared key successful
> 2020-07-31T09:26:20+02:00 ipsecgw1 charon: 15[IKE] authentication of
> '10.2.50.130' (myself) with pre-shared key
> 2020-07-31T09:26:20+02:00 ipsecgw1 charon: 15[IKE] IKE_SA openbsd[2]
> established between 10.2.50.130[10.2.50.130]...10.2.50.24[10.2.50.24]
> 2020-07-31T09:26:20+02:00 ipsecgw1 charon: 15[IKE] IKE_SA openbsd[2]
> established between 10.2.50.130[10.2.50.130]...10.2.50.24[10.2.50.24]
> 2020-07-31T09:26:20+02:00 ipsecgw1 charon: 15[IKE] scheduling
> reauthentication in 10045s
> 2020-07-31T09:26:20+02:00 ipsecgw1 charon: 15[IKE] maximum IKE_SA lifetime
> 10585s
> 2020-07-31T09:26:20+02:00 ipsecgw1 charon: 15[CFG] selected proposal:
> ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
> 2020-07-31T09:26:20+02:00 ipsecgw1 charon: 15[IKE] CHILD_SA
> openbsd-subnet-1{1} established with SPIs cd93a0cd_i a48da310_o and TS
> 192.0.3.0/24 === 192.0.2.0/24
> 2020-07-31T09:26:20+02:00 ipsecgw1 charon: 15[IKE] CHILD_SA
> openbsd-subnet-1{1} established with SPIs cd93a0cd_i a48da310_o and TS
> 192.0.3.0/24 === 192.0.2.0/24
> 2020-07-31T09:26:20+02:00 ipsecgw1 charon: 15[ENC] generating IKE_AUTH
> response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
>
>
> If I initiate the second CHILD_SA by hand from strongswan, it works:
>
>
> ipsec up openbsd-subnet-2
>
> establishing CHILD_SA openbsd-subnet-2{2}
> generating CREATE_CHILD_SA request 16 [ SA No TSi TSr ]
> sending packet: from 10.2.50.130[500] to 10.2.50.24[500] (256 bytes)
> received packet: from 10.2.50.24[500] to 10.2.50.130[500] (240 bytes)
> parsed CREATE_CHILD_SA response 16 [ SA No TSi TSr ]
> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
> CHILD_SA openbsd-subnet-2{2} established with SPIs c9be082b_i efe9920e_o
> and TS 192.0.5.0/24 === 192.0.4.0/24
> connection 'openbsd-subnet-2' established successfully
>
> ikectl show sa
> iked_sas: 0xf77bf267f0 rspi 0x2d3cf6edea006a61 ispi 0x8571a56c49fa05ff
> 10.2.50.24:500->10.2.50.130:500<IPV4/10.2.50.130>[] ESTABLISHED i nexti
> 0x0 pol 0xf7719fe000
>   sa_childsas: 0xf757c49e00 ESP 0xcd93a0cd out 10.2.50.24:500 ->
> 10.2.50.130:500 (L) B=0x0 P=0xf757c49000 @0xf77bf267f0
>   sa_childsas: 0xf757c49000 ESP 0xa48da310 in 10.2.50.130:500 ->
> 10.2.50.24:500 (LA) B=0x0 P=0xf757c49e00 @0xf77bf267f0
>   sa_childsas: 0xf7a68f2000 ESP 0xefe9920e in 10.2.50.130:500 ->
> 10.2.50.24:500 (LA) B=0x0 P=0xf757c49800 @0xf77bf267f0
>   sa_childsas: 0xf757c49800 ESP 0xc9be082b out 10.2.50.24:500 ->
> 10.2.50.130:500 (L) B=0x0 P=0xf7a68f2000 @0xf77bf267f0
>   sa_flows: 0xf7998fcc00 ESP out 192.0.2.0/24 -> 192.0.3.0/24 [0]@-1 (L)
> @0xf77bf267f0
>   sa_flows: 0xf721e58800 ESP in 192.0.3.0/24 -> 192.0.2.0/24 [0]@-1 (L)
> @0xf77bf267f0
>   sa_flows: 0xf752c7ac00 ESP out 192.0.4.0/24 -> 192.0.5.0/24 [0]@-1 (L)
> @0xf77bf267f0
>   sa_flows: 0xf721e58400 ESP in 192.0.5.0/24 -> 192.0.4.0/24 [0]@-1 (L)
> @0xf77bf267f0
> iked_activesas: 0xf757c49000 ESP 0xa48da310 in 10.2.50.130:500 ->
> 10.2.50.24:500 (LA) B=0x0 P=0xf757c49e00 @0xf77bf267f0
> iked_activesas: 0xf757c49800 ESP 0xc9be082b out 10.2.50.24:500 ->
> 10.2.50.130:500 (L) B=0x0 P=0xf7a68f2000 @0xf77bf267f0
> iked_activesas: 0xf757c49e00 ESP 0xcd93a0cd out 10.2.50.24:500 ->
> 10.2.50.130:500 (L) B=0x0 P=0xf757c49000 @0xf77bf267f0
> iked_activesas: 0xf7a68f2000 ESP 0xefe9920e in 10.2.50.130:500 ->
> 10.2.50.24:500 (LA) B=0x0 P=0xf757c49800 @0xf77bf267f0
> iked_flows: 0xf721e58800 ESP in 192.0.3.0/24 -> 192.0.2.0/24 [0]@-1 (L)
> @0xf77bf267f0
> iked_flows: 0xf721e58400 ESP in 192.0.5.0/24 -> 192.0.4.0/24 [0]@-1 (L)
> @0xf77bf267f0
> iked_flows: 0xf7998fcc00 ESP out 192.0.2.0/24 -> 192.0.3.0/24 [0]@-1 (L)
> @0xf77bf267f0
