IPSec DNAT not working
- 
 @viragomann This has cropped up once again. The customer has since changed the P1 tunnel to a routed VTI type and, rather than having several Phase 2 tunnels, they now have a single P2 with a broader subnet to capture all remote networks. When we now try and create/connect the IPv4 Phase tunnel for the RDP to the isolated network, it kills the other tunnel completely. Would this be expected due to the P1 type? 
- 
 @viragomann this is being picked back up and I'm at a loss at present. When we try and create a P2 tunnel for the NAT, it just takes the other P2 offline. Is there any other way of accomplishing this NAT when coming across an IPsec tunnel? A form of double NAT etc.? I've tried adding a VIP/IP Alias for the address they're trying to hit across the tunnel, which should then NAT to the isolated IP. I've created a Hybrid outbound NAT so it knows how to communicate across interfaces, but nothing is working. 
- 
 @Matt_Sharpe 
 It's not clear to me what you actually have. Did you mix VTI and policy-based (BINAT) tunnels? Post both tunnel settings and the IPSec log. 
- 
 @viragomann So the current working configuration (without the NAT requirements) is a single VTI tunnel with manual static routes configured. I tried adding the second P2 tunnel for the RDP NAT as you previously suggested, but the other tunnel was then impacted. This was a few hours ago, do you want the log for when the other P2 tunnel is created? 
- 
 @Matt_Sharpe 
 As far as I know, you cannot mix routed and policy-based IPSec. However, this should not be necessary. NAT should be possible on the VTI interface directly. You have to assign an interface to the VTI tunnel first, if you haven't done this already. 
 Then you can assign a virtual IP of type IP alias to it and NAT it to whatever you want.
- 
 @viragomann So I already have an interface assigned for the IPSEC tunnel. Named 'IPSEC'. I am however unable to assign an IP address to this interface manually: "This interface type does not support manual address configuration on this page" It seems to pull the IP address from the Gateways list but it's set as 'Dynamic'. If I try and add an IP Alias to the IPSEC interface we get:  
- 
 @Matt_Sharpe 
 So I assume this is not the VTI interface.
 Go to interface > assignments. Can you see the IPSec there?
- 
 @viragomann Yes, I see the VTI in the list (customer information excluded of course)  
- 
 @Matt_Sharpe 
 OK, the virtual IP should not really be needed. You can apply NAT rules also without it.
 You have to switch the IPsec Filter Mode in the IPsec Advanced Settings to "Filter IPsec VTI and Transport on assigned interfaces, block all tunnel mode traffic".
 However, this only works if all your IPSec tunnels are VTI! If this is not given, you cannot use it.
- 
 @viragomann Unfortunately, we have 2 tunnels; the other one into Azure is a tunnel-based IPsec. Do we have any other options? 
- 
 @Matt_Sharpe 
 This is the only way to get traditional NAT rules working on IPSec. The only other option is routed IPSec with BINAT. But I don't know if this works simultaneously with a VTI tunnel. I assume it should. 
 Maybe the setting and the log can shed some light.
- 
 @viragomann I added the second Phase 2 IPsec (tunnel mode). Here are the IPsec logs shortly after enabling the tunnel. I've changed IP addresses for security.
 PART 1
 Last 500 IPsec Log Entries. (Maximum 500)
 Jan 16 14:40:07 charon 75651 06[CFG] vici client 1276 disconnected
 Jan 16 14:40:07 charon 75651 12[CFG] updated vici connection: con2
 Jan 16 14:40:07 charon 75651 12[CFG] id = CUSTOMER_WAN_IP
 Jan 16 14:40:07 charon 75651 12[CFG] class = pre-shared key
 Jan 16 14:40:07 charon 75651 12[CFG] remote:
 Jan 16 14:40:07 charon 75651 12[CFG] id = PROVIDER_WAN_IP
 Jan 16 14:40:07 charon 75651 12[CFG] class = pre-shared key
 Jan 16 14:40:07 charon 75651 12[CFG] local:
 Jan 16 14:40:07 charon 75651 12[CFG] if_id_out = 0
 Jan 16 14:40:07 charon 75651 12[CFG] if_id_in = 0
 Jan 16 14:40:07 charon 75651 12[CFG] proposals = IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
 Jan 16 14:40:07 charon 75651 12[CFG] rand_time = 2880
 Jan 16 14:40:07 charon 75651 12[CFG] over_time = 2880
 Jan 16 14:40:07 charon 75651 12[CFG] rekey_time = 25920
 Jan 16 14:40:07 charon 75651 12[CFG] reauth_time = 0
 Jan 16 14:40:07 charon 75651 12[CFG] keyingtries = 1
 Jan 16 14:40:07 charon 75651 12[CFG] unique = UNIQUE_REPLACE
 Jan 16 14:40:07 charon 75651 12[CFG] childless = 0
 Jan 16 14:40:07 charon 75651 12[CFG] fragmentation = 2
 Jan 16 14:40:07 charon 75651 12[CFG] dpd_timeout = 0
 Jan 16 14:40:07 charon 75651 12[CFG] dpd_delay = 30
 Jan 16 14:40:07 charon 75651 12[CFG] encap = 0
 Jan 16 14:40:07 charon 75651 12[CFG] dscp = 0x00
 Jan 16 14:40:07 charon 75651 12[CFG] aggressive = 0
 Jan 16 14:40:07 charon 75651 12[CFG] mobike = 0
 Jan 16 14:40:07 charon 75651 12[CFG] ppk_required = 0
 Jan 16 14:40:07 charon 75651 12[CFG] ppk_id = (null)
 Jan 16 14:40:07 charon 75651 12[CFG] send_cert = CERT_SEND_IF_ASKED
 Jan 16 14:40:07 charon 75651 12[CFG] send_certreq = 1
 Jan 16 14:40:07 charon 75651 12[CFG] remote_port = 500
 Jan 16 14:40:07 charon 75651 12[CFG] local_port = 500
 Jan 16 14:40:07 charon 75651 12[CFG] remote_addrs = CUSTOMER_WAN_IP
 Jan 16 14:40:07 charon 75651 12[CFG] local_addrs = PROVIDER_WAN_IP
 Jan 16 14:40:07 charon 75651 12[CFG] version = 2
 Jan 16 14:40:07 charon 75651 12[CFG] copy_dscp = out
 Jan 16 14:40:07 charon 75651 12[CFG] copy_ecn = 1
 Jan 16 14:40:07 charon 75651 12[CFG] copy_df = 1
 Jan 16 14:40:07 charon 75651 12[CFG] sha256_96 = 0
 Jan 16 14:40:07 charon 75651 12[CFG] hw_offload = no
 Jan 16 14:40:07 charon 75651 12[CFG] remote_ts = CUSTOMER_LAN_RANGE|/0 0.0.0.0/0|/0 ::/0|/0
 Jan 16 14:40:07 charon 75651 12[CFG] local_ts = SITE2_LAN_IP/32|SITE2_ISOLATED_LAN_IP/32 0.0.0.0/0|/0 ::/0|/0
 Jan 16 14:40:07 charon 75651 12[CFG] proposals = ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
 Jan 16 14:40:07 charon 75651 12[CFG] inactivity = 0
 Jan 16 14:40:07 charon 75651 12[CFG] label_mode = system
 Jan 16 14:40:07 charon 75651 12[CFG] label = (null)
 Jan 16 14:40:07 charon 75651 12[CFG] set_mark_out = 0/0
 Jan 16 14:40:07 charon 75651 12[CFG] set_mark_in = 0/0
 Jan 16 14:40:07 charon 75651 12[CFG] mark_out = 0/0
 Jan 16 14:40:07 charon 75651 12[CFG] mark_in_sa = 0
