No traffic although Tunnel up – only tunnel reset helps
-
Hello forum,
My Problem:
I'm moving our 60 customer IPsec VPNs from Cisco ASA to pfSense.
The first 40 tunnels which I configured on the pfSense worked well in terms of config and stable connection. Since I have more than those, from time to time some tunnels are unstable and I can't get traffic through although the tunnels are up. Only when I shut down the tunnel manually and initiate a new connection does it work fine again (for a while).
2.3.2-RELEASE (amd64)
FreeBSD 10.3-RELEASE-p5
Nodes/Networks: 264
I explain with more details:
-
Some tunnels come up, but after some time I get a network error. Only resetting the tunnel helps to reconnect to the host. I also noticed that after 10 or 15 min I get a network error (tunnel still up), and after a while (10 or 15 min) the connection works without restarting the tunnel.
-
Some tunnels are already up from the day before but I don't get any connection. Resetting the tunnel fixes the tunnel and the traffic temporarily (this can be an issue of not having "Disable rekey" enabled). I enabled this option on a few tunnels. It makes it better but not without problems (so for me not really satisfying).
-
Under Status/IPsec/Overview I see on established tunnels with traffic only p1 and not the option "show child SA entries" (see attachment gzo)
-
I have a tunnel which I can't connect. The tunnel is down but I see that something is trying to establish the tunnel.
When I want to connect to the host, I can't connect and the tunnel remains down. (see attachment iic)
If you need any config or further details, let me know and I will provide them.
Many thanks for the help.
-
-
I made another observation:
The tunnel is down (as I see on the remote site) but on the pfSense under Status / IPsec / Overview I see the tunnel up but only outgoing traffic.
The connection was OK for about 29h, then randomly I could not access the host anymore. Resetting the tunnel helped to bring it to work again.
Does anybody have any suggestion where I can start searching for this issue?
Many thanks for the help!
-
I assume you mean you want 60 IKE channels, what about IPSec (child SA) tunnels, I assume each endpoint may have more than one?
What do the logs say when the channel is connected correctly?
What do they say when the tunnel is down?
Are both of your endpoints PfSense?
When does the channel become unstable, after the 8 hour default re-authentication or just at any time?
If it is only some IKE channels being affected and all are configured the same (at the PfSense end) then it might suggest other endpoint might have some configuration issues (old ACLs etc causing issues). In the past I have found it easier to completely rebuild some endpoints to make sure old configurations weren't causing an issue.
-
Many thanks for the reply KDog!
You assume right. I have 60 IKE and each of them has at least one IPsec (child SA).
What do the logs say when the channel is connected correctly?
I see this below when the tunnel is established. After this, I don't see any entries. Traffic is not logged. Do you need these logs? Then I can enable the traffic log and post them here.
Nov 10 08:55:59 charon 12[IKE] <con30000|107578> nothing to initiate Nov 10 08:55:59 charon 12[IKE] <con30000|107578> activating new tasks Nov 10 08:55:59 charon 12[NET] <con30000|107578> sending packet: from x.x.x.x[500] to z.z.z.z[500] (60 bytes) Nov 10 08:55:59 charon 12[ENC] <con30000|107578> generating QUICK_MODE request 712735909 [ HASH ] Nov 10 08:55:59 charon 12[IKE] <con30000|107578> QUICK_MODE task Nov 10 08:55:59 charon 12[IKE] <con30000|107578> reinitiating already active tasks Nov 10 08:55:59 charon 12[IKE] <con30000|107578> CHILD_SA con30001{67915} established with SPIs c5fb3c1f_i dabee873_o and TS y.y.y.y/24|w.w.w.w/32 === 10.20.200.0/24|/0 Nov 10 08:55:59 charon 12[CHD] <con30000|107578> SPI 0xdabee873, src x.x.x.x dst z.z.z.z Nov 10 08:55:59 charon 12[CHD] <con30000|107578> adding outbound ESP SA Nov 10 08:55:59 charon 12[CHD] <con30000|107578> SPI 0xc5fb3c1f, src z.z.z.z dst x.x.x.x Nov 10 08:55:59 charon 12[CHD] <con30000|107578> adding inbound ESP SA Nov 10 08:55:59 charon 12[CHD] <con30000|107578> using HMAC_SHA1_96 for integrity Nov 10 08:55:59 charon 12[CHD] <con30000|107578> using AES_CBC for encryption Nov 10 08:55:59 charon 12[CFG] <con30000|107578> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ Nov 10 08:55:59 charon 12[CFG] <con30000|107578> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ Nov 10 08:55:59 charon 12[CFG] <con30000|107578> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ Nov 10 08:55:59 charon 12[CFG] <con30000|107578> proposal matches Nov 10 08:55:59 charon 12[CFG] <con30000|107578> selecting proposal: Nov 10 08:55:59 charon 12[ENC] <con30000|107578> parsed QUICK_MODE response 712735909 [ HASH SA No ID ID ] Nov 10 08:55:59 charon 12[NET] <con30000|107578> received packet: from z.z.z.z[500] to x.x.x.x[500] (172 bytes) Nov 10 08:55:59 charon 11[NET] <con30000|107578> sending packet: from x.x.x.x[500] to 
z.z.z.z[500] (188 bytes) Nov 10 08:55:59 charon 11[ENC] <con30000|107578> generating QUICK_MODE request 712735909 [ HASH SA No ID ID ] Nov 10 08:55:59 charon 11[CFG] <con30000|107578> 10.20.200.0/24|/0 Nov 10 08:55:59 charon 11[CFG] <con30000|107578> proposing traffic selectors for other: Nov 10 08:55:59 charon 11[CFG] <con30000|107578> y.y.y.y/24|w.w.w.w/32 Nov 10 08:55:59 charon 11[CFG] <con30000|107578> proposing traffic selectors for us: Nov 10 08:55:59 charon 11[CFG] <con30000|107578> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ Nov 10 08:55:59 charon 11[CFG] <con30000|107578> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ Nov 10 08:55:59 charon 11[IKE] <con30000|107578> activating QUICK_MODE task Nov 10 08:55:59 charon 11[IKE] <con30000|107578> activating new tasks Nov 10 08:55:59 charon 11[IKE] <con30000|107578> DPD not supported by peer, disabled Nov 10 08:55:59 charon 11[IKE] <con30000|107578> maximum IKE_SA lifetime 86199s Nov 10 08:55:59 charon 11[IKE] <con30000|107578> scheduling reauthentication in 85659s Nov 10 08:55:59 charon 11[IKE] <con30000|107578> IKE_SA con30000[107578] state change: CONNECTING => ESTABLISHED Nov 10 08:55:59 charon 11[IKE] <con30000|107578> IKE_SA con30000[107578] established between x.x.x.x[172.23.103.5]...z.z.z.z[z.z.z.z] Nov 10 08:55:59 charon 11[ENC] <con30000|107578> parsed ID_PROT response 0 [ ID HASH ] Nov 10 08:55:59 charon 11[NET] <con30000|107578> received packet: from z.z.z.z[500] to x.x.x.x[500] (76 bytes) Nov 10 08:55:59 charon 15[NET] <con30000|107578> sending packet: from x.x.x.x[500] to z.z.z.z[500] (108 bytes) Nov 10 08:55:59 charon 15[ENC] <con30000|107578> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ] Nov 10 08:55:59 charon 15[IKE] <con30000|107578> MAIN_MODE task Nov 10 08:55:59 charon 15[IKE] <con30000|107578> ISAKMP_VENDOR task Nov 10 08:55:59 charon 15[IKE] <con30000|107578> reinitiating already active tasks Nov 10 08:55:59 charon 15[ENC] <con30000|107578> 
parsed ID_PROT response 0 [ KE No ] Nov 10 08:55:59 charon 15[NET] <con30000|107578> received packet: from z.z.z.z[500] to x.x.x.x[500] (184 bytes) Nov 10 08:55:59 charon 15[NET] <con30000|107578> sending packet: from x.x.x.x[500] to z.z.z.z[500] (196 bytes) Nov 10 08:55:59 charon 15[ENC] <con30000|107578> generating ID_PROT request 0 [ KE No ] Nov 10 08:55:59 charon 15[IKE] <con30000|107578> MAIN_MODE task Nov 10 08:55:59 charon 15[IKE] <con30000|107578> ISAKMP_VENDOR task Nov 10 08:55:59 charon 15[IKE] <con30000|107578> reinitiating already active tasks Nov 10 08:55:59 charon 15[CFG] <con30000|107578> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 Nov 10 08:55:59 charon 15[CFG] <con30000|107578> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 Nov 10 08:55:59 charon 15[CFG] <con30000|107578> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 Nov 10 08:55:59 charon 15[CFG] <con30000|107578> proposal matches Nov 10 08:55:59 charon 15[CFG] <con30000|107578> selecting proposal: Nov 10 08:55:59 charon 15[IKE] <con30000|107578> received FRAGMENTATION vendor ID Nov 10 08:55:59 charon 15[ENC] <con30000|107578> parsed ID_PROT response 0 [ SA V ] Nov 10 08:55:59 charon 15[NET] <con30000|107578> received packet: from z.z.z.z[500] to x.x.x.x[500] (108 bytes) Nov 10 08:55:59 charon 15[NET] <con30000|107578> sending packet: from x.x.x.x[500] to z.z.z.z[500] (184 bytes) Nov 10 08:55:59 charon 15[ENC] <con30000|107578> generating ID_PROT request 0 [ SA V V V V V ] Nov 10 08:55:59 charon 15[CFG] <con30000|107578> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 Nov 10 08:55:59 charon 15[IKE] <con30000|107578> IKE_SA con30000[107578] state change: CREATED => CONNECTING Nov 10 08:55:59 charon 15[IKE] <con30000|107578> initiating Main Mode IKE_SA con30000[107578] to z.z.z.z Nov 10 08:55:59 charon 15[IKE] <con30000|107578> sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID Nov 10 
08:55:59 charon 15[IKE] <con30000|107578> sending NAT-T (RFC 3947) vendor ID Nov 10 08:55:59 charon 15[IKE] <con30000|107578> sending FRAGMENTATION vendor ID Nov 10 08:55:59 charon 15[IKE] <con30000|107578> sending DPD vendor ID Nov 10 08:55:59 charon 15[IKE] <con30000|107578> sending XAuth vendor ID Nov 10 08:55:59 charon 15[IKE] <con30000|107578> activating ISAKMP_NATD task Nov 10 08:55:59 charon 15[IKE] <con30000|107578> activating ISAKMP_CERT_POST task Nov 10 08:55:59 charon 15[IKE] <con30000|107578> activating MAIN_MODE task Nov 10 08:55:59 charon 15[IKE] <con30000|107578> activating ISAKMP_CERT_PRE task Nov 10 08:55:59 charon 15[IKE] <con30000|107578> activating ISAKMP_VENDOR task Nov 10 08:55:59 charon 15[IKE] <con30000|107578> activating new tasks Nov 10 08:55:59 charon 15[IKE] <con30000|107578> queueing QUICK_MODE task Nov 10 08:55:59 charon 15[IKE] <con30000|107578> queueing ISAKMP_NATD task Nov 10 08:55:59 charon 15[IKE] <con30000|107578> queueing ISAKMP_CERT_POST task Nov 10 08:55:59 charon 15[IKE] <con30000|107578> queueing MAIN_MODE task Nov 10 08:55:59 charon 15[IKE] <con30000|107578> queueing ISAKMP_CERT_PRE task Nov 10 08:55:59 charon 15[IKE] <con30000|107578> queueing ISAKMP_VENDOR 
task
What do they say when the tunnel is down?
On this particular tunnel they send keep alive (I did a new post https://forum.pfsense.org/index.php?topic=120811.0 )
Besides this, when the tunnel is down but I see it up, I see this: sending retransmit. Google says that is an issue of the "rekey" option. In my case some tunnels work better with "Disable rekey" checked, some work better without "Disable rekey" checked. I also tried to look at whether DPD was a problem… but can't say with accuracy if it helped.
Are both of your endpoints PfSense?
No, none of them uses pfSense. Endpoints have different manufacturers such as Cisco ASA, Check Point, Sonicwall and so on.
When does the channel become unstable, after the 8 hour default re-authentication or just at any time?
It happens randomly. I really can't tell you what the trigger is that makes them unstable. Some tunnels get unstable after minutes, some after hours when utilizing the tunnel again. As I mentioned, the reconnect won't work until I restart the tunnel manually.
If it is only some IKE channels being affected and all are configured the same (at the PfSense end) then it might suggest other endpoint might have some configuration issues (old ACLs etc causing issues). In the past I have found it easier to completely rebuild some endpoints to make sure old configurations weren't causing an issue.
I tried this option several times but without success. And now nearly every tunnel has some issue, except for 3 or 4 which work well. So I decided to change the most affected tunnels back to Cisco ASA.
About the old ACLs etc. causing issues… I saw in pfSense the option "Configure Unique IDs as" under VPN / IPsec / Advanced Settings. Do you think this may cause issues as well? At the moment it is configured as default, "YES".
-
the tunnel is down (as i see on the remote site) but on the pfSense under Status / IPsec / Overview i see the tunnel up but only outgoing traffic.
Why did the other side drop the tunnel? What is in the logs there? What hardware is on the other side?
Is DPD enabled on that tunnel?
I would concentrate on one tunnel that is problematic.
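Concentrating on one tunnel is easier with a per-connection timeline built from the charon log. The script below is an added example, not part of the original thread: it splits charon entries even when they have been pasted onto one line, then reports CHILD_SAs closed with 0 bytes in both directions and periods where an IKE_SA was ESTABLISHED with no CHILD_SA installed (Phase 1 shown as up, no child SA entries). The sample log is constructed in the format shown in the thread; `parse_charon`, `analyze`, the `con5000` connection, the addresses and the default year are assumptions.

```python
import re
from collections import namedtuple
from datetime import datetime

Event = namedtuple("Event", "ts conn ike_id msg")

TS = r"[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d"
# "<con11000|108034>" or "<108034>"; the message runs until the next timestamp.
ENTRY = re.compile(
    rf"(?P<ts>{TS}) charon \d+\[[A-Z]+\] <(?:(?P<conn>[^|>]+)\|)?(?P<ike>\d+)> "
    rf"(?P<msg>.*?)(?=\s*(?:{TS} charon |\Z))",
    re.S,
)
CHILD_UP = re.compile(r"CHILD_SA \S+\{(\d+)\} established with SPIs")
CHILD_DOWN = re.compile(
    r"closing CHILD_SA \S+\{(\d+)\} with SPIs \w+_i \((\d+) bytes\) \w+_o \((\d+) bytes\)")
IKE_STATE = re.compile(r"IKE_SA \S+\[(\d+)\] state change: (\w+) => (\w+)")


def parse_charon(text, year=2016):
    """Return events oldest-first. charon timestamps carry no year (assumed)."""
    events = [
        Event(datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
              m["conn"], m["ike"], " ".join(m["msg"].split()))
        for m in ENTRY.finditer(text)
    ]
    # The pfSense GUI can list newest first; flip so same-second entries
    # keep their real order, then sort (stable) by timestamp.
    if events and events[0].ts > events[-1].ts:
        events.reverse()
    events.sort(key=lambda e: e.ts)
    return events


def analyze(text, year=2016):
    """Per connection: zero-byte CHILD_SA closes and IKE-up/no-child periods."""
    state = {}
    for ev in parse_charon(text, year):
        if ev.conn is None:          # entry not yet bound to a connection
            continue
        st = state.setdefault(
            ev.conn, {"ike": set(), "child": set(), "zero": [], "gaps": [], "open": None})
        if m := CHILD_UP.search(ev.msg):
            st["child"].add(m[1])
        elif m := CHILD_DOWN.search(ev.msg):
            st["child"].discard(m[1])
            if m[2] == "0" and m[3] == "0":
                st["zero"].append(m[1])
        elif m := IKE_STATE.search(ev.msg):
            if m[3] == "ESTABLISHED":
                st["ike"].add(m[1])
            elif m[3] in ("DELETING", "DESTROYING"):
                st["ike"].discard(m[1])
        stalled = bool(st["ike"]) and not st["child"]
        if stalled and st["open"] is None:
            st["open"] = ev.ts
        elif not stalled and st["open"] is not None:
            if ev.ts > st["open"]:   # ignore same-second transitions
                st["gaps"].append((st["open"], ev.ts))
            st["open"] = None
    report = {}
    for conn, st in state.items():
        gaps = list(st["gaps"])
        if st["open"] is not None:   # still stalled at the end of the log
            gaps.append((st["open"], None))
        report[conn] = {"zero_byte_closes": st["zero"], "gaps": gaps}
    return report


# Constructed sample, newest first, with some entries run together on one line.
SAMPLE = """\
Nov 10 14:07:27 charon 08[IKE] <con11000|108034> IKE_SA con11000[108034] state change: ESTABLISHED => DELETING Nov 10 14:07:27 charon 05[IKE] <con11000|108034> closing CHILD_SA con11000{68429} with SPIs c849c2f7_i (0 bytes) 5502fdda_o (0 bytes) and TS 10.0.1.1/32 === 10.0.2.0/28
Nov 10 14:07:12 charon 15[IKE] <con11000|108023> IKE_SA con11000[108023] state change: ESTABLISHED => DELETING
Nov 10 14:07:02 charon 06[IKE] <con11000|108034> IKE_SA con11000[108034] state change: CONNECTING => ESTABLISHED
Nov 10 14:03:02 charon 10[IKE] <con11000|108023> closing CHILD_SA con11000{68422} with SPIs cc5feced_i (0 bytes) a6cd8be9_o (0 bytes) and TS 10.0.1.1/32 === 10.0.2.0/28
Nov 10 14:02:32 charon 10[IKE] <con11000|108023> CHILD_SA con11000{68429} established with SPIs c849c2f7_i 5502fdda_o and TS 10.0.1.1/32 === 10.0.2.0/28
Nov 10 13:37:01 charon 10[IKE] <con11000|108023> CHILD_SA con11000{68422} established with SPIs cc5feced_i a6cd8be9_o and TS 10.0.1.1/32 === 10.0.2.0/28 Nov 10 13:37:01 charon 10[IKE] <con11000|108023> IKE_SA con11000[108023] state change: CONNECTING => ESTABLISHED
Nov 10 09:40:00 charon 07[IKE] <con5000|200> sending keep alive to 198.51.100.7[4500]
Nov 10 09:20:00 charon 07[IKE] <con5000|200> closing CHILD_SA con5000{31} with SPIs aaaa0001_i (1200 bytes) bbbb0001_o (0 bytes) and TS 10.0.3.0/24 === 10.0.4.0/24
Nov 10 09:00:00 charon 07[IKE] <con5000|200> CHILD_SA con5000{31} established with SPIs aaaa0001_i bbbb0001_o and TS 10.0.3.0/24 === 10.0.4.0/24
Nov 10 09:00:00 charon 07[IKE] <con5000|200> IKE_SA con5000[200] state change: CONNECTING => ESTABLISHED
"""

if __name__ == "__main__":
    for conn, result in analyze(SAMPLE).items():
        print(conn, result)
```

A gap whose end is `None` means the log ends with Phase 1 still established and no CHILD_SA installed, which is the point at which to compare against the peer's log for the same timestamps.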
-
Why did the other side drop the tunnel? What is in the logs there?
On the ASA I saw this log after the tunnel went down:
4|Nov 10 2016|14:07:27|113019|||||Group = r.r.r.r, Username = r.r.r.r, IP = r.r.r.r, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:30m:25s, Bytes xmt: 406, Bytes rcv: 408, Reason: Idle Timeout
I don't get why the session terminates only after 30min 25s when the lifetime is 600s.
I also wonder why pfSense sends keep alives and why it tried 3 times to keep the tunnel alive.
Here are the logs on the other end (HW: Cisco ASA 5505):
6|Nov 10 2016|14:09:29|302016|r.r.r.r|4500|x.x.x.x|4500|Teardown UDP connection 26009 for Internet_Network:r.r.r.r/4500 to identity:x.x.x.x/4500 duration 0:32:27 bytes 9869 6|Nov 10 2016|14:08:07|106015|z.z.z.z|49446|x.x.x.x|443|Deny TCP (no connection) from z.z.z.z/49446 to x.x.x.x/443 flags FIN ACK on interface Internet_Network 6|Nov 10 2016|14:08:07|302014|z.z.z.z|49446|x.x.x.x|443|Teardown TCP connection 26016 for Internet_Network:z.z.z.z/49446 to identity:x.x.x.x/443 duration 0:00:00 bytes 393 TCP Reset-O 6|Nov 10 2016|14:08:07|725007|z.z.z.z|49446|||SSL session with client Internet_Network:z.z.z.z/49446 terminated. 6|Nov 10 2016|14:08:07|605005|z.z.z.z|49446|x.x.x.x|https|Login permitted from z.z.z.z/49446 to Internet_Network:x.x.x.x/https for user "enable_15" 6|Nov 10 2016|14:08:07|725002|z.z.z.z|49446|||Device completed SSL handshake with client Internet_Network:z.z.z.z/49446 6|Nov 10 2016|14:08:07|725003|z.z.z.z|49446|||SSL client Internet_Network:z.z.z.z/49446 request to resume previous session. 6|Nov 10 2016|14:08:07|725001|z.z.z.z|49446|||Starting SSL handshake with client Internet_Network:z.z.z.z/49446 for TLSv1 session. 6|Nov 10 2016|14:08:07|302013|z.z.z.z|49446|x.x.x.x|443|Built inbound TCP connection 26016 for Internet_Network:z.z.z.z/49446 (z.z.z.z/49446) to identity:x.x.x.x/443 (x.x.x.x/443) 6|Nov 10 2016|14:08:07|106015|z.z.z.z|49445|x.x.x.x|443|Deny TCP (no connection) from z.z.z.z/49445 to x.x.x.x/443 flags FIN ACK on interface Internet_Network 6|Nov 10 2016|14:08:07|302014|z.z.z.z|49445|x.x.x.x|443|Teardown TCP connection 26015 for Internet_Network:z.z.z.z/49445 to identity:x.x.x.x/443 duration 0:00:00 bytes 1161 TCP Reset-O 6|Nov 10 2016|14:08:07|725007|z.z.z.z|49445|||SSL session with client Internet_Network:z.z.z.z/49445 terminated. 
6|Nov 10 2016|14:08:07|605005|z.z.z.z|49445|x.x.x.x|https|Login permitted from z.z.z.z/49445 to Internet_Network:x.x.x.x/https for user "enable_15" 6|Nov 10 2016|14:08:07|725002|z.z.z.z|49445|||Device completed SSL handshake with client Internet_Network:z.z.z.z/49445 6|Nov 10 2016|14:08:07|725003|z.z.z.z|49445|||SSL client Internet_Network:z.z.z.z/49445 request to resume previous session. 6|Nov 10 2016|14:08:07|725001|z.z.z.z|49445|||Starting SSL handshake with client Internet_Network:z.z.z.z/49445 for TLSv1 session. 6|Nov 10 2016|14:08:07|302013|z.z.z.z|49445|x.x.x.x|443|Built inbound TCP connection 26015 for Internet_Network:z.z.z.z/49445 (z.z.z.z/49445) to identity:x.x.x.x/443 (x.x.x.x/443) 6|Nov 10 2016|14:08:07|106015|z.z.z.z|49444|x.x.x.x|443|Deny TCP (no connection) from z.z.z.z/49444 to x.x.x.x/443 flags FIN ACK on interface Internet_Network 6|Nov 10 2016|14:08:07|302014|z.z.z.z|49444|x.x.x.x|443|Teardown TCP connection 26014 for Internet_Network:z.z.z.z/49444 to identity:x.x.x.x/443 duration 0:00:00 bytes 1294 TCP Reset-O 6|Nov 10 2016|14:08:07|725007|z.z.z.z|49444|||SSL session with client Internet_Network:z.z.z.z/49444 terminated. 6|Nov 10 2016|14:08:07|605005|z.z.z.z|49444|x.x.x.x|https|Login permitted from z.z.z.z/49444 to Internet_Network:x.x.x.x/https for user "enable_15" 6|Nov 10 2016|14:08:07|725002|z.z.z.z|49444|||Device completed SSL handshake with client Internet_Network:z.z.z.z/49444 6|Nov 10 2016|14:08:07|106015|z.z.z.z|49443|x.x.x.x|443|Deny TCP (no connection) from z.z.z.z/49443 to x.x.x.x/443 flags FIN ACK on interface Internet_Network 6|Nov 10 2016|14:08:07|302014|z.z.z.z|49443|x.x.x.x|443|Teardown TCP connection 26013 for Internet_Network:z.z.z.z/49443 to identity:x.x.x.x/443 duration 0:00:00 bytes 2062 TCP Reset-O 6|Nov 10 2016|14:08:07|725007|z.z.z.z|49443|||SSL session with client Internet_Network:z.z.z.z/49443 terminated. 
6|Nov 10 2016|14:08:07|605005|z.z.z.z|49443|x.x.x.x|https|Login permitted from z.z.z.z/49443 to Internet_Network:x.x.x.x/https for user "enable_15" 6|Nov 10 2016|14:08:07|725002|z.z.z.z|49443|||Device completed SSL handshake with client Internet_Network:z.z.z.z/49443 6|Nov 10 2016|14:08:07|725001|z.z.z.z|49444|||Starting SSL handshake with client Internet_Network:z.z.z.z/49444 for TLSv1 session. 6|Nov 10 2016|14:08:07|302013|z.z.z.z|49444|x.x.x.x|443|Built inbound TCP connection 26014 for Internet_Network:z.z.z.z/49444 (z.z.z.z/49444) to identity:x.x.x.x/443 (x.x.x.x/443) 6|Nov 10 2016|14:08:07|725001|z.z.z.z|49443|||Starting SSL handshake with client Internet_Network:z.z.z.z/49443 for TLSv1 session. 6|Nov 10 2016|14:08:07|302013|z.z.z.z|49443|x.x.x.x|443|Built inbound TCP connection 26013 for Internet_Network:z.z.z.z/49443 (z.z.z.z/49443) to identity:x.x.x.x/443 (x.x.x.x/443) 2|Nov 10 2016|14:07:57|321006|||||System Memory usage reached 87% 6|Nov 10 2016|14:07:27|602304|||||IPSEC: An inbound LAN-to-LAN SA (SPI= 0x5502FDDA) between r.r.r.r and x.x.x.x (user= r.r.r.r) has been deleted. 6|Nov 10 2016|14:07:27|602304|||||IPSEC: An outbound LAN-to-LAN SA (SPI= 0xC849C2F7) between x.x.x.x and r.r.r.r (user= r.r.r.r) has been deleted. 5|Nov 10 2016|14:07:27|713050|||||Group = r.r.r.r, IP = r.r.r.r, Connection terminated for peer r.r.r.r. Reason: IPSec SA Idle Timeout Remote Proxy n.n.n.n, Local Proxy s.s.s.s 4|Nov 10 2016|14:07:27|113019|||||Group = r.r.r.r, Username = r.r.r.r, IP = r.r.r.r, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:30m:25s, Bytes xmt: 406, Bytes rcv: 408, Reason: Idle Timeout 5|Nov 10 2016|14:07:27|713259|||||Group = r.r.r.r, IP = r.r.r.r, Session is being torn down. 
Reason: Idle Timeout 5|Nov 10 2016|14:07:02|713119|||||Group = r.r.r.r, IP = r.r.r.r, PHASE 1 COMPLETED 6|Nov 10 2016|14:07:02|713172|||||Group = r.r.r.r, IP = r.r.r.r, Automatic NAT Detection Status: Remote end IS behind a NAT device This end IS behind a NAT device 5|Nov 10 2016|14:07:02|713041|||||IP = r.r.r.r, IKE Initiator: Rekeying Phase 1, Intf Internet_Network, IKE Peer r.r.r.r local Proxy Address 0.0.0.0, remote Proxy Address 0.0.0.0, Crypto map (N/A) 6|Nov 10 2016|14:03:31|302010|||||3 in use, 9 most used 6|Nov 10 2016|14:03:02|602304|||||IPSEC: An inbound LAN-to-LAN SA (SPI= 0xA6CD8BE9) between r.r.r.r and x.x.x.x (user= r.r.r.r) has been deleted. 6|Nov 10 2016|14:03:02|602304|||||IPSEC: An outbound LAN-to-LAN SA (SPI= 0xCC5FECED) between x.x.x.x and r.r.r.r (user= r.r.r.r) has been deleted. 2|Nov 10 2016|14:02:57|321006|||||System Memory usage reached 87% 3|Nov 10 2016|14:02:37|313001|a.a.a.a||||Denied ICMP type=9, code=0 from a.a.a.a on interface Endpoint_Network 5|Nov 10 2016|14:02:32|713120|||||Group = r.r.r.r, IP = r.r.r.r, PHASE 2 COMPLETED (msgid=8e8ff814) 6|Nov 10 2016|14:02:32|602303|||||IPSEC: An inbound LAN-to-LAN SA (SPI= 0x5502FDDA) between x.x.x.x and r.r.r.r (user= r.r.r.r) has been created. 5|Nov 10 2016|14:02:32|713049|||||Group = r.r.r.r, IP = r.r.r.r, Security negotiation complete for LAN-to-LAN Group (r.r.r.r) Initiator, Inbound SPI = 0x5502fdda, Outbound SPI = 0xc849c2f7 6|Nov 10 2016|14:02:32|602303|||||IPSEC: An outbound LAN-to-LAN SA (SPI= 0xC849C2F7) between x.x.x.x and r.r.r.r (user= r.r.r.r) has been created. 
5|Nov 10 2016|14:02:32|713041|||||Group = r.r.r.r, IP = r.r.r.r, IKE Initiator: Rekeying Phase 2, Intf Internet_Network, IKE Peer r.r.r.r local Proxy Address s.s.s.s, remote Proxy Address n.n.n.n, Crypto map (Internet_Network_map) 5|Nov 10 2016|13:59:32|713119|||||Group = r.r.r.r, IP = r.r.r.r, PHASE 1 COMPLETED 6|Nov 10 2016|13:59:32|713172|||||Group = r.r.r.r, IP = r.r.r.r, Automatic NAT Detection Status: Remote end IS behind a NAT device This end IS behind a NAT device 5|Nov 10 2016|13:59:32|713041|||||IP = r.r.r.r, IKE Initiator: Rekeying Phase 1, Intf Internet_Network, IKE Peer r.r.r.r local Proxy Address 0.0.0.0, remote Proxy Address 0.0.0.0, Crypto map (N/A) 2|Nov 10 2016|13:57:57|321006|||||System Memory usage reached 87% 6|Nov 10 2016|13:56:41|302016|y.y.y.y|123|x.x.x.x|65535|Teardown UDP connection 26012 for Internet_Network:y.y.y.y/123 to identity:x.x.x.x/65535 duration 0:02:02 bytes 96 6|Nov 10 2016|13:54:38|302015|x.x.x.x|65535|y.y.y.y|123|Built outbound UDP connection 26012 for Internet_Network:y.y.y.y/123 (y.y.y.y/123) to identity:x.x.x.x/65535 (x.x.x.x/65535) 6|Nov 10 2016|13:54:32|602304|||||IPSEC: An inbound LAN-to-LAN SA (SPI= 0x9209869F) between r.r.r.r and x.x.x.x (user= r.r.r.r) has been deleted. 6|Nov 10 2016|13:54:32|602304|||||IPSEC: An outbound LAN-to-LAN SA (SPI= 0xCCCCBD1F) between x.x.x.x and r.r.r.r (user= r.r.r.r) has been deleted. 5|Nov 10 2016|13:54:02|713120|||||Group = r.r.r.r, IP = r.r.r.r, PHASE 2 COMPLETED (msgid=4ee14563) 6|Nov 10 2016|13:54:02|602303|||||IPSEC: An inbound LAN-to-LAN SA (SPI= 0xA6CD8BE9) between x.x.x.x and r.r.r.r (user= r.r.r.r) has been created. 6|Nov 10 2016|13:54:02|602303|||||IPSEC: An outbound LAN-to-LAN SA (SPI= 0xCC5FECED) between x.x.x.x and r.r.r.r (user= r.r.r.r) has been created. 
5|Nov 10 2016|13:54:02|713049|||||Group = r.r.r.r, IP = r.r.r.r, Security negotiation complete for LAN-to-LAN Group (r.r.r.r) Initiator, Inbound SPI = 0xa6cd8be9, Outbound SPI = 0xcc5feced 5|Nov 10 2016|13:54:02|713041|||||Group = r.r.r.r, IP = r.r.r.r, IKE Initiator: Rekeying Phase 2, Intf Internet_Network, IKE Peer r.r.r.r local Proxy Address s.s.s.s, remote Proxy Address n.n.n.n, Crypto map (Internet_Network_map) 3|Nov 10 2016|13:54:00|313001|a.a.a.a||||Denied ICMP type=9, code=0 from a.a.a.a on interface Endpoint_Network 6|Nov 10 2016|13:53:27|302010|||||3 in use, 9 most used 2|Nov 10 2016|13:52:57|321006|||||System Memory usage reached 87% 5|Nov 10 2016|13:52:02|713119|||||Group = r.r.r.r, IP = r.r.r.r, PHASE 1 COMPLETED 6|Nov 10 2016|13:52:02|713172|||||Group = r.r.r.r, IP = r.r.r.r, Automatic NAT Detection Status: Remote end IS behind a NAT device This end IS behind a NAT device 5|Nov 10 2016|13:52:02|713041|||||IP = r.r.r.r, IKE Initiator: Rekeying Phase 1, Intf Internet_Network, IKE Peer r.r.r.r local Proxy Address 0.0.0.0, remote Proxy Address 0.0.0.0, Crypto map (N/A) 2|Nov 10 2016|13:47:57|321006|||||System Memory usage reached 87% 6|Nov 10 2016|13:46:01|602304|||||IPSEC: An inbound LAN-to-LAN SA (SPI= 0xA3135448) between r.r.r.r and x.x.x.x (user= r.r.r.r) has been deleted. 6|Nov 10 2016|13:46:01|602304|||||IPSEC: An outbound LAN-to-LAN SA (SPI= 0xC0D62FF4) between x.x.x.x and r.r.r.r (user= r.r.r.r) has been deleted. 5|Nov 10 2016|13:45:32|713120|||||Group = r.r.r.r, IP = r.r.r.r, PHASE 2 COMPLETED (msgid=4eae9738) 6|Nov 10 2016|13:45:32|602303|||||IPSEC: An inbound LAN-to-LAN SA (SPI= 0x9209869F) between x.x.x.x and r.r.r.r (user= r.r.r.r) has been created. 6|Nov 10 2016|13:45:32|602303|||||IPSEC: An outbound LAN-to-LAN SA (SPI= 0xCCCCBD1F) between x.x.x.x and r.r.r.r (user= r.r.r.r) has been created. 
5|Nov 10 2016|13:45:32|713049|||||Group = r.r.r.r, IP = r.r.r.r, Security negotiation complete for LAN-to-LAN Group (r.r.r.r) Initiator, Inbound SPI = 0x9209869f, Outbound SPI = 0xccccbd1f 5|Nov 10 2016|13:45:31|713041|||||Group = r.r.r.r, IP = r.r.r.r, IKE Initiator: Rekeying Phase 2, Intf Internet_Network, IKE Peer r.r.r.r local Proxy Address s.s.s.s, remote Proxy Address n.n.n.n, Crypto map (Internet_Network_map) 5|Nov 10 2016|13:44:32|713119|||||Group = r.r.r.r, IP = r.r.r.r, PHASE 1 COMPLETED 6|Nov 10 2016|13:44:31|713172|||||Group = r.r.r.r, IP = r.r.r.r, Automatic NAT Detection Status: Remote end IS behind a NAT device This end IS behind a NAT device 5|Nov 10 2016|13:44:31|713041|||||IP = r.r.r.r, IKE Initiator: Rekeying Phase 1, Intf Internet_Network, IKE Peer r.r.r.r local Proxy Address 0.0.0.0, remote Proxy Address 0.0.0.0, Crypto map (N/A) 3|Nov 10 2016|13:44:19|313001|a.a.a.a||||Denied ICMP type=9, code=0 from a.a.a.a on interface Endpoint_Network 6|Nov 10 2016|13:43:24|302010|||||3 in use, 9 most used 2|Nov 10 2016|13:42:57|321006|||||System Memory usage reached 87% 6|Nov 10 2016|13:39:36|302016|y.y.y.y|123|x.x.x.x|65535|Teardown UDP connection 26011 for Internet_Network:y.y.y.y/123 to identity:x.x.x.x/65535 duration 0:02:02 bytes 96 6|Nov 10 2016|13:39:04|302016|r.r.r.r|500|x.x.x.x|500|Teardown UDP connection 26008 for Internet_Network:r.r.r.r/500 to identity:x.x.x.x/500 duration 0:02:02 bytes 848 2|Nov 10 2016|13:37:57|321006|||||System Memory usage reached 87% 6|Nov 10 2016|13:37:47|305012|n.n.n.n|49175|d.d.d.d|49175|Teardown dynamic TCP translation from Internet_Network:n.n.n.n/49175 to Endpoint_Network:d.d.d.d/49175 duration 0:00:42 6|Nov 10 2016|13:37:34|302015|x.x.x.x|65535|y.y.y.y|123|Built outbound UDP connection 26011 for Internet_Network:y.y.y.y/123 (y.y.y.y/123) to identity:x.x.x.x/65535 (x.x.x.x/65535) 6|Nov 10 2016|13:37:16|302014|192.9.200.100|23|n.n.n.n|49175|Teardown TCP connection 26010 for Endpoint_Network:192.9.200.100/23 to 
Internet_Network:n.n.n.n/49175 duration 0:00:11 bytes 110 TCP FINs 6|Nov 10 2016|13:37:04|302013|n.n.n.n|49175|192.9.200.100|23|Built outbound TCP connection 26010 for Endpoint_Network:192.9.200.100/23 (192.9.200.100/23) to Internet_Network:n.n.n.n/49175 (d.d.d.d/49175) 6|Nov 10 2016|13:37:04|305011|n.n.n.n|49175|d.d.d.d|49175|Built dynamic TCP translation from Internet_Network:n.n.n.n/49175 to Endpoint_Network:d.d.d.d/49175 5|Nov 10 2016|13:37:01|713120|||||Group = r.r.r.r, IP = r.r.r.r, PHASE 2 COMPLETED (msgid=c73b9bf2) 6|Nov 10 2016|13:37:01|602303|||||IPSEC: An inbound LAN-to-LAN SA (SPI= 0xA3135448) between x.x.x.x and r.r.r.r (user= r.r.r.r) has been created. 5|Nov 10 2016|13:37:01|713049|||||Group = r.r.r.r, IP = r.r.r.r, Security negotiation complete for LAN-to-LAN Group (r.r.r.r) Responder, Inbound SPI = 0xa3135448, Outbound SPI = 0xc0d62ff4 6|Nov 10 2016|13:37:01|602303|||||IPSEC: An outbound LAN-to-LAN SA (SPI= 0xC0D62FF4) between x.x.x.x and r.r.r.r (user= r.r.r.r) has been created. 
5|Nov 10 2016|13:37:01|713076|||||Group = r.r.r.r, IP = r.r.r.r, Overriding Initiator's IPSec rekeying duration from 0 to 4608000 Kbs 5|Nov 10 2016|13:37:01|713075|||||Group = r.r.r.r, IP = r.r.r.r, Overriding Initiator's IPSec rekeying duration from 0 to 600 seconds 5|Nov 10 2016|13:37:01|713119|||||Group = r.r.r.r, IP = r.r.r.r, PHASE 1 COMPLETED 6|Nov 10 2016|13:37:01|113009|||||AAA retrieved default group policy (GroupPolicy_r.r.r.r) for user = r.r.r.r 6|Nov 10 2016|13:37:01|713905|||||Group = r.r.r.r, IP = r.r.r.r, Floating NAT-T from r.r.r.r port 500 to r.r.r.r port 4500 6|Nov 10 2016|13:37:01|713172|||||Group = r.r.r.r, IP = r.r.r.r, Automatic NAT Detection Status: Remote end IS behind a NAT device This end IS behind a NAT device 6|Nov 10 2016|13:37:01|302015|r.r.r.r|4500|x.x.x.x|4500|Built inbound UDP connection 26009 for Internet_Network:r.r.r.r/4500 (r.r.r.r/4500) to identity:x.x.x.x/4500 (x.x.x.x/4500) 6|Nov 10 2016|13:37:01|302015|r.r.r.r|500|x.x.x.x|500|Built inbound UDP connection 26008 for Internet_Network:r.r.r.r/500 (r.r.r.r/500) to identity:x.x.x.x/500 (x.x.x.x/500)
The same log on the pfSense:
Nov 10 14:07:27 charon 08[IKE] <con11000|108034> IKE_SA con11000[108034] state change: DELETING => DESTROYING Nov 10 14:07:27 charon 08[IKE] <con11000|108034> IKE_SA con11000[108034] state change: DELETING => DELETING Nov 10 14:07:27 charon 08[IKE] <con11000|108034> IKE_SA con11000[108034] state change: ESTABLISHED => DELETING Nov 10 14:07:27 charon 08[IKE] <con11000|108034> deleting IKE_SA con11000[108034] between l.l.l.l[i.i.i.i]...p.p.p.p[192.168.1.168] Nov 10 14:07:27 charon 08[IKE] <con11000|108034> received DELETE for IKE_SA con11000[108034] Nov 10 14:07:27 charon 08[ENC] <con11000|108034> parsed INFORMATIONAL_V1 request 3508151741 [ HASH D ] Nov 10 14:07:27 charon 08[NET] <con11000|108034> received packet: from p.p.p.p[4500] to l.l.l.l[4500] (92 bytes) Nov 10 14:07:27 charon 05[IKE] <con11000|108034> closing CHILD_SA con11000{68429} with SPIs c849c2f7_i (0 bytes) 5502fdda_o (0 bytes) and TS n.n.n.n/32|m.m.m.m/32 === s.s.s.s/28|/0 Nov 10 14:07:27 charon 05[IKE] <con11000|108034> received DELETE for ESP CHILD_SA with SPI 5502fdda Nov 10 14:07:27 charon 05[ENC] <con11000|108034> parsed INFORMATIONAL_V1 request 2213762896 [ HASH D ] Nov 10 14:07:27 charon 05[NET] <con11000|108034> received packet: from p.p.p.p[4500] to l.l.l.l[4500] (76 bytes) Nov 10 14:07:22 charon 14[IKE] <con11000|108034> sending keep alive to p.p.p.p[4500] Nov 10 14:07:12 charon 15[IKE] <con11000|108023> IKE_SA con11000[108023] state change: DELETING => DESTROYING Nov 10 14:07:12 charon 15[NET] <con11000|108023> sending packet: from l.l.l.l[4500] to p.p.p.p[4500] (92 bytes) Nov 10 14:07:12 charon 15[ENC] <con11000|108023> generating INFORMATIONAL_V1 request 733948215 [ HASH D ] Nov 10 14:07:12 charon 15[IKE] <con11000|108023> IKE_SA con11000[108023] state change: ESTABLISHED => DELETING Nov 10 14:07:12 charon 15[IKE] <con11000|108023> sending DELETE for IKE_SA con11000[108023] Nov 10 14:07:12 charon 15[IKE] <con11000|108023> deleting IKE_SA con11000[108023] between 
l.l.l.l[i.i.i.i]...p.p.p.p[192.168.1.168] Nov 10 14:07:12 charon 15[IKE] <con11000|108023> activating ISAKMP_DELETE task Nov 10 14:07:12 charon 15[IKE] <con11000|108023> activating new tasks Nov 10 14:07:12 charon 15[IKE] <con11000|108023> queueing ISAKMP_DELETE task Nov 10 14:07:02 charon 06[NET] <con11000|108034> sending packet: from l.l.l.l[4500] to p.p.p.p[4500] (76 bytes) Nov 10 14:07:02 charon 06[ENC] <con11000|108034> generating ID_PROT response 0 [ ID HASH ] Nov 10 14:07:02 charon 06[IKE] <con11000|108034> IKE_SA con11000[108034] state change: CONNECTING => ESTABLISHED Nov 10 14:07:02 charon 06[IKE] <con11000|108034> IKE_SA con11000[108034] established between l.l.l.l[i.i.i.i]...p.p.p.p[192.168.1.168] Nov 10 14:07:02 charon 06[IKE] <con11000|108023> detected reauth of existing IKE_SA, adopting 1 children and 0 virtual IPs Nov 10 14:07:02 charon 06[CFG] <108034> selected peer config "con11000" Nov 10 14:07:02 charon 06[CFG] <108034> candidate "con11000", match: 1/20/3100 (me/other/ike) Nov 10 14:07:02 charon 06[CFG] <108034> candidate "con11000", match: 1/1/3100 (me/other/ike) Nov 10 14:06:55 charon 13[IKE] <con11000|108023> sending keep alive to p.p.p.p[4500] Nov 10 14:06:35 charon 10[IKE] <con11000|108023> sending keep alive to p.p.p.p[4500] Nov 10 14:06:15 charon 08[IKE] <con11000|108023> sending keep alive to p.p.p.p[4500] Nov 10 14:05:55 charon 05[IKE] <con11000|108023> sending keep alive to p.p.p.p[4500] Nov 10 14:05:35 charon 07[IKE] <con11000|108023> sending keep alive to p.p.p.p[4500] Nov 10 14:05:15 charon 08[IKE] <con11000|108023> sending keep alive to p.p.p.p[4500] Nov 10 14:04:55 charon 10[IKE] <con11000|108023> sending keep alive to p.p.p.p[4500] Nov 10 14:04:35 charon 13[IKE] <con11000|108023> sending keep alive to p.p.p.p[4500] Nov 10 14:04:15 charon 14[IKE] <con11000|108023> sending keep alive to p.p.p.p[4500] Nov 10 14:03:55 charon 05[IKE] <con11000|108023> sending keep alive to p.p.p.p[4500] Nov 10 14:03:35 charon 08[IKE] <con11000|108023> 
sending keep alive to p.p.p.p[4500] Nov 10 14:03:15 charon 12[IKE] <con11000|108023> sending keep alive to p.p.p.p[4500] Nov 10 14:03:02 charon 10[IKE] <con11000|108023> closing CHILD_SA con11000{68422} with SPIs cc5feced_i (0 bytes) a6cd8be9_o (0 bytes) and TS n.n.n.n/32|m.m.m.m/32 === s.s.s.s/28|/0 Nov 10 14:03:02 charon 10[IKE] <con11000|108023> received DELETE for ESP CHILD_SA with SPI a6cd8be9 Nov 10 14:03:02 charon 10[ENC] <con11000|108023> parsed INFORMATIONAL_V1 request 2111878595 [ HASH D ] Nov 10 14:03:02 charon 10[NET] <con11000|108023> received packet: from p.p.p.p[4500] to l.l.l.l[4500] (76 bytes) Nov 10 14:02:55 charon 14[IKE] <con11000|108023> sending keep alive to p.p.p.p[4500] Nov 10 14:02:32 charon 10[IKE] <con11000|108023> CHILD_SA con11000{68429} established with SPIs c849c2f7_i 5502fdda_o and TS n.n.n.n/32|m.m.m.m/32 === s.s.s.s/28|/0 Nov 10 14:02:32 charon 10[CHD] <con11000|108023> SPI 0x5502fdda, src l.l.l.l dst p.p.p.p Nov 10 14:02:32 charon 10[CHD] <con11000|108023> adding outbound ESP SA Nov 10 14:02:32 charon 10[CHD] <con11000|108023> SPI 0xc849c2f7, src p.p.p.p dst l.l.l.l Nov 10 14:02:32 charon 10[CHD] <con11000|108023> adding inbound ESP SA Nov 10 14:02:32 charon 10[CHD] <con11000|108023> using HMAC_SHA1_96 for integrity Nov 10 14:02:32 charon 10[CHD] <con11000|108023> using AES_CBC for encryption Nov 10 14:02:32 charon 10[ENC] <con11000|108023> parsed QUICK_MODE request 2391799828 [ HASH ] Nov 10 14:02:32 charon 10[NET] <con11000|108023> received packet: from p.p.p.p[4500] to l.l.l.l[4500] (76 bytes) Nov 10 14:02:32 charon 10[NET] <con11000|108023> sending packet: from l.l.l.l[4500] to p.p.p.p[4500] (332 bytes) Nov 10 14:02:32 charon 10[ENC] <con11000|108023> generating QUICK_MODE response 2391799828 [ HASH SA No KE ID ID ] Nov 10 14:02:32 charon 10[IKE] <con11000|108023> detected rekeying of CHILD_SA con11000{68422} Nov 10 14:02:32 charon 10[IKE] <con11000|108023> received 4608000000 lifebytes, configured 0 Nov 10 14:02:32 charon 
10[IKE] <con11000|108023> received 600s lifetime, configured 0s Nov 10 14:02:32 charon 10[CFG] <con11000|108023> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ Nov 10 14:02:32 charon 10[CFG] <con11000|108023> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ Nov 10 14:02:32 charon 10[CFG] <con11000|108023> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ Nov 10 14:02:32 charon 10[CFG] <con11000|108023> proposal matches Nov 10 14:02:32 charon 10[CFG] <con11000|108023> selecting proposal: Nov 10 14:02:32 charon 10[CFG] <con11000|108023> config: n.n.n.n/32|m.m.m.m/32, received: n.n.n.n/32|/0 => match: n.n.n.n/32|m.m.m.m/32 Nov 10 14:02:32 charon 10[CFG] <con11000|108023> selecting traffic selectors for us: Nov 10 14:02:32 charon 10[CFG] <con11000|108023> config: s.s.s.s/28|/0, received: s.s.s.s/28|/0 => match: s.s.s.s/28|/0 Nov 10 14:02:32 charon 10[CFG] <con11000|108023> selecting traffic selectors for other: Nov 10 14:02:32 charon 10[CFG] <con11000|108023> found matching child config "con11000" with prio 10 Nov 10 14:02:32 charon 10[CFG] <con11000|108023> candidate "con11000" with prio 5+5 Nov 10 14:02:32 charon 10[CFG] <con11000|108023> s.s.s.s/28|/0 Nov 10 14:02:32 charon 10[CFG] <con11000|108023> proposing traffic selectors for other: Nov 10 14:02:32 charon 10[CFG] <con11000|108023> n.n.n.n/32|m.m.m.m/32 Nov 10 14:02:32 charon 10[CFG] <con11000|108023> proposing traffic selectors for us: Nov 10 14:02:32 charon 10[CFG] <con11000|108023> looking for a child config for n.n.n.n/32|/0 === s.s.s.s/28|/0 Nov 10 14:02:32 charon 10[ENC] <con11000|108023> parsed QUICK_MODE request 2391799828 [ HASH SA No KE ID ID ] Nov 10 14:02:32 charon 10[NET] <con11000|108023> received packet: from p.p.p.p[4500] to l.l.l.l[4500] (316 bytes) Nov 10 14:02:12 charon 05[IKE] <con11000|108023> sending keep alive to p.p.p.p[4500] Nov 10 14:01:52 charon 11[IKE] <con11000|108023> sending keep alive to p.p.p.p[4500] Nov 10 14:01:32 
charon 10[IKE] <con11000|108023> sending keep alive to p.p.p.p[4500] Nov 10 14:01:12 charon 07[IKE] <con11000|108023> sending keep alive to p.p.p.p[4500] Nov 10 14:00:52 charon 11[IKE] <con11000|108023> sending keep alive to p.p.p.p[4500] Nov 10 14:00:32 charon 05[IKE] <con11000|108023> sending keep alive to p.p.p.p[4500] Nov 10 14:00:12 charon 07[IKE] <con11000|108023> sending keep alive to p.p.p.p[4500] Nov 10 13:59:52 charon 07[IKE] <con11000|108023> sending keep alive to p.p.p.p[4500] Nov 10 13:59:42 charon 15[IKE] <con11000|108010> IKE_SA con11000[108010] state change: DELETING => DESTROYING Nov 10 13:59:42 charon 15[NET] <con11000|108010> sending packet: from l.l.l.l[4500] to p.p.p.p[4500] (92 bytes) Nov 10 13:59:42 charon 15[ENC] <con11000|108010> generating INFORMATIONAL_V1 request 1160198279 [ HASH D ] Nov 10 13:59:42 charon 15[IKE] <con11000|108010> IKE_SA con11000[108010] state change: ESTABLISHED => DELETING Nov 10 13:59:42 charon 15[IKE] <con11000|108010> sending DELETE for IKE_SA con11000[108010] Nov 10 13:59:42 charon 15[IKE] <con11000|108010> deleting IKE_SA con11000[108010] between l.l.l.l[i.i.i.i]...p.p.p.p[192.168.1.168] Nov 10 13:59:42 charon 15[IKE] <con11000|108010> activating ISAKMP_DELETE task Nov 10 13:59:42 charon 15[IKE] <con11000|108010> activating new tasks Nov 10 13:59:42 charon 15[IKE] <con11000|108010> queueing ISAKMP_DELETE task Nov 10 13:59:32 charon 14[NET] <con11000|108023> sending packet: from l.l.l.l[4500] to p.p.p.p[4500] (76 bytes) Nov 10 13:59:32 charon 14[ENC] <con11000|108023> generating ID_PROT response 0 [ ID HASH ] Nov 10 13:59:32 charon 14[IKE] <con11000|108023> IKE_SA con11000[108023] state change: CONNECTING => ESTABLISHED Nov 10 13:59:32 charon 14[IKE] <con11000|108023> IKE_SA con11000[108023] established between l.l.l.l[i.i.i.i]...p.p.p.p[192.168.1.168] Nov 10 13:59:32 charon 14[IKE] <con11000|108010> detected reauth of existing IKE_SA, adopting 1 children and 0 virtual IPs Nov 10 13:59:32 charon 14[CFG] <108023> 
selected peer config "con11000" Nov 10 13:59:32 charon 14[CFG] <108023> candidate "con11000", match: 1/20/3100 (me/other/ike) Nov 10 13:59:32 charon 14[CFG] <108023> candidate "con11000", match: 1/1/3100 (me/other/ike) Nov 10 13:59:26 charon 08[IKE] <con11000|108010> sending keep alive to p.p.p.p[4500] Nov 10 13:59:06 charon 16[IKE] <con11000|108010> sending keep alive to p.p.p.p[4500] Nov 10 13:58:46 charon 16[IKE] <con11000|108010> sending keep alive to p.p.p.p[4500] Nov 10 13:58:26 charon 16[IKE] <con11000|108010> sending keep alive to p.p.p.p[4500] Nov 10 13:58:06 charon 12[IKE] <con11000|108010> sending keep alive to p.p.p.p[4500] Nov 10 13:57:46 charon 09[IKE] <con11000|108010> sending keep alive to p.p.p.p[4500] Nov 10 13:57:26 charon 13[IKE] <con11000|108010> sending keep alive to p.p.p.p[4500] Nov 10 13:57:06 charon 08[IKE] <con11000|108010> sending keep alive to p.p.p.p[4500] Nov 10 13:56:46 charon 16[IKE] <con11000|108010> sending keep alive to p.p.p.p[4500] Nov 10 13:56:26 charon 16[IKE] <con11000|108010> sending keep alive to p.p.p.p[4500] Nov 10 13:56:06 charon 16[IKE] <con11000|108010> sending keep alive to p.p.p.p[4500] Nov 10 13:55:46 charon 11[IKE] <con11000|108010> sending keep alive to p.p.p.p[4500] Nov 10 13:55:26 charon 13[IKE] <con11000|108010> sending keep alive to p.p.p.p[4500] Nov 10 13:55:06 charon 16[IKE] <con11000|108010> sending keep alive to p.p.p.p[4500] Nov 10 13:54:46 charon 05[IKE] <con11000|108010> sending keep alive to p.p.p.p[4500] Nov 10 13:54:32 charon 15[IKE] <con11000|108010> closing CHILD_SA con11000{68415} with SPIs ccccbd1f_i (0 bytes) 9209869f_o (0 bytes) and TS n.n.n.n/32|m.m.m.m/32 === s.s.s.s/28|/0 Nov 10 13:54:32 charon 15[IKE] <con11000|108010> received DELETE for ESP CHILD_SA with SPI 9209869f Nov 10 13:54:32 charon 15[ENC] <con11000|108010> parsed INFORMATIONAL_V1 request 3551107460 [ HASH D ] Nov 10 13:54:32 charon 15[NET] <con11000|108010> received packet: from p.p.p.p[4500] to l.l.l.l[4500] (76 bytes) Nov 10 
13:54:26 charon 14[IKE] <con11000|108010> sending keep alive to p.p.p.p[4500] Nov 10 13:54:02 charon 05[IKE] <con11000|108010> CHILD_SA con11000{68422} established with SPIs cc5feced_i a6cd8be9_o and TS n.n.n.n/32|m.m.m.m/32 === s.s.s.s/28|/0 Nov 10 13:54:02 charon 05[CHD] <con11000|108010> SPI 0xa6cd8be9, src l.l.l.l dst p.p.p.p Nov 10 13:54:02 charon 05[CHD] <con11000|108010> adding outbound ESP SA Nov 10 13:54:02 charon 05[CHD] <con11000|108010> SPI 0xcc5feced, src p.p.p.p dst l.l.l.l Nov 10 13:54:02 charon 05[CHD] <con11000|108010> adding inbound ESP SA Nov 10 13:54:02 charon 05[CHD] <con11000|108010> using HMAC_SHA1_96 for integrity Nov 10 13:54:02 charon 05[CHD] <con11000|108010> using AES_CBC for encryption Nov 10 13:54:02 charon 05[ENC] <con11000|108010> parsed QUICK_MODE request 1323386211 [ HASH ] Nov 10 13:54:02 charon 05[NET] <con11000|108010> received packet: from p.p.p.p[4500] to l.l.l.l[4500] (76 bytes) Nov 10 13:54:02 charon 05[NET] <con11000|108010> sending packet: from l.l.l.l[4500] to p.p.p.p[4500] (332 bytes) Nov 10 13:54:02 charon 05[ENC] <con11000|108010> generating QUICK_MODE response 1323386211 [ HASH SA No KE ID ID ] Nov 10 13:54:02 charon 05[IKE] <con11000|108010> detected rekeying of CHILD_SA con11000{68415} Nov 10 13:54:02 charon 05[IKE] <con11000|108010> received 4608000000 lifebytes, configured 0 Nov 10 13:54:02 charon 05[IKE] <con11000|108010> received 600s lifetime, configured 0s Nov 10 13:54:02 charon 05[CFG] <con11000|108010> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ Nov 10 13:54:02 charon 05[CFG] <con11000|108010> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ Nov 10 13:54:02 charon 05[CFG] <con11000|108010> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ Nov 10 13:54:02 charon 05[CFG] <con11000|108010> proposal matches Nov 10 13:54:02 charon 05[CFG] <con11000|108010> selecting proposal: Nov 10 13:54:02 charon 05[CFG] <con11000|108010> config: 
n.n.n.n/32|m.m.m.m/32, received: n.n.n.n/32|/0 => match: n.n.n.n/32|m.m.m.m/32 Nov 10 13:54:02 charon 05[CFG] <con11000|108010> selecting traffic selectors for us: Nov 10 13:54:02 charon 05[CFG] <con11000|108010> config: s.s.s.s/28|/0, received: s.s.s.s/28|/0 => match: s.s.s.s/28|/0 Nov 10 13:54:02 charon 05[CFG] <con11000|108010> selecting traffic selectors for other: Nov 10 13:54:02 charon 05[CFG] <con11000|108010> found matching child config "con11000" with prio 10 Nov 10 13:54:02 charon 05[CFG] <con11000|108010> candidate "con11000" with prio 5+5 Nov 10 13:54:02 charon 05[CFG] <con11000|108010> s.s.s.s/28|/0 Nov 10 13:54:02 charon 05[CFG] <con11000|108010> proposing traffic selectors for other: Nov 10 13:54:02 charon 05[CFG] <con11000|108010> n.n.n.n/32|m.m.m.m/32 Nov 10 13:54:02 charon 05[CFG] <con11000|108010> proposing traffic selectors for us: Nov 10 13:54:02 charon 05[CFG] <con11000|108010> looking for a child config for n.n.n.n/32|/0 === s.s.s.s/28|/0 Nov 10 13:54:02 charon 05[ENC] <con11000|108010> parsed QUICK_MODE request 1323386211 [ HASH SA No KE ID ID ] Nov 10 13:54:02 charon 05[NET] <con11000|108010> received packet: from p.p.p.p[4500] to l.l.l.l[4500] (316 bytes) Nov 10 13:53:42 charon 05[IKE] <con11000|108010> sending keep alive to p.p.p.p[4500] Nov 10 13:53:22 charon 11[IKE] <con11000|108010> sending keep alive to p.p.p.p[4500] Nov 10 13:53:02 charon 15[IKE] <con11000|108010> sending keep alive to p.p.p.p[4500] Nov 10 13:52:42 charon 08[IKE] <con11000|108010> sending keep alive to p.p.p.p[4500] Nov 10 13:52:22 charon 09[IKE] <con11000|108010> sending keep alive to p.p.p.p[4500] Nov 10 13:52:12 charon 07[IKE] <con11000|107997> IKE_SA con11000[107997] state change: DELETING => DESTROYING Nov 10 13:52:12 charon 07[NET] <con11000|107997> sending packet: from l.l.l.l[4500] to p.p.p.p[4500] (92 bytes) Nov 10 13:52:12 charon 07[ENC] <con11000|107997> generating INFORMATIONAL_V1 request 4029578563 [ HASH D ] Nov 10 13:52:12 charon 07[IKE] 
<con11000|107997> IKE_SA con11000[107997] state change: ESTABLISHED => DELETING Nov 10 13:52:12 charon 07[IKE] <con11000|107997> sending DELETE for IKE_SA con11000[107997] Nov 10 13:52:12 charon 07[IKE] <con11000|107997> deleting IKE_SA con11000[107997] between l.l.l.l[i.i.i.i]...p.p.p.p[192.168.1.168] Nov 10 13:52:12 charon 07[IKE] <con11000|107997> activating ISAKMP_DELETE task Nov 10 13:52:12 charon 07[IKE] <con11000|107997> activating new tasks Nov 10 13:52:12 charon 07[IKE] <con11000|107997> queueing ISAKMP_DELETE task Nov 10 13:52:02 charon 10[NET] <con11000|108010> sending packet: from l.l.l.l[4500] to p.p.p.p[4500] (76 bytes) Nov 10 13:52:02 charon 10[ENC] <con11000|108010> generating ID_PROT response 0 [ ID HASH ] Nov 10 13:52:02 charon 10[IKE] <con11000|108010> IKE_SA con11000[108010] state change: CONNECTING => ESTABLISHED Nov 10 13:52:02 charon 10[IKE] <con11000|108010> IKE_SA con11000[108010] established between l.l.l.l[i.i.i.i]...p.p.p.p[192.168.1.168] Nov 10 13:52:02 charon 10[IKE] <con11000|107997> detected reauth of existing IKE_SA, adopting 1 children and 0 virtual IPs Nov 10 13:52:02 charon 10[CFG] <108010> selected peer config "con11000" Nov 10 13:52:02 charon 10[CFG] <108010> candidate "con11000", match: 1/20/3100 (me/other/ike) Nov 10 13:52:02 charon 11[CFG] <108010> candidate "con11000", match: 1/1/3100 (me/other/ike) Nov 10 13:51:56 charon 05[IKE] <con11000|107997> sending keep alive to p.p.p.p[4500] Nov 10 13:51:36 charon 11[IKE] <con11000|107997> sending keep alive to p.p.p.p[4500] Nov 10 13:51:16 charon 10[IKE] <con11000|107997> sending keep alive to p.p.p.p[4500] Nov 10 13:50:56 charon 12[IKE] <con11000|107997> sending keep alive to p.p.p.p[4500] Nov 10 13:50:36 charon 05[IKE] <con11000|107997> sending keep alive to p.p.p.p[4500] Nov 10 13:50:16 charon 06[IKE] <con11000|107997> sending keep alive to p.p.p.p[4500] Nov 10 13:49:56 charon 11[IKE] <con11000|107997> sending keep alive to p.p.p.p[4500] Nov 10 13:49:36 charon 07[IKE] 
<con11000|107997> sending keep alive to p.p.p.p[4500] Nov 10 13:49:16 charon 09[IKE] <con11000|107997> sending keep alive to p.p.p.p[4500] Nov 10 13:48:56 charon 08[IKE] <con11000|107997> sending keep alive to p.p.p.p[4500] Nov 10 13:48:36 charon 13[IKE] <con11000|107997> sending keep alive to p.p.p.p[4500] Nov 10 13:48:16 charon 07[IKE] <con11000|107997> sending keep alive to p.p.p.p[4500] Nov 10 13:47:56 charon 16[IKE] <con11000|107997> sending keep alive to p.p.p.p[4500] Nov 10 13:47:36 charon 10[IKE] <con11000|107997> sending keep alive to p.p.p.p[4500] Nov 10 13:47:16 charon 16[IKE] <con11000|107997> sending keep alive to p.p.p.p[4500] Nov 10 13:46:56 charon 14[IKE] <con11000|107997> sending keep alive to p.p.p.p[4500] Nov 10 13:46:36 charon 09[IKE] <con11000|107997> sending keep alive to p.p.p.p[4500] Nov 10 13:46:16 charon 16[IKE] <con11000|107997> sending keep alive to p.p.p.p[4500] Nov 10 13:46:02 charon 16[IKE] <con11000|107997> closing CHILD_SA con11000{68405} with SPIs c0d62ff4_i (406 bytes) a3135448_o (984 bytes) and TS n.n.n.n/32|m.m.m.m/32 === s.s.s.s/28|/0 Nov 10 13:46:02 charon 16[IKE] <con11000|107997> received DELETE for ESP CHILD_SA with SPI a3135448 Nov 10 13:46:02 charon 16[ENC] <con11000|107997> parsed INFORMATIONAL_V1 request 2348753231 [ HASH D ] Nov 10 13:46:02 charon 16[NET] <con11000|107997> received packet: from p.p.p.p[4500] to l.l.l.l[4500] (76 bytes) Nov 10 13:45:56 charon 05[IKE] <con11000|107997> sending keep alive to p.p.p.p[4500] Nov 10 13:45:32 charon 10[IKE] <con11000|107997> CHILD_SA con11000{68415} established with SPIs ccccbd1f_i 9209869f_o and TS n.n.n.n/32|m.m.m.m/32 === s.s.s.s/28|/0 Nov 10 13:45:32 charon 10[CHD] <con11000|107997> SPI 0x9209869f, src l.l.l.l dst p.p.p.p Nov 10 13:45:32 charon 10[CHD] <con11000|107997> adding outbound ESP SA Nov 10 13:45:32 charon 10[CHD] <con11000|107997> SPI 0xccccbd1f, src p.p.p.p dst l.l.l.l Nov 10 13:45:32 charon 10[CHD] <con11000|107997> adding inbound ESP SA Nov 10 13:45:32 charon 
10[CHD] <con11000|107997> using HMAC_SHA1_96 for integrity Nov 10 13:45:32 charon 10[CHD] <con11000|107997> using AES_CBC for encryption Nov 10 13:45:32 charon 10[ENC] <con11000|107997> parsed QUICK_MODE request 1320064824 [ HASH ] Nov 10 13:45:32 charon 10[NET] <con11000|107997> received packet: from p.p.p.p[4500] to l.l.l.l[4500] (76 bytes) Nov 10 13:45:32 charon 07[NET] <con11000|107997> sending packet: from l.l.l.l[4500] to p.p.p.p[4500] (332 bytes) Nov 10 13:45:32 charon 07[ENC] <con11000|107997> generating QUICK_MODE response 1320064824 [ HASH SA No KE ID ID ] Nov 10 13:45:32 charon 07[IKE] <con11000|107997> detected rekeying of CHILD_SA con11000{68405} Nov 10 13:45:32 charon 07[IKE] <con11000|107997> received 4608000000 lifebytes, configured 0 Nov 10 13:45:32 charon 07[IKE] <con11000|107997> received 600s lifetime, configured 0s Nov 10 13:45:32 charon 07[CFG] <con11000|107997> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ Nov 10 13:45:32 charon 07[CFG] <con11000|107997> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ Nov 10 13:45:32 charon 07[CFG] <con11000|107997> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ Nov 10 13:45:32 charon 07[CFG] <con11000|107997> proposal matches Nov 10 13:45:32 charon 07[CFG] <con11000|107997> selecting proposal: Nov 10 13:45:32 charon 07[CFG] <con11000|107997> config: n.n.n.n/32|m.m.m.m/32, received: n.n.n.n/32|/0 => match: n.n.n.n/32|m.m.m.m/32 Nov 10 13:45:32 charon 07[CFG] <con11000|107997> selecting traffic selectors for us: Nov 10 13:45:32 charon 07[CFG] <con11000|107997> config: s.s.s.s/28|/0, received: s.s.s.s/28|/0 => match: s.s.s.s/28|/0 Nov 10 13:45:32 charon 07[CFG] <con11000|107997> selecting traffic selectors for other: Nov 10 13:45:32 charon 07[CFG] <con11000|107997> found matching child config "con11000" with prio 10 Nov 10 13:45:32 charon 07[CFG] <con11000|107997> candidate "con11000" with prio 5+5 Nov 10 13:45:32 charon 07[CFG] 
<con11000|107997> s.s.s.s/28|/0 Nov 10 13:45:32 charon 07[CFG] <con11000|107997> proposing traffic selectors for other: Nov 10 13:45:32 charon 07[CFG] <con11000|107997> n.n.n.n/32|m.m.m.m/32 Nov 10 13:45:32 charon 07[CFG] <con11000|107997> proposing traffic selectors for us: Nov 10 13:45:32 charon 07[CFG] <con11000|107997> looking for a child config for n.n.n.n/32|/0 === s.s.s.s/28|/0 Nov 10 13:45:32 charon 07[ENC] <con11000|107997> parsed QUICK_MODE request 1320064824 [ HASH SA No KE ID ID ] Nov 10 13:45:32 charon 07[NET] <con11000|107997> received packet: from p.p.p.p[4500] to l.l.l.l[4500] (316 bytes) Nov 10 13:45:12 charon 09[IKE] <con11000|107997> sending keep alive to p.p.p.p[4500] Nov 10 13:44:51 charon 08[IKE] <con11000|107997> sending keep alive to p.p.p.p[4500] Nov 10 13:44:42 charon 16[IKE] <con11000|107984> IKE_SA con11000[107984] state change: DELETING => DESTROYING Nov 10 13:44:42 charon 16[NET] <con11000|107984> sending packet: from l.l.l.l[4500] to p.p.p.p[4500] (92 bytes) Nov 10 13:44:42 charon 16[ENC] <con11000|107984> generating INFORMATIONAL_V1 request 3797664847 [ HASH D ] Nov 10 13:44:42 charon 16[IKE] <con11000|107984> IKE_SA con11000[107984] state change: ESTABLISHED => DELETING Nov 10 13:44:42 charon 16[IKE] <con11000|107984> sending DELETE for IKE_SA con11000[107984] Nov 10 13:44:42 charon 16[IKE] <con11000|107984> deleting IKE_SA con11000[107984] between l.l.l.l[i.i.i.i]...p.p.p.p[192.168.1.168] Nov 10 13:44:42 charon 16[IKE] <con11000|107984> activating ISAKMP_DELETE task Nov 10 13:44:42 charon 16[IKE] <con11000|107984> activating new tasks Nov 10 13:44:42 charon 16[IKE] <con11000|107984> queueing ISAKMP_DELETE task Nov 10 13:44:37 charon 08[IKE] <con11000|107984> sending keep alive to p.p.p.p[4500] Nov 10 13:44:31 charon 08[NET] <con11000|107997> sending packet: from l.l.l.l[4500] to p.p.p.p[4500] (76 bytes) Nov 10 13:44:31 charon 08[ENC] <con11000|107997> generating ID_PROT response 0 [ ID HASH ] Nov 10 13:44:31 charon 08[IKE] 
<con11000|107997> IKE_SA con11000[107997] state change: CONNECTING => ESTABLISHED Nov 10 13:44:31 charon 08[IKE] <con11000|107997> IKE_SA con11000[107997] established between l.l.l.l[i.i.i.i]...p.p.p.p[192.168.1.168] Nov 10 13:44:31 charon 08[IKE] <con11000|107984> detected reauth of existing IKE_SA, adopting 1 children and 0 virtual IPs Nov 10 13:44:31 charon 08[CFG] <107997> selected peer config "con11000" Nov 10 13:44:31 charon 08[CFG] <107997> candidate "con11000", match: 1/20/3100 (me/other/ike) Nov 10 13:44:31 charon 08[CFG] <107997> candidate "con11000", match: 1/1/3100 (me/other/ike) Nov 10 13:44:17 charon 16[IKE] <con11000|107984> sending keep alive to p.p.p.p[4500] Nov 10 13:43:57 charon 08[IKE] <con11000|107984> sending keep alive to p.p.p.p[4500] Nov 10 13:43:37 charon 09[IKE] <con11000|107984> sending keep alive to p.p.p.p[4500] Nov 10 13:43:17 charon 11[IKE] <con11000|107984> sending keep alive to p.p.p.p[4500] Nov 10 13:42:57 charon 12[IKE] <con11000|107984> sending keep alive to p.p.p.p[4500] Nov 10 13:42:37 charon 13[IKE] <con11000|107984> sending keep alive to p.p.p.p[4500] Nov 10 13:42:17 charon 07[IKE] <con11000|107984> sending keep alive to p.p.p.p[4500] Nov 10 13:41:57 charon 05[IKE] <con11000|107984> sending keep alive to p.p.p.p[4500] Nov 10 13:41:37 charon 06[IKE] <con11000|107984> sending keep alive to p.p.p.p[4500] Nov 10 13:41:17 charon 05[IKE] <con11000|107984> sending keep alive to p.p.p.p[4500] Nov 10 13:40:57 charon 06[IKE] <con11000|107984> sending keep alive to p.p.p.p[4500] Nov 10 13:40:37 charon 05[IKE] <con11000|107984> sending keep alive to p.p.p.p[4500] Nov 10 13:40:17 charon 16[IKE] <con11000|107984> sending keep alive to p.p.p.p[4500] Nov 10 13:39:57 charon 05[IKE] <con11000|107984> sending keep alive to 
p.p.p.p[4500]
Why this entry on the pfSense:
Nov 10 14:02:32 charon 10[IKE] <con11000|108023> received 4608000000 lifebytes, configured 0
Nov 10 14:02:32 charon 10[IKE] <con11000|108023> received 600s lifetime, configured 0s
DPD is disabled because I want the tunnel to shut down after 600s (because of testing the tunnel for our implemented alarm). On the other site DPD is enabled.
Disable rekey is checked -
The ASA looks to be disconnecting it.
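To read a charon log like the one posted above as a per-CHILD_SA timeline (who sent the DELETE, how long each SA lived, whether it carried any bytes), a small parser helps. This is an added example, not code from any participant in the thread or from pfSense/strongSwan; the function names and the assumed year are hypothetical, and the sample lines are excerpted from the log in this thread.

```python
import re
from datetime import datetime

# Excerpt of the charon log posted in this thread (newest entry first,
# addresses already anonymized by the poster).
SAMPLE_LOG = """\
Nov 10 14:03:02 charon 10[IKE] <con11000|108023> closing CHILD_SA con11000{68422} with SPIs cc5feced_i (0 bytes) a6cd8be9_o (0 bytes) and TS n.n.n.n/32|m.m.m.m/32 === s.s.s.s/28|/0
Nov 10 14:03:02 charon 10[IKE] <con11000|108023> received DELETE for ESP CHILD_SA with SPI a6cd8be9
Nov 10 14:02:32 charon 10[IKE] <con11000|108023> CHILD_SA con11000{68429} established with SPIs c849c2f7_i 5502fdda_o and TS n.n.n.n/32|m.m.m.m/32 === s.s.s.s/28|/0
Nov 10 14:02:32 charon 10[IKE] <con11000|108023> received 600s lifetime, configured 0s
Nov 10 13:54:32 charon 15[IKE] <con11000|108010> closing CHILD_SA con11000{68415} with SPIs ccccbd1f_i (0 bytes) 9209869f_o (0 bytes) and TS n.n.n.n/32|m.m.m.m/32 === s.s.s.s/28|/0
Nov 10 13:54:32 charon 15[IKE] <con11000|108010> received DELETE for ESP CHILD_SA with SPI 9209869f
Nov 10 13:54:02 charon 05[IKE] <con11000|108010> CHILD_SA con11000{68422} established with SPIs cc5feced_i a6cd8be9_o and TS n.n.n.n/32|m.m.m.m/32 === s.s.s.s/28|/0
Nov 10 13:46:02 charon 16[IKE] <con11000|107997> closing CHILD_SA con11000{68405} with SPIs c0d62ff4_i (406 bytes) a3135448_o (984 bytes) and TS n.n.n.n/32|m.m.m.m/32 === s.s.s.s/28|/0
Nov 10 13:46:02 charon 16[IKE] <con11000|107997> received DELETE for ESP CHILD_SA with SPI a3135448
Nov 10 13:45:32 charon 10[IKE] <con11000|107997> CHILD_SA con11000{68415} established with SPIs ccccbd1f_i 9209869f_o and TS n.n.n.n/32|m.m.m.m/32 === s.s.s.s/28|/0
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d) charon \d+\[\w+\] <[^>]+> (.*)$")
EST_RE = re.compile(
    r"CHILD_SA \S+\{(?P<id>\d+)\} established with SPIs "
    r"[0-9a-f]+_i (?P<spi_out>[0-9a-f]+)_o")
CLOSE_RE = re.compile(
    r"closing CHILD_SA \S+\{(?P<id>\d+)\} with SPIs [0-9a-f]+_i "
    r"\((?P<b_in>\d+) bytes\) (?P<spi_out>[0-9a-f]+)_o \((?P<b_out>\d+) bytes\)")
PEER_DEL_RE = re.compile(r"received DELETE for ESP CHILD_SA with SPI (?P<spi>[0-9a-f]+)")
LIFE_RE = re.compile(r"received (?P<peer>\d+)s lifetime, configured (?P<local>\d+)s")


def parse_events(log_text, assumed_year=2016):
    """Return (timestamp, message) pairs in chronological order."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a charon entry
        # Syslog timestamps carry no year; the year is an assumption and is
        # only needed so that durations can be computed.
        ts = datetime.strptime(f"{m.group(1)} {assumed_year}", "%b %d %H:%M:%S %Y")
        events.append((ts, m.group(2)))
    if events and events[0][0] > events[-1][0]:
        events.reverse()  # log is newest first; reversing keeps same-second order
    return events


def analyze(log_text):
    """Build a per-CHILD_SA timeline and collect the negotiated lifetimes."""
    sas, peer_deleted, lifetimes = {}, set(), set()
    for ts, msg in parse_events(log_text):
        if (m := LIFE_RE.search(msg)):
            lifetimes.add((int(m["peer"]), int(m["local"])))
        elif (m := PEER_DEL_RE.search(msg)):
            peer_deleted.add(m["spi"])  # DELETE names our outbound SPI
        elif (m := EST_RE.search(msg)):
            sas.setdefault(m["id"], {}).update(established=ts, spi_out=m["spi_out"])
        elif (m := CLOSE_RE.search(msg)):
            # The excerpt may start after this SA was established.
            sa = sas.setdefault(m["id"], {"established": None})
            sa.update(closed=ts, bytes_in=int(m["b_in"]), bytes_out=int(m["b_out"]),
                      closed_by="peer" if m["spi_out"] in peer_deleted else "local")
            if sa["established"]:
                sa["lifetime_s"] = int((ts - sa["established"]).total_seconds())
    return sas, lifetimes


def idle_child_sas(sas):
    """IDs of CHILD_SAs that were torn down without carrying a single byte."""
    return sorted(i for i, sa in sas.items()
                  if "closed" in sa and sa["bytes_in"] == 0 and sa["bytes_out"] == 0)


if __name__ == "__main__":
    sas, lifetimes = analyze(SAMPLE_LOG)
    for sa_id, sa in sas.items():
        print(sa_id, sa.get("closed_by", "still up"), sa.get("lifetime_s"),
              sa.get("bytes_in"), sa.get("bytes_out"))
    print("peer/local lifetime (s):", sorted(lifetimes))
    print("closed with 0 bytes:", idle_child_sas(sas))
```

On this excerpt every closed CHILD_SA was deleted by the peer, and two of them lived 540 seconds without passing any traffic.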
-
Thank you Derelict,
This is OK when the ASA terminates the tunnel, but why only after 30 min and not after 10 min, as I set the tunnel?
And is it normal that pfSense sends the keep alive?