> iked_flows: 0xf752c7ac00 ESP out 192.0.4.0/24 -> 192.0.5.0/24 [0]@-1 (L)
> @0xf77bf267f0
>
> ipsecctl -sa
> FLOWS:
> flow esp in from 192.0.3.0/24 to 192.0.2.0/24 peer 10.2.50.130 srcid IPV4/
> 10.2.50.24 dstid IPV4/10.2.50.130 type require
> flow esp in from 192.0.5.0/24 to 192.0.4.0/24 peer 10.2.50.130 srcid IPV4/
> 10.2.50.24 dstid IPV4/10.2.50.130 type require
> flow esp out from 192.0.2.0/24 to 192.0.3.0/24 peer 10.2.50.130 srcid
> IPV4/10.2.50.24 dstid IPV4/10.2.50.130 type require
> flow esp out from 192.0.4.0/24 to 192.0.5.0/24 peer 10.2.50.130 srcid
> IPV4/10.2.50.24 dstid IPV4/10.2.50.130 type require
>
> SAD:
> esp tunnel from 10.2.50.130 to 10.2.50.24 spi 0xa48da310 auth
> hmac-sha2-256 enc aes
> esp tunnel from 10.2.50.24 to 10.2.50.130 spi 0xc9be082b auth
> hmac-sha2-256 enc aes-256
> esp tunnel from 10.2.50.24 to 10.2.50.130 spi 0xcd93a0cd auth
> hmac-sha2-256 enc aes
> esp tunnel from 10.2.50.130 to 10.2.50.24 spi 0xefe9920e auth
> hmac-sha2-256 enc aes-256
>
>
> log:
>
> spi=0x8571a56c49fa05ff: recv CREATE_CHILD_SA req 16 peer 10.2.50.130:500
> local 10.2.50.24:500, 256 bytes, policy 'strongswan'
> ikev2_recv: ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
> ikev2_recv: updated SA to peer 10.2.50.130:500 local 10.2.50.24:500
> ikev2_pld_parse: header ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
> nextpayload SK version 0x20 exchange CREATE_CHILD_SA flags 0x00 msgid 16
> length 256 response 0
> ikev2_pld_payloads: payload SK nextpayload SA critical 0x00 length 228
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 192
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 192/192 padding 7
> ikev2_pld_payloads: decrypted payload SA nextpayload NONCE critical 0x00
> length 100
> ikev2_pld_sa: more 0 reserved 0 length 96 proposal #1 protoid ESP spisize
> 4 xforms 9 spi 0xc9be082b
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id
> HMAC_SHA2_256_128
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id
> HMAC_SHA2_384_192
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id
> HMAC_SHA2_512_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id AES_XCBC_96
> ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
> ikev2_pld_payloads: decrypted payload NONCE nextpayload TSi critical 0x00
> length 36
> ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00
> length 24
> ikev2_pld_ts: count 1 length 16
> ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
> 65535
> ikev2_pld_ts: start 192.0.5.0 end 192.0.5.255
> ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00
> length 24
> ikev2_pld_ts: count 1 length 16
> ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
> 65535
> ikev2_pld_ts: start 192.0.4.0 end 192.0.4.255
> ikev2_resp_create_child_sa: creating new ESP SA
> proposals_negotiate: score 0
> proposals_negotiate: score 4
> sa_stateok: VALID flags 0x0030, require 0x0030 authvalid,sa
> ikev2_sa_tag:  (0)
> ikev2_childsa_negotiate: proposal 1
> ikev2_childsa_negotiate: key material length 128
> ikev2_prfplus: T1 with 32 bytes
> ikev2_prfplus: T2 with 32 bytes
> ikev2_prfplus: T3 with 32 bytes
> ikev2_prfplus: T4 with 32 bytes
> ikev2_prfplus: Tn with 128 bytes
> pfkey_sa_getspi: spi 0xefe9920e
> pfkey_sa_init: new spi 0xefe9920e
> ikev2_add_proposals: length 40
> ikev2_next_payload: length 44 nextpayload NONCE
> ikev2_next_payload: length 36 nextpayload TSi
> ikev2_next_payload: length 40 nextpayload TSr
> ikev2_next_payload: length 40 nextpayload NONE
> ikev2_next_payload: length 212 nextpayload SA
> ikev2_msg_encrypt: decrypted length 160
> ikev2_msg_encrypt: padded length 176
> ikev2_msg_encrypt: length 161, padding 15, output length 208