 Jan 16 14:40:07 charon 75651 12[CFG] mark_in = 0/0
 Jan 16 14:40:07 charon 75651 12[CFG] if_id_out = 0
 Jan 16 14:40:07 charon 75651 12[CFG] if_id_in = 0
 Jan 16 14:40:07 charon 75651 12[CFG] interface = (null)
 Jan 16 14:40:07 charon 75651 12[CFG] priority = 0
 Jan 16 14:40:07 charon 75651 12[CFG] tfc = 0
 Jan 16 14:40:07 charon 75651 12[CFG] reqid = 5003
 Jan 16 14:40:07 charon 75651 12[CFG] close_action = none
 Jan 16 14:40:07 charon 75651 12[CFG] start_action = start
 Jan 16 14:40:07 charon 75651 12[CFG] dpd_action = start
 Jan 16 14:40:07 charon 75651 12[CFG] policies_fwd_out = 0
 Jan 16 14:40:07 charon 75651 12[CFG] policies = 1
 Jan 16 14:40:07 charon 75651 12[CFG] mode = TUNNEL
 Jan 16 14:40:07 charon 75651 12[CFG] ipcomp = 0
 Jan 16 14:40:07 charon 75651 12[CFG] hostaccess = 0
 Jan 16 14:40:07 charon 75651 12[CFG] updown = (null)
 Jan 16 14:40:07 charon 75651 12[CFG] rand_packets = 0
 Jan 16 14:40:07 charon 75651 12[CFG] life_packets = 0
 Jan 16 14:40:07 charon 75651 12[CFG] rekey_packets = 0
 Jan 16 14:40:07 charon 75651 12[CFG] rand_bytes = 0
 Jan 16 14:40:07 charon 75651 12[CFG] life_bytes = 0
 Jan 16 14:40:07 charon 75651 12[CFG] rekey_bytes = 0
 Jan 16 14:40:07 charon 75651 12[CFG] rand_time = 360
 Jan 16 14:40:07 charon 75651 12[CFG] life_time = 3600
 Jan 16 14:40:07 charon 75651 12[CFG] rekey_time = 3240
 Jan 16 14:40:07 charon 75651 12[CFG] child con2_3:
 Jan 16 14:40:07 charon 75651 12[CFG] copy_dscp = out
 Jan 16 14:40:07 charon 75651 12[CFG] copy_ecn = 1
 Jan 16 14:40:07 charon 75651 12[CFG] copy_df = 1
 Jan 16 14:40:07 charon 75651 12[CFG] sha256_96 = 0
 Jan 16 14:40:07 charon 75651 12[CFG] hw_offload = no
 Jan 16 14:40:07 charon 75651 12[CFG] remote_ts = VTI_CUSTOMER_IP/32|/0 0.0.0.0/0|/0 ::/0|/0
 Jan 16 14:40:07 charon 75651 12[CFG] local_ts = VTI_SITE2_IP/32|/0 0.0.0.0/0|/0 ::/0|/0
 Jan 16 14:40:07 charon 75651 12[CFG] proposals = ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
 Jan 16 14:40:07 charon 75651 12[CFG] inactivity = 0
 Jan 16 14:40:07 charon 75651 12[CFG] label_mode = system
 Jan 16 14:40:07 charon 75651 12[CFG] label = (null)
 Jan 16 14:40:07 charon 75651 12[CFG] set_mark_out = 0/0
 Jan 16 14:40:07 charon 75651 12[CFG] set_mark_in = 0/0
 Jan 16 14:40:07 charon 75651 12[CFG] mark_out = 0/0
 Jan 16 14:40:07 charon 75651 12[CFG] mark_in_sa = 0
 Jan 16 14:40:07 charon 75651 12[CFG] mark_in = 0/0
 Jan 16 14:40:07 charon 75651 12[CFG] if_id_out = 0
 Jan 16 14:40:07 charon 75651 12[CFG] if_id_in = 0
 Jan 16 14:40:07 charon 75651 12[CFG] interface = (null)
 Jan 16 14:40:07 charon 75651 12[CFG] priority = 0
 Jan 16 14:40:07 charon 75651 12[CFG] tfc = 0
 Jan 16 14:40:07 charon 75651 12[CFG] reqid = 5002
 Jan 16 14:40:07 charon 75651 12[CFG] close_action = none
 Jan 16 14:40:07 charon 75651 12[CFG] start_action = start
 Jan 16 14:40:07 charon 75651 12[CFG] dpd_action = start
 Jan 16 14:40:07 charon 75651 12[CFG] policies_fwd_out = 0
 Jan 16 14:40:07 charon 75651 12[CFG] policies = 0
 Jan 16 14:40:07 charon 75651 12[CFG] mode = TUNNEL
 Jan 16 14:40:07 charon 75651 12[CFG] ipcomp = 0
 Jan 16 14:40:07 charon 75651 12[CFG] hostaccess = 0
 Jan 16 14:40:07 charon 75651 12[CFG] updown = (null)
 Jan 16 14:40:07 charon 75651 12[CFG] rand_packets = 0
 Jan 16 14:40:07 charon 75651 12[CFG] life_packets = 0
 Jan 16 14:40:07 charon 75651 12[CFG] rekey_packets = 0
 Jan 16 14:40:07 charon 75651 12[CFG] rand_bytes = 0
 Jan 16 14:40:07 charon 75651 12[CFG] life_bytes = 0
 Jan 16 14:40:07 charon 75651 12[CFG] rekey_bytes = 0
 Jan 16 14:40:07 charon 75651 12[CFG] rand_time = 360
 Jan 16 14:40:07 charon 75651 12[CFG] life_time = 3600
 Jan 16 14:40:07 charon 75651 12[CFG] rekey_time = 3240
 Jan 16 14:40:07 charon 75651 12[CFG] child con2_2:
 Jan 16 14:40:07 charon 75651 12[CFG] conn con2:
 Jan 16 14:40:07 charon 75651 12[CFG] vici client 1276 requests: load-conn
 Jan 16 14:40:07 charon 75651 12[CFG] updated vici connection: con1
 Jan 16 14:40:07 charon 75651 12[CFG] id = AZURE_IP
 Jan 16 14:40:07 charon 75651 12[CFG] class = pre-shared key
 Jan 16 14:40:07 charon 75651 12[CFG] remote:
 Jan 16 14:40:07 charon 75651 12[CFG] id = PROVIDER_WAN_IP
 Jan 16 14:40:07 charon 75651 12[CFG] class = pre-shared key
 Jan 16 14:40:07 charon 75651 12[CFG] local:
 Jan 16 14:40:07 charon 75651 12[CFG] if_id_out = 0
 Jan 16 14:40:07 charon 75651 12[CFG] if_id_in = 0
 Jan 16 14:40:07 charon 75651 12[CFG] proposals = IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
 Jan 16 14:40:07 charon 75651 12[CFG] rand_time = 2880
 Jan 16 14:40:07 charon 75651 12[CFG] over_time = 2880
 Jan 16 14:40:07 charon 75651 12[CFG] rekey_time = 0
 Jan 16 14:40:07 charon 75651 12[CFG] reauth_time = 25920
 Jan 16 14:40:07 charon 75651 12[CFG] keyingtries = 1
 Jan 16 14:40:07 charon 75651 12[CFG] unique = UNIQUE_REPLACE
 Jan 16 14:40:07 charon 75651 12[CFG] childless = 0
 Jan 16 14:40:07 charon 75651 12[CFG] fragmentation = 2
 Jan 16 14:40:07 charon 75651 12[CFG] dpd_timeout = 60
 Jan 16 14:40:07 charon 75651 12[CFG] dpd_delay = 10
 Jan 16 14:40:07 charon 75651 12[CFG] encap = 0
 Jan 16 14:40:07 charon 75651 12[CFG] dscp = 0x00
 Jan 16 14:40:07 charon 75651 12[CFG] aggressive = 0
 Jan 16 14:40:07 charon 75651 12[CFG] mobike = 0
 Jan 16 14:40:07 charon 75651 12[CFG] ppk_required = 0
 Jan 16 14:40:07 charon 75651 12[CFG] ppk_id = (null)
 Jan 16 14:40:07 charon 75651 12[CFG] send_cert = CERT_SEND_IF_ASKED
 Jan 16 14:40:07 charon 75651 12[CFG] send_certreq = 1
 Jan 16 14:40:07 charon 75651 12[CFG] remote_port = 500
 Jan 16 14:40:07 charon 75651 12[CFG] local_port = 500
 Jan 16 14:40:07 charon 75651 12[CFG] remote_addrs = AZURE_IP
 Jan 16 14:40:07 charon 75651 12[CFG] local_addrs = PROVIDER_WAN_IP
 Jan 16 14:40:07 charon 75651 12[CFG] version = 1
 Jan 16 14:40:07 charon 75651 12[CFG] copy_dscp = out
 Jan 16 14:40:07 charon 75651 12[CFG] copy_ecn = 1
 Jan 16 14:40:07 charon 75651 12[CFG] copy_df = 1
 Jan 16 14:40:07 charon 75651 12[CFG] sha256_96 = 0
 Jan 16 14:40:07 charon 75651 12[CFG] hw_offload = no
 Jan 16 14:40:07 charon 75651 12[CFG] remote_ts = AZURE_LAN|/0
 Jan 16 14:40:07 charon 75651 12[CFG] local_ts = SITE2_LAN|/0
 Jan 16 14:40:07 charon 75651 12[CFG] proposals = ESP:AES_GCM_16_256/NO_EXT_SEQ, ESP:AES_GCM_12_256/NO_EXT_SEQ, ESP:AES_GCM_8_256/NO_EXT_SEQ, ESP:AES_GCM_16_128/NO_EXT_SEQ, ESP:AES_GCM_12_128/NO_EXT_SEQ, ESP:AES_GCM_8_128/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
