"ipsec whack --staus" after first tunnel setup: ----------------------------------------------- 000 "RZN78L80_R1N10_DSL": 10.11.0.0/24===192.168.3.80<192.168.3.80>[@08002725BA4E.example.de]---192.168.3.79...%any===10.13.10.0/32; unrouted; eroute owner: #0 000 "RZN78L80_R1N10_DSL": myip=unset; hisip=unset; mycert=/etc/ipsec.d/MyCerts/08002725BA4E.cert.der; 000 "RZN78L80_R1N10_DSL": CAs: 'C=DE, ST=BY, L=ExampleLocation., O=example.de, OU=IT, CN=example CA-2015, E=info@example.de'...'%any' 000 "RZN78L80_R1N10_DSL": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0 000 "RZN78L80_R1N10_DSL": policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK; prio: 24,32; interface: eth1:ip80; 000 "RZN78L80_R1N10_DSL": newest ISAKMP SA: #0; newest IPsec SA: #0; 000 "RZN78L80_R1N10_DSL": ESP algorithms wanted: AES(12)_000-SHA2_256(5)_000; flags=-strict 000 "RZN78L80_R1N10_DSL": ESP algorithms loaded: AES(12)_128-SHA2_256(5)_256 000 "RZN78L80_R1N10_DSL"[2]: 10.11.0.0/24===192.168.3.80<192.168.3.80>[@08002725BA4E.example.de]---192.168.3.79...192.168.1.6[@000149FFFF70.example.de]===10.13.10.0/32; erouted; eroute owner: #2 000 "RZN78L80_R1N10_DSL"[2]: myip=unset; hisip=unset; mycert=/etc/ipsec.d/MyCerts/08002725BA4E.cert.der; 000 "RZN78L80_R1N10_DSL"[2]: CAs: 'C=DE, ST=BY, L=ExampleLocation., O=example.de, OU=IT, CN=example CA-2015, E=info@example.de'...'%any' 000 "RZN78L80_R1N10_DSL"[2]: ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0 000 "RZN78L80_R1N10_DSL"[2]: policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK; prio: 24,32; interface: eth1:ip80; 000 "RZN78L80_R1N10_DSL"[2]: newest ISAKMP SA: #1; newest IPsec SA: #2; 000 "RZN78L80_R1N10_DSL"[2]: IKE algorithm newest: AES_CBC_256-SHA2_256-MODP2048 000 "RZN78L80_R1N10_DSL"[2]: ESP algorithms wanted: AES(12)_000-SHA2_256(5)_000; flags=-strict 000 "RZN78L80_R1N10_DSL"[2]: ESP algorithms loaded: AES(12)_128-SHA2_256(5)_256 000 "RZN78L80_R1N10_DSL"[2]: ESP algorithm newest: AES_256-HMAC_SHA2_256; pfsgroup= 000 000 #2: "RZN78L80_R1N10_DSL"[2] 192.168.1.6:500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28527s; newest IPSEC; eroute owner; isakmp#1; idle; import:not set 000 #2: "RZN78L80_R1N10_DSL"[2] 192.168.1.6 esp.52ddb5d6@192.168.1.6 esp.8e26dd36@192.168.3.80 tun.0@192.168.1.6 tun.0@192.168.3.80 ref=0 refhim=4294901761 000 #1: "RZN78L80_R1N10_DSL"[2] 192.168.1.6:500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3327s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set "ipsec whack --staus" after "power off" of client and new tunnel setup: ----------------------------------------------------------------------- 000 "RZN78L80_R1N10_DSL": 10.11.0.0/24===192.168.3.80<192.168.3.80>[@08002725BA4E.example.de]---192.168.3.79...%any===10.13.10.0/32; unrouted; eroute owner: #0 000 "RZN78L80_R1N10_DSL": myip=unset; hisip=unset; mycert=/etc/ipsec.d/MyCerts/08002725BA4E.cert.der; 000 "RZN78L80_R1N10_DSL": CAs: 'C=DE, ST=BY, L=ExampleLocation., O=example.de, OU=IT, CN=example CA-2015, E=info@example.de'...'