> ikev2_msg_integr: message length 240
> ikev2_msg_integr: integrity checksum length 16
> ikev2_pld_parse: header ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
> nextpayload SK version 0x20 exchange CREATE_CHILD_SA flags 0x28 msgid 16
> length 240 response 1
> ikev2_pld_payloads: payload SK nextpayload SA critical 0x00 length 212
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 176
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 176/176 padding 15
> ikev2_pld_payloads: decrypted payload SA nextpayload NONCE critical 0x00
> length 44
> ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid ESP spisize
> 4 xforms 3 spi 0xefe9920e
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id
> HMAC_SHA2_256_128
> ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
> ikev2_pld_payloads: decrypted payload NONCE nextpayload TSi critical 0x00
> length 36
> ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00
> length 40
> ikev2_pld_ts: count 2 length 32
> ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
> 65535
> ikev2_pld_ts: start 192.0.3.0 end 192.0.3.255
> ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
> 65535
> ikev2_pld_ts: start 192.0.5.0 end 192.0.5.255
> ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00
> length 40
> ikev2_pld_ts: count 2 length 32
> ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
> 65535
> ikev2_pld_ts: start 192.0.2.0 end 192.0.2.255
> ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
> 65535
> ikev2_pld_ts: start 192.0.4.0 end 192.0.4.255
> spi=0x8571a56c49fa05ff: send CREATE_CHILD_SA res 16 peer 10.2.50.130:500
> local 10.2.50.24:500, 240 bytes
> pfkey_sa_add: update spi 0xefe9920e
> ikev2_childsa_enable: loaded CHILD SA spi 0xefe9920e
> pfkey_sa_add: add spi 0xc9be082b
> ikev2_childsa_enable: loaded CHILD SA spi 0xc9be082b
> ikev2_childsa_enable: flow already loaded 0xf7998fcc00
> ikev2_childsa_enable: flow already loaded 0xf721e58800
> ikev2_childsa_enable: flow already loaded 0xf752c7ac00
> ikev2_childsa_enable: flow already loaded 0xf721e58400
> spi=0x8571a56c49fa05ff: ikev2_childsa_enable: loaded SPIs: 0xefe9920e,
> 0xc9be082b
> config_free_proposals: free 0xf72ed4f000
> config_free_proposals: free 0xf72ed4fa00
> spi=0x8571a56c49fa05ff: recv INFORMATIONAL req 17 peer 10.2.50.130:500
> local 10.2.50.24:500, 80 bytes, policy 'strongswan'
> ikev2_recv: ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
> ikev2_recv: updated SA to peer 10.2.50.130:500 local 10.2.50.24:500
> ikev2_pld_parse: header ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
> nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x00 msgid 17
> length 80 response 0
> ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 16
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 16/16 padding 15
> ikev2_next_payload: length 52 nextpayload NONE
> ikev2_msg_encrypt: decrypted length 0
> ikev2_msg_encrypt: padded length 16
> ikev2_msg_encrypt: length 1, padding 15, output length 48
> ikev2_msg_integr: message length 80
> ikev2_msg_integr: integrity checksum length 16
> ikev2_pld_parse: header ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
> nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x28 msgid 17
> length 80 response 1
> ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 16
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 16/16 padding 15
> spi=0x8571a56c49fa05ff: send INFORMATIONAL res 17 peer 10.2.50.130:500
> local 10.2.50.24:500, 80 bytes
> ikev2_init_ike_sa: "strongswan" is already active
> spi=0x8571a56c49fa05ff: recv INFORMATIONAL req 18 peer 10.2.50.130:500
> local 10.2.50.24:500, 80 bytes, policy 'strongswan'