 Jan 16 14:40:07 charon 75651 12[CFG] inactivity = 0
 Jan 16 14:40:07 charon 75651 12[CFG] label_mode = system
 Jan 16 14:40:07 charon 75651 12[CFG] label = (null)
 Jan 16 14:40:07 charon 75651 12[CFG] set_mark_out = 0/0
 Jan 16 14:40:07 charon 75651 12[CFG] set_mark_in = 0/0
 Jan 16 14:40:07 charon 75651 12[CFG] mark_out = 0/0
 Jan 16 14:40:07 charon 75651 12[CFG] mark_in_sa = 0
 Jan 16 14:40:07 charon 75651 12[CFG] mark_in = 0/0
 Jan 16 14:40:07 charon 75651 12[CFG] if_id_out = 0
 Jan 16 14:40:07 charon 75651 12[CFG] if_id_in = 0
 Jan 16 14:40:07 charon 75651 12[CFG] interface = (null)
 Jan 16 14:40:07 charon 75651 12[CFG] priority = 0
 Jan 16 14:40:07 charon 75651 12[CFG] tfc = 0
 Jan 16 14:40:07 charon 75651 12[CFG] reqid = 0
 Jan 16 14:40:07 charon 75651 12[CFG] close_action = none
 Jan 16 14:40:07 charon 75651 12[CFG] start_action = trap
 Jan 16 14:40:07 charon 75651 12[CFG] dpd_action = trap
 Jan 16 14:40:07 charon 75651 12[CFG] policies_fwd_out = 0
 Jan 16 14:40:07 charon 75651 12[CFG] policies = 1
 Jan 16 14:40:07 charon 75651 12[CFG] mode = TUNNEL
 Jan 16 14:40:07 charon 75651 12[CFG] ipcomp = 0
 Jan 16 14:40:07 charon 75651 12[CFG] hostaccess = 0
 Jan 16 14:40:07 charon 75651 12[CFG] updown = (null)
 Jan 16 14:40:07 charon 75651 12[CFG] rand_packets = 0
 Jan 16 14:40:07 charon 75651 12[CFG] life_packets = 0
 Jan 16 14:40:07 charon 75651 12[CFG] rekey_packets = 0
 Jan 16 14:40:07 charon 75651 12[CFG] rand_bytes = 0
 Jan 16 14:40:07 charon 75651 12[CFG] life_bytes = 0
 Jan 16 14:40:07 charon 75651 12[CFG] rekey_bytes = 0
 Jan 16 14:40:07 charon 75651 12[CFG] rand_time = 360
 Jan 16 14:40:07 charon 75651 12[CFG] life_time = 3600
 Jan 16 14:40:07 charon 75651 12[CFG] rekey_time = 3240
 Jan 16 14:40:07 charon 75651 12[CFG] child con1_1:
 Jan 16 14:40:07 charon 75651 12[CFG] conn con1:
 Jan 16 14:40:07 charon 75651 12[CFG] vici client 1276 requests: load-conn
 Jan 16 14:40:07 charon 75651 12[CFG] updated vici connection: bypass
 Jan 16 14:40:07 charon 75651 12[CFG] remote:
 Jan 16 14:40:07 charon 75651 12[CFG] local:
 Jan 16 14:40:07 charon 75651 12[CFG] if_id_out = 0
 Jan 16 14:40:07 charon 75651 12[CFG] if_id_in = 0
 Jan 16 14:40:07 charon 75651 12[CFG] proposals = IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/CHACHA20_POLY1305/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
 Jan 16 14:40:07 charon 75651 12[CFG] rand_time = 1440
 Jan 16 14:40:07 charon 75651 12[CFG] over_time = 1440
 Jan 16 14:40:07 charon 75651 12[CFG] rekey_time = 14400
 Jan 16 14:40:07 charon 75651 12[CFG] reauth_time = 0
 Jan 16 14:40:07 charon 75651 12[CFG] keyingtries = 1
 Jan 16 14:40:07 charon 75651 12[CFG] unique = UNIQUE_NO
 Jan 16 14:40:07 charon 75651 12[CFG] childless = 0
 Jan 16 14:40:07 charon 75651 12[CFG] fragmentation = 2
 Jan 16 14:40:07 charon 75651 12[CFG] dpd_timeout = 0
 Jan 16 14:40:07 charon 75651 12[CFG] dpd_delay = 0
 Jan 16 14:40:07 charon 75651 12[CFG] encap = 0
 Jan 16 14:40:07 charon 75651 12[CFG] dscp = 0x00
 Jan 16 14:40:07 charon 75651 12[CFG] aggressive = 0
 Jan 16 14:40:07 charon 75651 12[CFG] mobike = 1
 Jan 16 14:40:07 charon 75651 12[CFG] ppk_required = 0
 Jan 16 14:40:07 charon 75651 12[CFG] ppk_id = (null)
 Jan 16 14:40:07 charon 75651 12[CFG] send_cert = CERT_SEND_IF_ASKED
 Jan 16 14:40:07 charon 75651 12[CFG] send_certreq = 1
 Jan 16 14:40:07 charon 75651 12[CFG] remote_port = 500
 Jan 16 14:40:07 charon 75651 12[CFG] local_port = 500
 Jan 16 14:40:07 charon 75651 12[CFG] remote_addrs = 127.0.0.1
 Jan 16 14:40:07 charon 75651 12[CFG] local_addrs = %any
 Jan 16 14:40:07 charon 75651 12[CFG] version = 0
 Jan 16 14:40:07 charon 75651 12[CFG] copy_dscp = out
 Jan 16 14:40:07 charon 75651 12[CFG] copy_ecn = 1
 Jan 16 14:40:07 charon 75651 12[CFG] copy_df = 1
 Jan 16 14:40:07 charon 75651 12[CFG] sha256_96 = 0
 Jan 16 14:40:07 charon 75651 12[CFG] hw_offload = no
 Jan 16 14:40:07 charon 75651 12[CFG] remote_ts = SITE2_LAN|/0
 Jan 16 14:40:07 charon 75651 12[CFG] local_ts = SITE2_LAN|/0
 Jan 16 14:40:07 charon 75651 12[CFG] proposals = ESP:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
 Jan 16 14:40:07 charon 75651 12[CFG] inactivity = 0
 Jan 16 14:40:07 charon 75651 12[CFG] label_mode = system
 Jan 16 14:40:07 charon 75651 12[CFG] label = (null)
 Jan 16 14:40:07 charon 75651 12[CFG] set_mark_out = 0/0
 Jan 16 14:40:07 charon 75651 12[CFG] set_mark_in = 0/0
 Jan 16 14:40:07 charon 75651 12[CFG] mark_out = 0/0
 Jan 16 14:40:07 charon 75651 12[CFG] mark_in_sa = 0
 Jan 16 14:40:07 charon 75651 12[CFG] mark_in = 0/0
 Jan 16 14:40:07 charon 75651 12[CFG] if_id_out = 0
 Jan 16 14:40:07 charon 75651 12[CFG] if_id_in = 0
 Jan 16 14:40:07 charon 75651 12[CFG] interface = (null)
 Jan 16 14:40:07 charon 75651 12[CFG] priority = 0
 Jan 16 14:40:07 charon 75651 12[CFG] tfc = 0
 Jan 16 14:40:07 charon 75651 12[CFG] reqid = 0
 Jan 16 14:40:07 charon 75651 12[CFG] close_action = none
 Jan 16 14:40:07 charon 75651 12[CFG] start_action = trap
 Jan 16 14:40:07 charon 75651 12[CFG] dpd_action = none
 Jan 16 14:40:07 charon 75651 12[CFG] policies_fwd_out = 0
- 
 PART 2
 Jan 16 14:40:07 charon 75651 12[CFG] policies = 1
 Jan 16 14:40:07 charon 75651 12[CFG] mode = PASS
 Jan 16 14:40:07 charon 75651 12[CFG] ipcomp = 0
 Jan 16 14:40:07 charon 75651 12[CFG] hostaccess = 0
 Jan 16 14:40:07 charon 75651 12[CFG] updown = (null)
 Jan 16 14:40:07 charon 75651 12[CFG] rand_packets = 0
 Jan 16 14:40:07 charon 75651 12[CFG] life_packets = 0
 Jan 16 14:40:07 charon 75651 12[CFG] rekey_packets = 0
 Jan 16 14:40:07 charon 75651 12[CFG] rand_bytes = 0
 Jan 16 14:40:07 charon 75651 12[CFG] life_bytes = 0
 Jan 16 14:40:07 charon 75651 12[CFG] rekey_bytes = 0
 Jan 16 14:40:07 charon 75651 12[CFG] rand_time = 360
 Jan 16 14:40:07 charon 75651 12[CFG] life_time = 3960
 Jan 16 14:40:07 charon 75651 12[CFG] rekey_time = 3600
 Jan 16 14:40:07 charon 75651 12[CFG] child bypasslan:
 Jan 16 14:40:07 charon 75651 12[CFG] conn bypass:
 Jan 16 14:40:07 charon 75651 12[CFG] vici client 1276 requests: load-conn
 Jan 16 14:40:07 charon 75651 12[CFG] vici client 1276 requests: get-conns
 Jan 16 14:40:07 charon 75651 12[CFG] vici client 1276 requests: get-pools
 Jan 16 14:40:07 charon 75651 12[CFG] vici client 1276 requests: get-authorities