%any' 000 "RZN78L80_R1N10_DSL": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0 000 "RZN78L80_R1N10_DSL": policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK; prio: 24,32; interface: eth1:ip80; 000 "RZN78L80_R1N10_DSL": newest ISAKMP SA: #0; newest IPsec SA: #0; 000 "RZN78L80_R1N10_DSL": ESP algorithms wanted: AES(12)_000-SHA2_256(5)_000; flags=-strict 000 "RZN78L80_R1N10_DSL": ESP algorithms loaded: AES(12)_128-SHA2_256(5)_256 000 "RZN78L80_R1N10_DSL"[4]: 10.11.0.0/24===192.168.3.80<192.168.3.80>[@08002725BA4E.example.de]---192.168.3.79...192.168.1.2[@000149FFFF70.example.de]===10.13.10.0/32; erouted; eroute owner: #4 000 "RZN78L80_R1N10_DSL"[4]: myip=unset; hisip=unset; mycert=/etc/ipsec.d/MyCerts/08002725BA4E.cert.der; 000 "RZN78L80_R1N10_DSL"[4]: CAs: 'C=DE, ST=BY, L=ExampleLocation., O=example.de, OU=IT, CN=example CA-2015, E=info@example.de'...'%any' 000 "RZN78L80_R1N10_DSL"[4]: ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0 000 "RZN78L80_R1N10_DSL"[4]: policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK; prio: 24,32; interface: eth1:ip80; 000 "RZN78L80_R1N10_DSL"[4]: newest ISAKMP SA: #3; newest IPsec SA: #4; 000 "RZN78L80_R1N10_DSL"[4]: IKE algorithm newest: AES_CBC_256-SHA2_256-MODP2048 000 "RZN78L80_R1N10_DSL"[4]: ESP algorithms wanted: AES(12)_000-SHA2_256(5)_000; flags=-strict 000 "RZN78L80_R1N10_DSL"[4]: ESP algorithms loaded: AES(12)_128-SHA2_256(5)_256 000 "RZN78L80_R1N10_DSL"[4]: ESP algorithm newest: AES_256-HMAC_SHA2_256; pfsgroup= 000 000 #4: "RZN78L80_R1N10_DSL"[4] 192.168.1.2:500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28523s; newest IPSEC; eroute owner; isakmp#3; idle; import:not set 000 #4: "RZN78L80_R1N10_DSL"[4] 192.168.1.2 esp.df376873@192.168.1.2 esp.9e57b26@192.168.3.80 tun.0@192.168.1.2 tun.0@192.168.3.80 ref=0 refhim=4294901761 000 #3: "RZN78L80_R1N10_DSL"[4] 192.168.1.2:500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3323s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set Log of RZNV78 (Linux Openswan U2.6.41/K3.7.10-1.1-desktop (netkey)): ==================================================================== Startup: -------- May 22 16:48:29 rznv78.example.de ipsec[4319]: ipsec_setup: Starting Openswan IPsec 2.6.41... May 22 16:48:29 rznv78.example.de ipsec_setup[4332]: Starting Openswan IPsec 2.6.41... May 22 16:48:29 rznv78.example.de ipsec_setup[4359]: Using KLIPS/legacy stack May 22 16:48:29 rznv78.example.de ipsec[4319]: ipsec_setup: No KLIPS support found while requested, desperately falling back to netkey May 22 16:48:29 rznv78.example.de ipsec_setup[4332]: No KLIPS support found while requested, desperately falling back to netkey May 22 16:48:29 rznv78.example.de ipsec[4319]: ipsec_setup: NETKEY support found. Use protostack=netkey in /etc/ipsec.conf to avoid attempts to use KLIPS. Attempting to continue with NETKEY May 22 16:48:29 rznv78.example.de kernel: NET: Registered protocol family 15 May 22 16:48:29 rznv78.example.de ipsec_setup[4332]: NETKEY support found. Use protostack=netkey in /etc/ipsec.conf to avoid attempts to use KLIPS. Attempting to continue with NETKEY May 22 16:48:29 rznv78.example.de ipsec_setup[4392]: Using NETKEY(XFRM) stack May 22 16:48:29 rznv78.example.de kernel: Initializing XFRM netlink socket May 22 16:48:29 rznv78.example.de ipsec__plutorun[4450]: Starting Pluto subsystem... May 22 16:48:29 rznv78.example.de ipsec_setup[4454]: ...Openswan IPsec started May 22 16:48:29 rznv78.example.de systemd[1]: Started LSB: Start Openswan IPsec at boot time. May 22 16:48:29 rznv78.example.de ipsec__plutorun[4452]: adjusting ipsec.d to /etc/ipsec.d