> ikev2_recv: ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
> ikev2_recv: updated SA to peer 10.2.50.130:500 local 10.2.50.24:500
> ikev2_pld_parse: header ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
> nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x00 msgid 18
> length 80 response 0
> ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 16
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 16/16 padding 15
> ikev2_next_payload: length 52 nextpayload NONE
> ikev2_msg_encrypt: decrypted length 0
> ikev2_msg_encrypt: padded length 16
> ikev2_msg_encrypt: length 1, padding 15, output length 48
> ikev2_msg_integr: message length 80
> ikev2_msg_integr: integrity checksum length 16
> ikev2_pld_parse: header ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
> nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x28 msgid 18
> length 80 response 1
> ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 16
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 16/16 padding 15
> spi=0x8571a56c49fa05ff: send INFORMATIONAL res 18 peer 10.2.50.130:500
> local 10.2.50.24:500, 80 bytes
> spi=0x8571a56c49fa05ff: recv INFORMATIONAL req 19 peer 10.2.50.130:500
> local 10.2.50.24:500, 80 bytes, policy 'strongswan'
> ikev2_recv: ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
> ikev2_recv: updated SA to peer 10.2.50.130:500 local 10.2.50.24:500
> ikev2_pld_parse: header ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
> nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x00 msgid 19
> length 80 response 0
> ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 16
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 16/16 padding 15
> ikev2_next_payload: length 52 nextpayload NONE
> ikev2_msg_encrypt: decrypted length 0
> ikev2_msg_encrypt: padded length 16
> ikev2_msg_encrypt: length 1, padding 15, output length 48
> ikev2_msg_integr: message length 80
> ikev2_msg_integr: integrity checksum length 16
> ikev2_pld_parse: header ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
> nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x28 msgid 19
> length 80 response 1
> ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 16
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 16/16 padding 15
> spi=0x8571a56c49fa05ff: send INFORMATIONAL res 19 peer 10.2.50.130:500
> local 10.2.50.24:500, 80 bytes
> ikev2_init_ike_sa: "strongswan" is already active
> spi=0x8571a56c49fa05ff: recv INFORMATIONAL req 20 peer 10.2.50.130:500
> local 10.2.50.24:500, 80 bytes, policy 'strongswan'
> ikev2_recv: ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
> ikev2_recv: updated SA to peer 10.2.50.130:500 local 10.2.50.24:500
> ikev2_pld_parse: header ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
> nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x00 msgid 20
> length 80 response 0
> ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 16
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 16/16 padding 15
> ikev2_next_payload: length 52 nextpayload NONE
> ikev2_msg_encrypt: decrypted length 0
> ikev2_msg_encrypt: padded length 16
> ikev2_msg_encrypt: length 1, padding 15, output length 48
> ikev2_msg_integr: message length 80
> ikev2_msg_integr: integrity checksum length 16
> ikev2_pld_parse: header ispi 0x8571a56c49fa05ff rspi 0x2d3cf6edea006a61
> nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x28 msgid 20
> length 80 response 1
> ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 16
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 16/16 padding 15
> spi=0x8571a56c49fa05ff: send INFORMATIONAL res 20 peer 10.2.50.130:500
> local 10.2.50.24:500, 80 bytes