 Jan 16 14:40:07 charon 75651 12[CFG] loaded IKE shared key with id 'ike-1' for: '%any', 'CUSTOMER_WAN_IP'
 Jan 16 14:40:07 charon 75651 12[CFG] vici client 1276 requests: load-shared
 Jan 16 14:40:07 charon 75651 12[CFG] loaded IKE shared key with id 'ike-0' for: '%any', 'AZURE_IP'
 Jan 16 14:40:07 charon 75651 12[CFG] vici client 1276 requests: load-shared
 Jan 16 14:40:07 charon 75651 12[CFG] vici client 1276 requests: get-shared
 Jan 16 14:40:07 charon 75651 14[CFG] vici client 1276 requests: get-keys
 Jan 16 14:40:07 charon 75651 14[CFG] vici client 1276 connected
 Jan 16 14:40:07 charon 75651 07[CFG] vici client 1275 disconnected
 Jan 16 14:40:07 charon 75651 07[CFG] loaded 0 RADIUS server configurations
 Jan 16 14:40:07 charon 75651 07[CFG] loaded 0 entries for attr plugin configuration
 Jan 16 14:40:07 charon 75651 07[CFG] ipseckey plugin is disabled
 Jan 16 14:40:07 charon 75651 07[CFG] vici client 1275 requests: reload-settings
 Jan 16 14:40:07 charon 75651 14[CFG] vici client 1275 connected
 Jan 16 14:40:07 charon 75651 05[IKE] <con2|4> keeping statically configured path PROVIDER_WAN_IP - CUSTOMER_WAN_IP
 Jan 16 14:40:07 charon 75651 05[KNL] VTI_SITE2_IP appeared on ipsec2
 Jan 16 14:40:07 charon 75651 13[KNL] interface ipsec2 appeared
 Jan 16 14:40:07 charon 75651 13[KNL] interface ipsec2 disappeared
 Jan 16 14:40:07 charon 75651 09[KNL] interface ipsec2 deactivated
 Jan 16 14:40:07 charon 75651 09[KNL] VTI_SITE2_IP disappeared from ipsec2
 Jan 16 14:40:06 charon 75651 09[IKE] <con1|3> nothing to initiate
 Jan 16 14:40:06 charon 75651 09[IKE] <con1|3> activating new tasks
 Jan 16 14:40:06 charon 75651 09[NET] <con1|3> sending packet: from PROVIDER_WAN_IP[500] to AZURE_IP[500] (92 bytes)
 Jan 16 14:40:06 charon 75651 09[ENC] <con1|3> generating INFORMATIONAL_V1 request 2819744997 [ HASH N(DPD_ACK) ]
 Jan 16 14:40:06 charon 75651 09[IKE] <con1|3> activating ISAKMP_DPD task
 Jan 16 14:40:06 charon 75651 09[IKE] <con1|3> activating new tasks
 Jan 16 14:40:06 charon 75651 09[IKE] <con1|3> queueing ISAKMP_DPD task
 Jan 16 14:40:06 charon 75651 09[ENC] <con1|3> parsed INFORMATIONAL_V1 request 1404219913 [ HASH N(DPD) ]
 Jan 16 14:40:06 charon 75651 09[NET] <con1|3> received packet: from AZURE_IP[500] to PROVIDER_WAN_IP[500] (92 bytes)
 Jan 16 14:40:05 charon 75651 09[CFG] vici client 1274 disconnected
 Jan 16 14:40:05 charon 75651 09[CFG] vici client 1274 requests: list-sas
 Jan 16 14:40:05 charon 75651 15[CFG] vici client 1274 registered for: list-sa
 Jan 16 14:40:05 charon 75651 15[CFG] vici client 1274 connected
 Jan 16 14:40:02 charon 75651 09[IKE] <con1|3> nothing to initiate
 Jan 16 14:40:02 charon 75651 09[IKE] <con1|3> activating new tasks
 Jan 16 14:40:02 charon 75651 09[ENC] <con1|3> parsed INFORMATIONAL_V1 request 1532146135 [ HASH N(DPD_ACK) ]
 Jan 16 14:40:02 charon 75651 09[NET] <con1|3> received packet: from AZURE_IP[500] to PROVIDER_WAN_IP[500] (92 bytes)
 Jan 16 14:40:02 charon 75651 09[IKE] <con1|3> nothing to initiate
 Jan 16 14:40:02 charon 75651 09[IKE] <con1|3> activating new tasks
 Jan 16 14:40:02 charon 75651 09[NET] <con1|3> sending packet: from PROVIDER_WAN_IP[500] to AZURE_IP[500] (92 bytes)
 Jan 16 14:40:02 charon 75651 09[ENC] <con1|3> generating INFORMATIONAL_V1 request 1473236439 [ HASH N(DPD) ]
 Jan 16 14:40:02 charon 75651 09[IKE] <con1|3> activating ISAKMP_DPD task
 Jan 16 14:40:02 charon 75651 09[IKE] <con1|3> activating new tasks
 Jan 16 14:40:02 charon 75651 09[IKE] <con1|3> queueing ISAKMP_DPD task
 Jan 16 14:40:02 charon 75651 09[IKE] <con1|3> sending DPD request
 Jan 16 14:40:00 charon 75651 09[CFG] vici client 1273 disconnected
 Jan 16 14:40:00 charon 75651 15[CFG] vici client 1273 requests: list-sas
 Jan 16 14:40:00 charon 75651 11[CFG] vici client 1273 registered for: list-sa
 Jan 16 14:40:00 charon 75651 11[CFG] vici client 1273 connected
 Jan 16 14:39:55 charon 75651 15[CFG] vici client 1272 disconnected
 Jan 16 14:39:55 charon 75651 11[CFG] vici client 1272 requests: list-sas
 Jan 16 14:39:55 charon 75651 08[CFG] vici client 1272 registered for: list-sa
 Jan 16 14:39:55 charon 75651 11[CFG] vici client 1272 connected
 Jan 16 14:39:52 charon 75651 08[IKE] <con1|3> nothing to initiate
 Jan 16 14:39:52 charon 75651 08[IKE] <con1|3> activating new tasks
 Jan 16 14:39:52 charon 75651 08[NET] <con1|3> sending packet: from PROVIDER_WAN_IP[500] to AZURE_IP[500] (92 bytes)
 Jan 16 14:39:52 charon 75651 08[ENC] <con1|3> generating INFORMATIONAL_V1 request 316903062 [ HASH N(DPD_ACK) ]
 Jan 16 14:39:52 charon 75651 08[IKE] <con1|3> activating ISAKMP_DPD task
 Jan 16 14:39:52 charon 75651 08[IKE] <con1|3> activating new tasks
 Jan 16 14:39:52 charon 75651 08[IKE] <con1|3> queueing ISAKMP_DPD task
 Jan 16 14:39:52 charon 75651 08[ENC] <con1|3> parsed INFORMATIONAL_V1 request 2810856974 [ HASH N(DPD) ]
 Jan 16 14:39:52 charon 75651 08[NET] <con1|3> received packet: from AZURE_IP[500] to PROVIDER_WAN_IP[500] (92 bytes)
 Jan 16 14:39:50 charon 75651 08[CFG] vici client 1271 disconnected
 Jan 16 14:39:50 charon 75651 16[CFG] vici client 1271 requests: list-sas
 Jan 16 14:39:50 charon 75651 16[CFG] vici client 1271 registered for: list-sa
 Jan 16 14:39:50 charon 75651 16[CFG] vici client 1271 connected
 Jan 16 14:39:48 charon 75651 11[IKE] <con1|3> nothing to initiate
 Jan 16 14:39:48 charon 75651 11[IKE] <con1|3> activating new tasks
 Jan 16 14:39:48 charon 75651 11[ENC] <con1|3> parsed INFORMATIONAL_V1 request 1390613614 [ HASH N(DPD_ACK) ]
 Jan 16 14:39:48 charon 75651 11[NET] <con1|3> received packet: from AZURE_IP[500] to PROVIDER_WAN_IP[500] (92 bytes)
 Jan 16 14:39:48 charon 75651 11[IKE] <con1|3> nothing to initiate
 Jan 16 14:39:48 charon 75651 11[IKE] <con1|3> activating new tasks
 Jan 16 14:39:48 charon 75651 11[NET] <con1|3> sending packet: from PROVIDER_WAN_IP[500] to AZURE_IP[500] (92 bytes)
 Jan 16 14:39:48 charon 75651 11[ENC] <con1|3> generating INFORMATIONAL_V1 request 2462119987 [ HASH N(DPD) ]
 Jan 16 14:39:48 charon 75651 11[IKE] <con1|3> activating ISAKMP_DPD task
 Jan 16 14:39:48 charon 75651 11[IKE] <con1|3> activating new tasks
 Jan 16 14:39:48 charon 75651 11[IKE] <con1|3> queueing ISAKMP_DPD task
 Jan 16 14:39:48 charon 75651 11[IKE] <con1|3> sending DPD request
 Jan 16 14:39:45 charon 75651 11[CFG] vici client 1270 disconnected