May 22 16:48:29 rznv78.example.de pluto[4457]: adjusting ipsec.d to /etc/ipsec.d May 22 16:48:29 rznv78.example.de pluto[4457]: Starting Pluto (Openswan Version 2.6.41; Vendor ID OSWsxljF@TSY) pid:4457 May 22 16:48:29 rznv78.example.de pluto[4457]: LEAK_DETECTIVE support [disabled] May 22 16:48:29 rznv78.example.de pluto[4457]: OCF support for IKE [disabled] May 22 16:48:29 rznv78.example.de pluto[4457]: SAref support [disabled]: Protocol not available May 22 16:48:29 rznv78.example.de pluto[4457]: SAbind support [disabled]: Protocol not available May 22 16:48:29 rznv78.example.de pluto[4457]: NSS support [disabled] May 22 16:48:29 rznv78.example.de pluto[4457]: HAVE_STATSD notification support not compiled in May 22 16:48:29 rznv78.example.de pluto[4457]: Setting NAT-Traversal port-4500 floating to on May 22 16:48:29 rznv78.example.de pluto[4457]: port floating activation criteria nat_t=1/port_float=1 May 22 16:48:29 rznv78.example.de pluto[4457]: NAT-Traversal support [enabled] May 22 16:48:29 rznv78.example.de pluto[4457]: using /dev/urandom as source of random entropy May 22 16:48:29 rznv78.example.de pluto[4457]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0) May 22 16:48:29 rznv78.example.de pluto[4457]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0) May 22 16:48:29 rznv78.example.de pluto[4457]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0) May 22 16:48:29 rznv78.example.de pluto[4457]: starting up 1 cryptographic helpers May 22 16:48:29 rznv78.example.de pluto[4457]: started helper pid=4459 (fd:6) May 22 16:48:29 rznv78.example.de pluto[4457]: Kernel interface auto-pick May 22 16:48:29 rznv78.example.de pluto[4457]: Using Linux XFRM/NETKEY IPsec interface code on 3.7.10-1.1-desktop May 22 16:48:29 rznv78.example.de pluto[4459]: using /dev/urandom as source of random entropy May 22 16:48:29 rznv78.example.de pluto[4457]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0) May 22 16:48:29 rznv78.example.de pluto[4457]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists May 22 16:48:29 rznv78.example.de pluto[4457]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17) May 22 16:48:29 rznv78.example.de pluto[4457]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists May 22 16:48:29 rznv78.example.de pluto[4457]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17) May 22 16:48:29 rznv78.example.de pluto[4457]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists May 22 16:48:29 rznv78.example.de pluto[4457]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17) May 22 16:48:29 rznv78.example.de pluto[4457]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists May 22 16:48:29 rznv78.example.de pluto[4457]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17) May 22 16:48:29 rznv78.example.de pluto[4457]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists May 22 16:48:29 rznv78.example.de pluto[4457]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17) May 22 16:48:29 rznv78.example.de pluto[4457]: loaded CA cert file 'cacert_example.pem' (1850 bytes) May 22 16:48:29 rznv78.example.de pluto[4457]: loaded CA cert file 'exampleCa-2015-cacert.pem' (1814 bytes) May 22 16:48:29 rznv78.example.de pluto[4457]: Could not change to directory '/etc/ipsec.d/aacerts': No such file or directory May 22 16:48:29 rznv78.example.de pluto[4457]: Could not change to directory '/etc/ipsec.d/ocspcerts': No such file or directory May 22 16:48:29 rznv78.example.de pluto[4457]: loading certificate from /etc/ipsec.d/MyCerts/08002725BA4E.cert.der May 22 16:48:29 rznv78.example.de pluto[4457]: loaded host cert file '/etc/ipsec.d/MyCerts/08002725BA4E.cert.der' (1333 bytes) May 22 16:48:29 rznv78.example.de pluto[4457]: added connection description "RZN78L80_R1N10_DSL" May 22 16:48:29 rznv78.example.de ipsec__plutorun[4452]: 002 loading certificate from /etc/ipsec.d/MyCerts/08002725BA4E.cert.der May 22 16:48:29 rznv78.example.de ipsec__plutorun[4452]: 002 loaded host cert file '/etc/ipsec.d/MyCerts/08002725BA4E.cert.der' (1333 bytes) May 22 16:48:29 rznv78.example.de ipsec__plutorun[4452]: 002 added connection description "RZN78L80_R1N10_DSL" May 22 16:48:29 rznv78.example.de pluto[4457]: listening for IKE messages May 22 16:48:29 rznv78.example.de pluto[4457]: adding interface eth2/eth2 10.11.0.78:500 May 22 16:48:29 rznv78.example.de pluto[4457]: adding interface eth2/eth2 10.11.0.78:4500 May 22 16:48:29 rznv78.example.de pluto[4457]: adding interface eth1:ip87/eth1:ip87 192.168.3.87:500 May 22 16:48:29 rznv78.example.de pluto[4457]: adding interface eth1:ip87/eth1:ip87 192.168.3.87:4500 May 22 16:48:29 rznv78.example.de pluto[4457]: adding interface eth1:ip89/eth1:ip89 192.168.3.89:500 May 22 16:48:29 rznv78.example.de pluto[4457]: adding interface eth1:ip89/eth1:ip89 192.168.3.89:4500 May 22 16:48:29 rznv78.example.de pluto[4457]: adding interface eth1:ip88/eth1:ip88 192.168.3.88:500 May 22 16:48:29 rznv78.example.de pluto[4457]: adding interface eth1:ip88/eth1:ip88 192.168.3.88:4500 May 22 16:48:29 rznv78.example.de pluto[4457]: adding interface eth1:ip86/eth1:ip86 192.168.3.86:500 May 22 16:48:29 rznv78.example.de pluto[4457]: adding interface eth1:ip86/eth1:ip86 192.168.3.86:4500 May 22 16:48:29 rznv78.example.de pluto[4457]: adding interface eth1:ip85/eth1:ip85 192.168.3.85:500 May 22 16:48:29 rznv78.example.de pluto[4457]: adding interface eth1:ip85/eth1:ip85 192.168.3.85:4500 May 22 16:48:29 rznv78.example.de pluto[4457]: adding interface eth1:ip81/eth1:ip81 192.168.3.81:500 May 22 16:48:29 rznv78.example.de pluto[4457]: adding interface eth1:ip81/eth1:ip81 192.168.3.81:4500 May 22 16:48:29 rznv78.example.de pluto[4457]: adding interface eth1:ip80/eth1:ip80 192.168.3.80:500 May 22 16:48:29 rznv78.example.de pluto[4457]: adding interface eth1:ip80/eth1:ip80 192.168.3.80:4500 May 22 16:48:29 rznv78.example.de pluto[4457]: adding interface eth1/eth1 192.168.3.78:500 May 22 16:48:29 rznv78.example.de pluto[4457]: adding interface eth1/eth1 192.168.3.78:4500 May 22 16:48:29 rznv78.example.de pluto[4457]: adding interface eth0/eth0 10.1.5.78:500 May 22 16:48:29 rznv78.example.de pluto[4457]: adding interface eth0/eth0 10.1.5.78:4500 May 22 16:48:29 rznv78.example.de pluto[4457]: adding interface lo/lo 127.0.0.1:500 May 22 16:48:29 rznv78.example.de pluto[4457]: adding interface lo/lo 127.0.0.1:4500 May 22 16:48:29 rznv78.example.de pluto[4457]: loading secrets from "/etc/ipsec.secrets" May 22 16:48:29 rznv78.example.de pluto[4457]: loaded private key file '/etc/ipsec.d/private/08002725BA4E.key.pem' (1751 bytes) May 22 16:48:29 rznv78.example.de pluto[4457]: loaded private key