 Jan 16 14:39:45 charon 75651 16[CFG] vici client 1270 requests: list-sas
 Jan 16 14:39:45 charon 75651 06[CFG] vici client 1270 registered for: list-sa
 Jan 16 14:39:45 charon 75651 06[CFG] vici client 1270 connected
 Jan 16 14:39:39 charon 75651 06[CFG] vici client 1269 disconnected
 Jan 16 14:39:39 charon 75651 16[CFG] vici client 1269 requests: list-sas
 Jan 16 14:39:39 charon 75651 10[CFG] vici client 1269 registered for: list-sa
 Jan 16 14:39:39 charon 75651 10[CFG] vici client 1269 connected
 Jan 16 14:39:38 charon 75651 16[IKE] <con1|3> nothing to initiate
 Jan 16 14:39:38 charon 75651 16[IKE] <con1|3> activating new tasks
 Jan 16 14:39:38 charon 75651 16[NET] <con1|3> sending packet: from PROVIDER_WAN_IP[500] to AZURE_IP[500] (92 bytes)
 Jan 16 14:39:38 charon 75651 16[ENC] <con1|3> generating INFORMATIONAL_V1 request 1385749720 [ HASH N(DPD_ACK) ]
 Jan 16 14:39:38 charon 75651 16[IKE] <con1|3> activating ISAKMP_DPD task
 Jan 16 14:39:38 charon 75651 16[IKE] <con1|3> activating new tasks
 Jan 16 14:39:38 charon 75651 16[IKE] <con1|3> queueing ISAKMP_DPD task
 Jan 16 14:39:38 charon 75651 16[ENC] <con1|3> parsed INFORMATIONAL_V1 request 2165448184 [ HASH N(DPD) ]
 Jan 16 14:39:38 charon 75651 16[NET] <con1|3> received packet: from AZURE_IP[500] to PROVIDER_WAN_IP[500] (92 bytes)
 Jan 16 14:39:35 charon 75651 16[IKE] <con2|4> nothing to initiate
 Jan 16 14:39:35 charon 75651 16[IKE] <con2|4> activating new tasks
 Jan 16 14:39:35 charon 75651 16[CHD] <con2|4> CHILD_SA con2_3{16} state change: INSTALLING => INSTALLED
 Jan 16 14:39:35 charon 75651 16[IKE] <con2|4> CHILD_SA con2_3{16} established with SPIs c0c56a7e_i bf8002fd_o and TS 0.0.0.0/0|/0 === 0.0.0.0/0|/0
 Jan 16 14:39:35 charon 75651 16[CHD] <con2|4> SPI 0xbf8002fd, src PROVIDER_WAN_IP dst CUSTOMER_WAN_IP
 Jan 16 14:39:35 charon 75651 16[CHD] <con2|4> adding outbound ESP SA
 Jan 16 14:39:35 charon 75651 16[CHD] <con2|4> SPI 0xc0c56a7e, src CUSTOMER_WAN_IP dst PROVIDER_WAN_IP
 Jan 16 14:39:35 charon 75651 16[CHD] <con2|4> adding inbound ESP SA
 Jan 16 14:39:35 charon 75651 16[CHD] <con2|4> using HMAC_SHA2_256_128 for integrity
 Jan 16 14:39:35 charon 75651 16[CHD] <con2|4> using AES_CBC for encryption
 Jan 16 14:39:35 charon 75651 16[CHD] <con2|4> CHILD_SA con2_3{16} state change: CREATED => INSTALLING
 Jan 16 14:39:35 charon 75651 16[CFG] <con2|4> config: ::/0|/0, received: 0.0.0.0/0|/0 => no match
 Jan 16 14:39:35 charon 75651 16[CFG] <con2|4> config: 0.0.0.0/0|/0, received: 0.0.0.0/0|/0 => match: 0.0.0.0/0|/0
 Jan 16 14:39:35 charon 75651 16[CFG] <con2|4> config: CUSTOMER_LAN_RANGE|/0, received: 0.0.0.0/0|/0 => match: CUSTOMER_LAN_RANGE|/0
 Jan 16 14:39:35 charon 75651 16[CFG] <con2|4> selecting traffic selectors for other:
 Jan 16 14:39:35 charon 75651 16[CFG] <con2|4> config: ::/0|/0, received: 0.0.0.0/0|/0 => no match
 Jan 16 14:39:35 charon 75651 16[CFG] <con2|4> config: 0.0.0.0/0|/0, received: 0.0.0.0/0|/0 => match: 0.0.0.0/0|/0
 Jan 16 14:39:35 charon 75651 16[CFG] <con2|4> config: SITE2_LAN_IP/32|SITE2_ISOLATED_LAN_IP/32, received: 0.0.0.0/0|/0 => match: SITE2_LAN_IP/32|SITE2_ISOLATED_LAN_IP/32
 Jan 16 14:39:35 charon 75651 16[CFG] <con2|4> selecting traffic selectors for us:
 Jan 16 14:39:35 charon 75651 16[CFG] <con2|4> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
 Jan 16 14:39:35 charon 75651 16[CFG] <con2|4> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
 Jan 16 14:39:35 charon 75651 16[CFG] <con2|4> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
 Jan 16 14:39:35 charon 75651 16[CFG] <con2|4> proposal matches
 Jan 16 14:39:35 charon 75651 16[CFG] <con2|4> selecting proposal:
 Jan 16 14:39:35 charon 75651 16[ENC] <con2|4> parsed CREATE_CHILD_SA response 398 [ SA No KE TSi TSr ]
 Jan 16 14:39:35 charon 75651 16[NET] <con2|4> received packet: from CUSTOMER_WAN_IP[500] to PROVIDER_WAN_IP[500] (464 bytes)
 Jan 16 14:39:35 charon 75651 16[CFG] vici client 1268 disconnected
 Jan 16 14:39:35 charon 75651 07[NET] <con2|4> sending packet: from PROVIDER_WAN_IP[500] to CUSTOMER_WAN_IP[500] (560 bytes)
 Jan 16 14:39:35 charon 75651 07[ENC] <con2|4> generating CREATE_CHILD_SA request 398 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
 Jan 16 14:39:35 charon 75651 07[IKE] <con2|4> establishing CHILD_SA con2_3{16}
 Jan 16 14:39:35 charon 75651 07[CFG] <con2|4> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
 Jan 16 14:39:35 charon 75651 07[CFG] <con2|4> ::/0|/0
 Jan 16 14:39:35 charon 75651 07[CFG] <con2|4> 0.0.0.0/0|/0
 Jan 16 14:39:35 charon 75651 07[CFG] <con2|4> CUSTOMER_LAN_RANGE|/0
 Jan 16 14:39:35 charon 75651 07[CFG] <con2|4> proposing traffic selectors for other:
 Jan 16 14:39:35 charon 75651 07[CFG] <con2|4> ::/0|/0
 Jan 16 14:39:35 charon 75651 07[CFG] <con2|4> 0.0.0.0/0|/0
 Jan 16 14:39:35 charon 75651 07[CFG] <con2|4> SITE2_LAN_IP/32|SITE2_ISOLATED_LAN_IP/32
 Jan 16 14:39:35 charon 75651 07[CFG] <con2|4> proposing traffic selectors for us:
 Jan 16 14:39:35 charon 75651 07[IKE] <con2|4> activating CHILD_CREATE task
 Jan 16 14:39:35 charon 75651 07[IKE] <con2|4> activating new tasks
 Jan 16 14:39:35 charon 75651 07[IKE] <con2|4> queueing CHILD_CREATE task
 Jan 16 14:39:35 charon 75651 07[CFG] initiating 'con2_3'
 Jan 16 14:39:35 charon 75651 07[CFG] updated vici connection: con2
 Jan 16 14:39:35 charon 75651 07[CFG] class = pre-shared key
 Jan 16 14:39:35 charon 75651 07[CFG] local:
 Jan 16 14:39:35 charon 75651 07[CFG] proposals = IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
 Jan 16 14:39:35 charon 75651 07[CFG] rekey_time = 25920
 Jan 16 14:39:35 charon 75651 07[CFG] fragmentation = 2
 Jan 16 14:39:35 charon 75651 07[CFG] dscp = 0x00
 Jan 16 14:39:35 charon 75651 07[CFG] ppk_id = (null)
 Jan 16 14:39:35 charon 75651 07[CFG] local_port = 500
 Jan 16 14:39:35 charon 75651 07[CFG] remote_addrs = CUSTOMER_WAN_IP
 Jan 16 14:39:35 charon 75651 07[CFG] local_addrs = PROVIDER_WAN_IP
 Jan 16 14:39:35 charon 75651 07[CFG] version = 2
 Jan 16 14:39:35 charon 75651 07[CFG] copy_dscp = out
 Jan 16 14:39:35 charon 75651 07[CFG] copy_ecn = 1
 Jan 16 14:39:35 charon 75651 07[CFG] copy_df = 1
 Jan 16 14:39:35 charon 75651 07[CFG] sha256_96 = 0
 Jan 16 14:39:35 charon 75651 07[CFG] hw_offload = no
 Jan 16 14:39:35 charon 75651 07[CFG] remote_ts = CUSTOMER_LAN_RANGE|/0 0.0.0.0/0|/0 ::/0|/0