for keyid: PPK_RSA:AwEAAef8L May 22 16:48:29 rznv78.example.de pluto[4457]: loaded private key for keyid: PPK_RSA:AQOIxxcfK first tunnel setup: ------------------- May 22 16:49:02 rznv78.example.de pluto[4457]: packet from 192.168.1.6:500: ignoring unknown Vendor ID payload [4f535751624a50497c705f61] May 22 16:49:02 rznv78.example.de pluto[4457]: packet from 192.168.1.6:500: received Vendor ID payload [Dead Peer Detection] May 22 16:49:02 rznv78.example.de pluto[4457]: packet from 192.168.1.6:500: received Vendor ID payload [RFC 3947] method set to=115 May 22 16:49:02 rznv78.example.de pluto[4457]: packet from 192.168.1.6:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115 May 22 16:49:02 rznv78.example.de pluto[4457]: packet from 192.168.1.6:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115 May 22 16:49:02 rznv78.example.de pluto[4457]: packet from 192.168.1.6:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115 May 22 16:49:02 rznv78.example.de pluto[4457]: packet from 192.168.1.6:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00] May 22 16:49:02 rznv78.example.de pluto[4457]: "RZN78L80_R1N10_DSL"[1] 192.168.1.6 #1: responding to Main Mode from unknown peer 192.168.1.6 May 22 16:49:02 rznv78.example.de pluto[4457]: "RZN78L80_R1N10_DSL"[1] 192.168.1.6 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1 May 22 16:49:02 rznv78.example.de pluto[4457]: "RZN78L80_R1N10_DSL"[1] 192.168.1.6 #1: STATE_MAIN_R1: sent MR1, expecting MI2 May 22 16:49:02 rznv78.example.de pluto[4457]: "RZN78L80_R1N10_DSL"[1] 192.168.1.6 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected May 22 16:49:02 rznv78.example.de pluto[4457]: "RZN78L80_R1N10_DSL"[1] 192.168.1.6 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2 May 22 16:49:02 rznv78.example.de pluto[4457]: "RZN78L80_R1N10_DSL"[1] 192.168.1.6 #1: STATE_MAIN_R2: sent MR2, expecting MI3 May 22 16:49:02 rznv78.example.de pluto[4457]: "RZN78L80_R1N10_DSL"[1] 192.168.1.6 #1: Main mode peer ID is ID_FQDN: '@000149FFFF70.example.de' May 22 16:49:02 rznv78.example.de pluto[4457]: "RZN78L80_R1N10_DSL"[1] 192.168.1.6 #1: no crl from issuer "C=DE, ST=BY, L=ExampleLocation., O=example.de, OU=IT, CN=example CA-2015, E=info@example.de" found (strict=no) May 22 16:49:02 rznv78.example.de pluto[4457]: "RZN78L80_R1N10_DSL"[1] 192.168.1.6 #1: switched from "RZN78L80_R1N10_DSL" to "RZN78L80_R1N10_DSL" May 22 16:49:02 rznv78.example.de pluto[4457]: "RZN78L80_R1N10_DSL"[2] 192.168.1.6 #1: deleting connection "RZN78L80_R1N10_DSL" instance with peer 192.168.1.6 {isakmp=#0/ipsec=#0} May 22 16:49:02 rznv78.example.de pluto[4457]: "RZN78L80_R1N10_DSL"[2] 192.168.1.6 #1: I am sending my cert May 22 16:49:02 rznv78.example.de pluto[4457]: "RZN78L80_R1N10_DSL"[2] 192.168.1.6 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3 May 22 16:49:02 rznv78.example.de pluto[4457]: "RZN78L80_R1N10_DSL"[2] 192.168.1.6 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=OAKLEY_SHA2_256 group=modp2048} May 22 16:49:02 rznv78.example.de pluto[4457]: "RZN78L80_R1N10_DSL"[2] 192.168.1.6 #1: the peer proposed: 10.11.0.0/24:0/0 -> 10.13.10.0/32:0/0 May 22 16:49:02 rznv78.example.de pluto[4457]: "RZN78L80_R1N10_DSL"[2] 192.168.1.6 #2: responding to Quick Mode proposal {msgid:8115b11b} May 22 16:49:02 rznv78.example.de pluto[4457]: "RZN78L80_R1N10_DSL"[2] 192.168.1.6 #2: us: 10.11.0.0/24===192.168.3.80<192.168.3.80>[@08002725BA4E.example.de]---192.168.3.79 May 22 16:49:02 rznv78.example.de pluto[4457]: "RZN78L80_R1N10_DSL"[2] 192.168.1.6 #2: them: 192.168.1.6[@000149FFFF70.example.de]===10.13.10.0/32 May 22 16:49:02 rznv78.example.de pluto[4457]: "RZN78L80_R1N10_DSL"[2] 192.168.1.6 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1 May 22 16:49:02 rznv78.example.de pluto[4457]: "RZN78L80_R1N10_DSL"[2] 192.168.1.6 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 May 22 16:49:02 rznv78.example.de pluto[4457]: "RZN78L80_R1N10_DSL"[2] 192.168.1.6 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2 May 22 16:49:02 rznv78.example.de pluto[4457]: "RZN78L80_R1N10_DSL"[2] 192.168.1.6 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x52ddb5d6 <0x8e26dd36 xfrm=AES_256-HMAC_SHA2_256 NATOA=none NATD=none DPD=none} new tunnel setup after "power off" of client: --------------------------------------------- May 22 16:49:43 rznv78.example.de systemd[1]: Job dev-disk-by\x2did-ata\x2dVBOX_HARDDISK_VB86a22635\x2da5c43ef0\x2dpart1.device/start timed out. May 22 16:49:43 rznv78.example.de systemd[1]: Timed out waiting for device dev-disk-by\x2did-ata\x2dVBOX_HARDDISK_VB86a22635\x2da5c43ef0\x2dpart1.device. May 22 16:49:43 rznv78.example.de systemd[1]: Dependency failed for /dev/disk/by-id/ata-VBOX_HARDDISK_VB86a22635-a5c43ef0-part1. May 22 16:49:43 rznv78.example.de systemd[1]: Job dev-disk-by\x2did-ata\x2dVBOX_HARDDISK_VB86a22635\x2da5c43ef0\x2dpart1.swap/start failed with result 'dependency'. May 22 16:49:43 rznv78.example.de systemd[1]: Job dev-disk-by\x2did-ata\x2dVBOX_HARDDISK_VB86a22635\x2da5c43ef0\x2dpart1.device/start failed with result 'timeout'. May 22 16:50:01 rznv78.example.de /usr/sbin/cron[4504]: pam_unix(crond:session): session opened for user root by (uid=0) May 22 16:50:01 rznv78.example.de /USR/SBIN/CRON[4504]: pam_unix(crond:session): session closed for user root May 22 16:50:34 rznv78.example.de pluto[4457]: packet from 192.168.1.2:500: ignoring unknown Vendor ID payload [4f535751624a50497c705f61] May 22 16:50:34 rznv78.example.de pluto[4457]: packet from 192.168.1.2:500: received Vendor ID payload [Dead Peer Detection] May 22 16:50:34 rznv78.example.de pluto[4457]: packet from 192.168.1.2:500: received Vendor ID payload [RFC 3947] method set to=115 May 22 16:50:34 rznv78.example.de pluto[4457]: packet from 192.168.1.2:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115 May 22 16:50:34 rznv78.example.de pluto[4457]: packet from 192.168.1.2:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115 May 22 16:50:34 rznv78.example.de pluto[4457]: packet from 192.168.1.2:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115 May 22 16:50:34 rznv78.example.de pluto[4457]: packet from 192.168.1.2:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00] May 22 16:50:34 rznv78.example.de pluto[4457]: "RZN78L80_R1N10_DSL"[3] 192.168.1.2 #3: responding to Main Mode from unknown peer 192.168.1.2 May 22 16:50:34 rznv78.example.de pluto[4457]: "RZN78L80_R1N10_DSL"[3] 192.168.1.2 #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1 May 22 16:50:34 rznv78.example.de pluto[4457]: "RZN78L80_R1N10_DSL"[3] 192.168.1.2 #3: STATE_MAIN_R1: sent MR1, expecting MI2 May 22 16:50:34 