 Jan 16 14:39:35 charon 75651 07[CFG] local_ts = SITE2_LAN_IP/32|SITE2_ISOLATED_LAN_IP/32 0.0.0.0/0|/0 ::/0|/0
 Jan 16 14:39:35 charon 75651 07[CFG] proposals = ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
 Jan 16 14:39:35 charon 75651 07[CFG] inactivity = 0
 Jan 16 14:39:35 charon 75651 07[CFG] label_mode = system
 Jan 16 14:39:35 charon 75651 07[CFG] label = (null)
 Jan 16 14:39:35 charon 75651 07[CFG] set_mark_out = 0/0
 Jan 16 14:39:35 charon 75651 07[CFG] set_mark_in = 0/0
 Jan 16 14:39:35 charon 75651 07[CFG] mark_out = 0/0
 Jan 16 14:39:35 charon 75651 07[CFG] mark_in_sa = 0
 Jan 16 14:39:35 charon 75651 07[CFG] mark_in = 0/0
 Jan 16 14:39:35 charon 75651 07[CFG] if_id_out = 0
 Jan 16 14:39:35 charon 75651 07[CFG] if_id_in = 0
 Jan 16 14:39:35 charon 75651 07[CFG] interface = (null)
 Jan 16 14:39:35 charon 75651 07[CFG] priority = 0
 Jan 16 14:39:35 charon 75651 07[CFG] tfc = 0
 Jan 16 14:39:35 charon 75651 07[CFG] reqid = 5003
 Jan 16 14:39:35 charon 75651 07[CFG] close_action = none
 Jan 16 14:39:35 charon 75651 07[CFG] start_action = start
 Jan 16 14:39:35 charon 75651 07[CFG] dpd_action = start
 Jan 16 14:39:35 charon 75651 07[CFG] policies_fwd_out = 0
 Jan 16 14:39:35 charon 75651 07[CFG] policies = 1
 Jan 16 14:39:35 charon 75651 07[CFG] mode = TUNNEL
 Jan 16 14:39:35 charon 75651 07[CFG] ipcomp = 0
 Jan 16 14:39:35 charon 75651 07[CFG] hostaccess = 0
 Jan 16 14:39:35 charon 75651 07[CFG] updown = (null)
 Jan 16 14:39:35 charon 75651 07[CFG] rand_packets = 0
 Jan 16 14:39:35 charon 75651 07[CFG] life_packets = 0
 Jan 16 14:39:35 charon 75651 07[CFG] rekey_packets = 0
 Jan 16 14:39:35 charon 75651 07[CFG] rand_bytes = 0
 Jan 16 14:39:35 charon 75651 07[CFG] life_bytes = 0
 Jan 16 14:39:35 charon 75651 07[CFG] rekey_bytes = 0
 Jan 16 14:39:35 charon 75651 07[CFG] rand_time = 360
 Jan 16 14:39:35 charon 75651 07[CFG] life_time = 3600
 Jan 16 14:39:35 charon 75651 07[CFG] rekey_time = 3240
 Jan 16 14:39:35 charon 75651 07[CFG] child con2_3:
 Jan 16 14:39:35 charon 75651 07[CFG] copy_dscp = out
 Jan 16 14:39:35 charon 75651 07[CFG] copy_ecn = 1
 Jan 16 14:39:35 charon 75651 07[CFG] copy_df = 1
 Jan 16 14:39:35 charon 75651 07[CFG] sha256_96 = 0
 Jan 16 14:39:35 charon 75651 07[CFG] hw_offload = no
 Jan 16 14:39:35 charon 75651 07[CFG] remote_ts = VTI_CUSTOMER_IP/32|/0 0.0.0.0/0|/0 ::/0|/0
 Jan 16 14:39:35 charon 75651 07[CFG] local_ts = VTI_SITE2_IP/32|/0 0.0.0.0/0|/0 ::/0|/0
 Jan 16 14:39:35 charon 75651 07[CFG] proposals = ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
 Jan 16 14:39:35 charon 75651 07[CFG] inactivity = 0
 Jan 16 14:39:35 charon 75651 07[CFG] label_mode = system
 Jan 16 14:39:35 charon 75651 07[CFG] label = (null)
 Jan 16 14:39:35 charon 75651 07[CFG] set_mark_out = 0/0
 Jan 16 14:39:35 charon 75651 07[CFG] set_mark_in = 0/0
 Jan 16 14:39:35 charon 75651 07[CFG] mark_out = 0/0
 Jan 16 14:39:35 charon 75651 07[CFG] mark_in_sa = 0
 Jan 16 14:39:35 charon 75651 07[CFG] mark_in = 0/0
 Jan 16 14:39:35 charon 75651 07[CFG] if_id_out = 0
 Jan 16 14:39:35 charon 75651 07[CFG] if_id_in = 0
 Jan 16 14:39:35 charon 75651 07[CFG] interface = (null)
 Jan 16 14:39:35 charon 75651 07[CFG] priority = 0
 Jan 16 14:39:35 charon 75651 07[CFG] tfc = 0
 Jan 16 14:39:35 charon 75651 07[CFG] reqid = 5002
 Jan 16 14:39:35 charon 75651 07[CFG] close_action = none
 Jan 16 14:39:35 charon 75651 07[CFG] start_action = start
 Jan 16 14:39:35 charon 75651 07[CFG] dpd_action = start
 Jan 16 14:39:35 charon 75651 07[CFG] policies_fwd_out = 0
 Jan 16 14:39:35 charon 75651 07[CFG] policies = 0
 Jan 16 14:39:35 charon 75651 07[CFG] mode = TUNNEL
 Jan 16 14:39:35 charon 75651 07[CFG] ipcomp = 0
 Jan 16 14:39:35 charon 75651 07[CFG] hostaccess = 0
 Jan 16 14:39:35 charon 75651 07[CFG] updown = (null)
 Jan 16 14:39:35 charon 75651 07[CFG] rand_packets = 0
 Jan 16 14:39:35 charon 75651 07[CFG] life_packets = 0
 Jan 16 14:39:35 charon 75651 07[CFG] rekey_packets = 0
 Jan 16 14:39:35 charon 75651 07[CFG] rand_bytes = 0
 Jan 16 14:39:35 charon 75651 07[CFG] life_bytes = 0
 Jan 16 14:39:35 charon 75651 07[CFG] rekey_bytes = 0
 Jan 16 14:39:35 charon 75651 07[CFG] rand_time = 360
 Jan 16 14:39:35 charon 75651 07[CFG] life_time = 3600
 Jan 16 14:39:35 charon 75651 07[CFG] rekey_time = 3240
 Jan 16 14:39:35 charon 75651 07[CFG] child con2_2:
- 
 @Matt_Sharpe 
 Did you also replace the local and remote networks for any reason?
- 
 @viragomann if you're referring to me replacing the networks in the text above, I replaced all networks, both public and private, so as not to expose any part of the infrastructure. 
- 
 @Matt_Sharpe 
 I see. But without the info about which networks should be routed in IPSec, troubleshooting is not possible.
- 
 @viragomann OK, allow me to simply exclude the WAN addresses. I will substitute the ranges from the logs to match this forum post: 172.16.100.1 > IPsec tunnel > 172.16.200.253 (NATs to) 172.16.210.253 
- 
 10.199.47.1 = Provider VTI 
 10.199.47.2 = Customer VTI 
 PART 1 Last 500 IPsec Log Entries. (Maximum 500) 
 Jan 16 14:40:07 charon 75651 06[CFG] vici client 1276 disconnected
 Jan 16 14:40:07 charon 75651 12[CFG] updated vici connection: con2
 Jan 16 14:40:07 charon 75651 12[CFG] id = CUSTOMER_WAN_IP
 Jan 16 14:40:07 charon 75651 12[CFG] class = pre-shared key
 Jan 16 14:40:07 charon 75651 12[CFG] remote:
 Jan 16 14:40:07 charon 75651 12[CFG] id = PROVIDER_WAN_IP
 Jan 16 14:40:07 charon 75651 12[CFG] class = pre-shared key
 Jan 16 14:40:07 charon 75651 12[CFG] local:
 Jan 16 14:40:07 charon 75651 12[CFG] if_id_out = 0
 Jan 16 14:40:07 charon 75651 12[CFG] if_id_in = 0
 Jan 16 14:40:07 charon 75651 12[CFG] proposals = IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
 Jan 16 14:40:07 charon 75651 12[CFG] rand_time = 2880
 Jan 16 14:40:07 charon 75651 12[CFG] over_time = 2880
 Jan 16 14:40:07 charon 75651 12[CFG] rekey_time = 25920
 Jan 16 14:40:07 charon 75651 12[CFG] reauth_time = 0
 Jan 16 14:40:07 charon 75651 12[CFG] keyingtries = 1
 Jan 16 14:40:07 charon 75651 12[CFG] unique = UNIQUE_REPLACE
 Jan 16 14:40:07 charon 75651 12[CFG] childless = 0
 Jan 16 14:40:07 charon 75651 12[CFG] fragmentation = 2
 Jan 16 14:40:07 charon 75651 12[CFG] dpd_timeout = 0
 Jan 16 14:40:07 charon 75651 12[CFG] dpd_delay = 30
 Jan 16 14:40:07 charon 75651 12[CFG] encap = 0