rznv78.example.de pluto[4457]: "RZN78L80_R1N10_DSL"[3] 192.168.1.2 #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected May 22 16:50:34 rznv78.example.de pluto[4457]: "RZN78L80_R1N10_DSL"[3] 192.168.1.2 #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2 May 22 16:50:34 rznv78.example.de pluto[4457]: "RZN78L80_R1N10_DSL"[3] 192.168.1.2 #3: STATE_MAIN_R2: sent MR2, expecting MI3 May 22 16:50:34 rznv78.example.de pluto[4457]: "RZN78L80_R1N10_DSL"[3] 192.168.1.2 #3: Main mode peer ID is ID_FQDN: '@000149FFFF70.example.de' May 22 16:50:34 rznv78.example.de pluto[4457]: "RZN78L80_R1N10_DSL"[3] 192.168.1.2 #3: no crl from issuer "C=DE, ST=BY, L=ExampleLocation., O=example.de, OU=IT, CN=example CA-2015, E=info@example.de" found (strict=no) May 22 16:50:34 rznv78.example.de pluto[4457]: "RZN78L80_R1N10_DSL"[3] 192.168.1.2 #3: switched from "RZN78L80_R1N10_DSL" to "RZN78L80_R1N10_DSL" ... 2.6.41 is deleting old states!!! May 22 16:50:34 rznv78.example.de pluto[4457]: "RZN78L80_R1N10_DSL"[4] 192.168.1.2 #3: deleting connection "RZN78L80_R1N10_DSL" instance with peer 192.168.1.2 {isakmp=#0/ipsec=#0} May 22 16:50:34 rznv78.example.de pluto[4457]: "RZN78L80_R1N10_DSL"[4] 192.168.1.2 #3: I am sending my cert May 22 16:50:34 rznv78.example.de pluto[4457]: "RZN78L80_R1N10_DSL"[4] 192.168.1.2 #3: deleting connection "RZN78L80_R1N10_DSL" instance with peer 192.168.1.6 {isakmp=#1/ipsec=#2} May 22 16:50:34 rznv78.example.de pluto[4457]: "RZN78L80_R1N10_DSL" #2: deleting state (STATE_QUICK_R2) May 22 16:50:34 rznv78.example.de pluto[4457]: "RZN78L80_R1N10_DSL" #2: down-client output: /usr/lib/ipsec/_updown.netkey: line 192: [: : integer expression expected May 22 16:50:34 rznv78.example.de pluto[4457]: "RZN78L80_R1N10_DSL" #1: deleting state (STATE_MAIN_R3) May 22 16:50:34 rznv78.example.de pluto[4457]: "RZN78L80_R1N10_DSL"[4] 192.168.1.2 #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3 May 22 16:50:34 rznv78.example.de pluto[4457]: "RZN78L80_R1N10_DSL"[4] 192.168.1.2 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=OAKLEY_SHA2_256 group=modp2048} May 22 16:50:34 rznv78.example.de pluto[4457]: "RZN78L80_R1N10_DSL"[4] 192.168.1.2 #3: the peer proposed: 10.11.0.0/24:0/0 -> 10.13.10.0/32:0/0 May 22 16:50:34 rznv78.example.de pluto[4457]: "RZN78L80_R1N10_DSL"[4] 192.168.1.2 #4: responding to Quick Mode proposal {msgid:af1e3f9b} May 22 16:50:34 rznv78.example.de pluto[4457]: "RZN78L80_R1N10_DSL"[4] 192.168.1.2 #4: us: 10.11.0.0/24===192.168.3.80<192.168.3.80>[@08002725BA4E.example.de]---192.168.3.79 May 22 16:50:34 rznv78.example.de pluto[4457]: "RZN78L80_R1N10_DSL"[4] 192.168.1.2 #4: them: 192.168.1.2[@000149FFFF70.example.de]===10.13.10.0/32 May 22 16:50:34 rznv78.example.de pluto[4457]: "RZN78L80_R1N10_DSL"[4] 192.168.1.2 #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1 May 22 16:50:34 rznv78.example.de pluto[4457]: "RZN78L80_R1N10_DSL"[4] 192.168.1.2 #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 May 22 16:50:34 rznv78.example.de pluto[4457]: "RZN78L80_R1N10_DSL"[4] 192.168.1.2 #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2 May 22 16:50:34 rznv78.example.de pluto[4457]: "RZN78L80_R1N10_DSL"[4] 192.168.1.2 #4: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xdf376873 <0x09e57b26 xfrm=AES_256-HMAC_SHA2_256 NATOA=none NATD=none DPD=none}