 Jan 16 14:40:07 charon 75651 12[CFG] dscp = 0x00
 Jan 16 14:40:07 charon 75651 12[CFG] aggressive = 0
 Jan 16 14:40:07 charon 75651 12[CFG] mobike = 0
 Jan 16 14:40:07 charon 75651 12[CFG] ppk_required = 0
 Jan 16 14:40:07 charon 75651 12[CFG] ppk_id = (null)
 Jan 16 14:40:07 charon 75651 12[CFG] send_cert = CERT_SEND_IF_ASKED
 Jan 16 14:40:07 charon 75651 12[CFG] send_certreq = 1
 Jan 16 14:40:07 charon 75651 12[CFG] remote_port = 500
 Jan 16 14:40:07 charon 75651 12[CFG] local_port = 500
 Jan 16 14:40:07 charon 75651 12[CFG] remote_addrs = CUSTOMER_WAN_IP
 Jan 16 14:40:07 charon 75651 12[CFG] local_addrs = PROVIDER_WAN_IP
 Jan 16 14:40:07 charon 75651 12[CFG] version = 2
 Jan 16 14:40:07 charon 75651 12[CFG] copy_dscp = out
 Jan 16 14:40:07 charon 75651 12[CFG] copy_ecn = 1
 Jan 16 14:40:07 charon 75651 12[CFG] copy_df = 1
 Jan 16 14:40:07 charon 75651 12[CFG] sha256_96 = 0
 Jan 16 14:40:07 charon 75651 12[CFG] hw_offload = no
 Jan 16 14:40:07 charon 75651 12[CFG] remote_ts = 172.16.100.0/24|/0 0.0.0.0/0|/0 ::/0|/0
 Jan 16 14:40:07 charon 75651 12[CFG] local_ts = 172.16.200.253/32|172.16.210.253/32 0.0.0.0/0|/0 ::/0|/0
 Jan 16 14:40:07 charon 75651 12[CFG] proposals = ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
 Jan 16 14:40:07 charon 75651 12[CFG] inactivity = 0
 Jan 16 14:40:07 charon 75651 12[CFG] label_mode = system
 Jan 16 14:40:07 charon 75651 12[CFG] label = (null)
 Jan 16 14:40:07 charon 75651 12[CFG] set_mark_out = 0/0
 Jan 16 14:40:07 charon 75651 12[CFG] set_mark_in = 0/0
 Jan 16 14:40:07 charon 75651 12[CFG] mark_out = 0/0
 Jan 16 14:40:07 charon 75651 12[CFG] mark_in_sa = 0
 Jan 16 14:40:07 charon 75651 12[CFG] mark_in = 0/0
 Jan 16 14:40:07 charon 75651 12[CFG] if_id_out = 0
 Jan 16 14:40:07 charon 75651 12[CFG] if_id_in = 0
 Jan 16 14:40:07 charon 75651 12[CFG] interface = (null)
 Jan 16 14:40:07 charon 75651 12[CFG] priority = 0
 Jan 16 14:40:07 charon 75651 12[CFG] tfc = 0
 Jan 16 14:40:07 charon 75651 12[CFG] reqid = 5003
 Jan 16 14:40:07 charon 75651 12[CFG] close_action = none
 Jan 16 14:40:07 charon 75651 12[CFG] start_action = start
 Jan 16 14:40:07 charon 75651 12[CFG] dpd_action = start
 Jan 16 14:40:07 charon 75651 12[CFG] policies_fwd_out = 0
 Jan 16 14:40:07 charon 75651 12[CFG] policies = 1
 Jan 16 14:40:07 charon 75651 12[CFG] mode = TUNNEL
 Jan 16 14:40:07 charon 75651 12[CFG] ipcomp = 0
 Jan 16 14:40:07 charon 75651 12[CFG] hostaccess = 0
 Jan 16 14:40:07 charon 75651 12[CFG] updown = (null)
 Jan 16 14:40:07 charon 75651 12[CFG] rand_packets = 0
 Jan 16 14:40:07 charon 75651 12[CFG] life_packets = 0
 Jan 16 14:40:07 charon 75651 12[CFG] rekey_packets = 0
 Jan 16 14:40:07 charon 75651 12[CFG] rand_bytes = 0
 Jan 16 14:40:07 charon 75651 12[CFG] life_bytes = 0
 Jan 16 14:40:07 charon 75651 12[CFG] rekey_bytes = 0
 Jan 16 14:40:07 charon 75651 12[CFG] rand_time = 360
 Jan 16 14:40:07 charon 75651 12[CFG] life_time = 3600
 Jan 16 14:40:07 charon 75651 12[CFG] rekey_time = 3240
 Jan 16 14:40:07 charon 75651 12[CFG] child con2_3:
 Jan 16 14:40:07 charon 75651 12[CFG] copy_dscp = out
 Jan 16 14:40:07 charon 75651 12[CFG] copy_ecn = 1
 Jan 16 14:40:07 charon 75651 12[CFG] copy_df = 1
 Jan 16 14:40:07 charon 75651 12[CFG] sha256_96 = 0
 Jan 16 14:40:07 charon 75651 12[CFG] hw_offload = no
 Jan 16 14:40:07 charon 75651 12[CFG] remote_ts = 10.199.47.2/32|/0 0.0.0.0/0|/0 ::/0|/0
 Jan 16 14:40:07 charon 75651 12[CFG] local_ts = 10.199.47.1/32|/0 0.0.0.0/0|/0 ::/0|/0
 Jan 16 14:40:07 charon 75651 12[CFG] proposals = ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
 Jan 16 14:40:07 charon 75651 12[CFG] inactivity = 0
 Jan 16 14:40:07 charon 75651 12[CFG] label_mode = system
 Jan 16 14:40:07 charon 75651 12[CFG] label = (null)
 Jan 16 14:40:07 charon 75651 12[CFG] set_mark_out = 0/0
 Jan 16 14:40:07 charon 75651 12[CFG] set_mark_in = 0/0
 Jan 16 14:40:07 charon 75651 12[CFG] mark_out = 0/0
 Jan 16 14:40:07 charon 75651 12[CFG] mark_in_sa = 0
 Jan 16 14:40:07 charon 75651 12[CFG] mark_in = 0/0
 Jan 16 14:40:07 charon 75651 12[CFG] if_id_out = 0
 Jan 16 14:40:07 charon 75651 12[CFG] if_id_in = 0
 Jan 16 14:40:07 charon 75651 12[CFG] interface = (null)
 Jan 16 14:40:07 charon 75651 12[CFG] priority = 0
 Jan 16 14:40:07 charon 75651 12[CFG] tfc = 0
 Jan 16 14:40:07 charon 75651 12[CFG] reqid = 5002
 Jan 16 14:40:07 charon 75651 12[CFG] close_action = none
 Jan 16 14:40:07 charon 75651 12[CFG] start_action = start
 Jan 16 14:40:07 charon 75651 12[CFG] dpd_action = start
 Jan 16 14:40:07 charon 75651 12[CFG] policies_fwd_out = 0
 Jan 16 14:40:07 charon 75651 12[CFG] policies = 0
 Jan 16 14:40:07 charon 75651 12[CFG] mode = TUNNEL
 Jan 16 14:40:07 charon 75651 12[CFG] ipcomp = 0
 Jan 16 14:40:07 charon 75651 12[CFG] hostaccess = 0
 Jan 16 14:40:07 charon 75651 12[CFG] updown = (null)
 Jan 16 14:40:07 charon 75651 12[CFG] rand_packets = 0
 Jan 16 14:40:07 charon 75651 12[CFG] life_packets = 0
 Jan 16 14:40:07 charon 75651 12[CFG] rekey_packets = 0
 Jan 16 14:40:07 charon 75651 12[CFG] rand_bytes = 0
 Jan 16 14:40:07 charon 75651 12[CFG] life_bytes = 0
 Jan 16 14:40:07 charon 75651 12[CFG] rekey_bytes = 0
 Jan 16 14:40:07 charon 75651 12[CFG] rand_time = 360
 Jan 16 14:40:07 charon 75651 12[CFG] life_time = 3600
 Jan 16 14:40:07 charon 75651 12[CFG] rekey_time = 3240
 Jan 16 14:40:07 charon 75651 12[CFG] child con2_2:
 Jan 16 14:40:07 charon 75651 12[CFG] conn con2:
 Jan 16 14:40:07 charon 75651 12[CFG] vici client 1276 requests: load-conn
 Jan 16 14:40:07 charon 75651 12[CFG] updated vici connection: con1
 Jan 16 14:40:07 charon 75651 12[CFG] id = AZURE_WAN_IP
 Jan 16 14:40:07 charon 75651 12[CFG] class = pre-shared key
 Jan 16 14:40:07 charon 75651 12[CFG] remote:
 Jan 16 14:40:07 charon 75651 12[CFG] id = PROVIDER_WAN_IP
 Jan 16 14:40:07 charon 75651 12[CFG] class = pre-shared key
 Jan 16 14:40:07 charon 75651 12[CFG] local:
 Jan 16 14:40:07 charon 75651 12[CFG] if_id_out = 0
 Jan 16 14:40:07 charon 75651 12[CFG] if_id_in = 0
 Jan 16 14:40:07 charon 75651 12[CFG] proposals = IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
 Jan 16 14:40:07 charon 75651 12[CFG] rand_time = 2880
 Jan 16 14:40:07 charon 75651 12[CFG] over_time = 2880
 Jan 16 14:40:07 charon 75651 12[CFG] rekey_time = 0
 Jan 16 14:40:07 charon 75651 12[CFG] reauth_time = 25920
 Jan 16 14:40:07 charon 75651 12[CFG] keyingtries = 1
 Jan 16 14:40:07 charon 75651 12[CFG] unique = UNIQUE_REPLACE
 Jan 16 14:40:07 charon 75651 12[CFG] childless = 0
 Jan 16 14:40:07 charon 75651 12[CFG] fragmentation = 2
 Jan 16 14:40:07 charon 75651 12[CFG] dpd_timeout = 60
 Jan 16 14:40:07 charon 75651 12[CFG] dpd_delay = 10
 Jan 16 14:40:07 charon 75651 12[CFG] encap = 0
 Jan 16 14:40:07 charon 75651 12[CFG] dscp = 0x00
 Jan 16 14:40:07 charon 75651 12[CFG] aggressive = 0
 Jan 16 14:40:07 charon 75651 12[CFG] mobike = 0
 Jan 16 14:40:07 charon 75651 12[CFG] ppk_required = 0
 Jan 16 14:40:07 charon 75651 12[CFG] ppk_id = (null)
 Jan 16 14:40:07 charon 75651 12[CFG] send_cert = CERT_SEND_IF_ASKED
 Jan 16 14:40:07 charon 75651 12[CFG] send_certreq = 1
 Jan 16 14:40:07 charon 75651 12[CFG] remote_port = 500
 Jan 16 14:40:07 charon 75651 12[CFG] local_port = 500
 Jan 16 14:40:07 charon 75651 12[CFG] remote_addrs = AZURE_WAN_IP
 Jan 16 14:40:07 charon 75651 12[CFG] local_addrs = PROVIDER_WAN_IP
 Jan 16 14:40:07 charon 75651 12[CFG] version = 1
 Jan 16 14:40:07 charon 75651 12[CFG] copy_dscp = out
 Jan 16 14:40:07 charon 75651 12[CFG] copy_ecn = 1
 Jan 16 14:40:07 charon 75651 12[CFG] copy_df = 1
 Jan 16 14:40:07 charon 75651 12[CFG] sha256_96 = 0
 Jan 16 14:40:07 charon 75651 12[CFG] hw_offload = no
 Jan 16 14:40:07 charon 75651 12[CFG] remote_ts = AZURE_LAN|/0
 Jan 16 14:40:07 charon 75651 12[CFG] local_ts = 172.16.200.0/24|/0
 Jan 16 14:40:07 charon 75651 12[CFG] proposals = ESP:AES_GCM_16_256/NO_EXT_SEQ, ESP:AES_GCM_12_256/NO_EXT_SEQ, ESP:AES_GCM_8_256/NO_EXT_SEQ, ESP:AES_GCM_16_128/NO_EXT_SEQ, ESP:AES_GCM_12_128/NO_EXT_SEQ, ESP:AES_GCM_8_128/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
 Jan 16 14:40:07 charon 75651 12[CFG] inactivity = 0
 Jan 16 14:40:07 charon 75651 12[CFG] label_mode = system
 Jan 16 14:40:07 charon 75651 12[CFG] label = (null)
 Jan 16 14:40:07 charon 75651 12[CFG] set_mark_out = 0/0
 Jan 16 14:40:07 charon 75651 12[CFG] set_mark_in = 0/0
 Jan 16 14:40:07 charon 75651 12[CFG] mark_out = 0/0
 Jan 16 14:40:07 charon 75651 12[CFG] mark_in_sa = 0
 Jan 16 14:40:07 charon 75651 12[CFG] mark_in = 0/0
 Jan 16 14:40:07 charon 75651 12[CFG] if_id_out = 0
 Jan 16 14:40:07 charon 75651 12[CFG] if_id_in = 0
 Jan 16 14:40:07 charon 75651 12[CFG] interface = (null)
 Jan 16 14:40:07 charon 75651 12[CFG] priority = 0
 Jan 16 14:40:07 charon 75651 12[CFG] tfc = 0
 Jan 16 14:40:07 charon 75651 12[CFG] reqid = 0
 Jan 16 14:40:07 charon 75651 12[CFG] close_action = none
 Jan 16 14:40:07 charon 75651 12[CFG] start_action = trap
 Jan 16 14:40:07 charon 75651 12[CFG] dpd_action = trap
 Jan 16 14:40:07 charon 75651 12[CFG] policies_fwd_out = 0
 Jan 16 14:40:07 charon 75651 12[CFG] policies = 1
 Jan 16 14:40:07 charon 75651 12[CFG] mode = TUNNEL
 Jan 16 14:40:07 charon 75651 12[CFG] ipcomp = 0
 Jan 16 14:40:07 charon 75651 12[CFG] hostaccess = 0
 Jan 16 14:40:07 charon 75651 12[CFG] updown = (null)
 Jan 16 14:40:07 charon 75651 12[CFG] rand_packets = 0
 Jan 16 14:40:07 charon 75651 12[CFG] life_packets = 0
 Jan 16 14:40:07 charon 75651 12[CFG] rekey_packets = 0
 Jan 16 14:40:07 charon 75651 12[CFG] rand_bytes = 0
 Jan 16 14:40:07 charon 75651 12[CFG] life_bytes = 0
 Jan 16 14:40:07 charon 75651 12[CFG] rekey_bytes = 0
 Jan 16 14:40:07 charon 75651 12[CFG] rand_time = 360
 Jan 16 14:40:07 charon 75651 12[CFG] life_time = 3600
 Jan 16 14:40:07 charon 75651 12[CFG] rekey_time = 3240
 Jan 16 14:40:07 charon 75651 12[CFG] child con1_1:
 Jan 16 14:40:07 charon 75651 12[CFG] conn con1:
 Jan 16 14:40:07 charon 75651 12[CFG] vici client 1276 requests: load-conn
 Jan 16 14:40:07 charon 75651 12[CFG] updated vici connection: bypass
 Jan 16 14:40:07 charon 75651 12[CFG] remote:
 Jan 16 14:40:07 charon 75651 12[CFG] local:
 Jan 16 14:40:07 charon 75651 12[CFG] if_id_out = 0
 Jan 16 14:40:07 charon 75651 12[CFG] if_id_in = 0
 Jan 16 14:40:07 charon 75651 12[CFG] proposals = IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/CHACHA20_POLY1305/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
 Jan 16 14:40:07 charon 75651 12[CFG] rand_time = 1440
 Jan 16 14:40:07 charon 75651 12[CFG] over_time = 1440
 Jan 16 14:40:07 charon 75651 12[CFG] rekey_time = 14400
 Jan 16 14:40:07 charon 75651 12[CFG] reauth_time = 0
 Jan 16 14:40:07 charon 75651 12[CFG] keyingtries = 1
 Jan 16 14:40:07 charon 75651 12[CFG] unique = UNIQUE_NO
 Jan 16 14:40:07 charon 75651 12[CFG] childless = 0
 Jan 16 14:40:07 charon 75651 12[CFG] fragmentation = 2
 Jan 16 14:40:07 charon 75651 12[CFG] dpd_timeout = 0
 Jan 16 14:40:07 charon 75651 12[CFG] dpd_delay = 0
 Jan 16 14:40:07 charon 75651 12[CFG] encap = 0
 Jan 16 14:40:07 charon 75651 12[CFG] dscp = 0x00
 Jan 16 14:40:07 charon 75651 12[CFG] aggressive = 0
 Jan 16 14:40:07 charon 75651 12[CFG] mobike = 1
 Jan 16 14:40:07 charon 75651 12[CFG] ppk_required = 0
 Jan 16 14:40:07 charon 75651 12[CFG] ppk_id = (null)
 Jan 16 14:40:07 charon 75651 12[CFG] send_cert = CERT_SEND_IF_ASKED
 Jan 16 14:40:07 charon 75651 12[CFG] send_certreq = 1
 Jan 16 14:40:07 charon 75651 12[CFG] remote_port = 500
 Jan 16 14:40:07 charon 75651 12[CFG] local_port = 500
 Jan 16 14:40:07 charon 75651 12[CFG] remote_addrs = 127.0.0.1
 Jan 16 14:40:07 charon 75651 12[CFG] local_addrs = %any
 Jan 16 14:40:07 charon 75651 12[CFG] version = 0
 Jan 16 14:40:07 charon 75651 12[CFG] copy_dscp = out
 Jan 16 14:40:07 charon 75651 12[CFG] copy_ecn = 1
 Jan 16 14:40:07 charon 75651 12[CFG] copy_df = 1
 Jan 16 14:40:07 charon 75651 12[CFG] sha256_96 = 0
 Jan 16 14:40:07 charon 75651 12[CFG] hw_offload = no
 Jan 16 14:40:07 charon 75651 12[CFG] remote_ts = 172.16.200.0/24|/0
 Jan 16 14:40:07 charon 75651 12[CFG] local_ts = 172.16.200.0/24|/0
 Jan 16 14:40:07 charon 75651 12[CFG] proposals = ESP:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
 Jan 16 14:40:07 charon 75651 12[CFG] inactivity = 0
 Jan 16 14:40:07 charon 75651 12[CFG] label_mode = system
 Jan 16 14:40:07 charon 75651 12[CFG] label = (null)
 Jan 16 14:40:07 charon 75651 12[CFG] set_mark_out = 0/0
 Jan 16 14:40:07 charon 75651 12[CFG] set_mark_in = 0/0
 Jan 16 14:40:07 charon 75651 12[CFG] mark_out = 0/0
 Jan 16 14:40:07 charon 75651 12[CFG] mark_in_sa = 0
 Jan 16 14:40:07 charon 75651 12[CFG] mark_in = 0/0
 Jan 16 14:40:07 charon 75651 12[CFG] if_id_out = 0
 Jan 16 14:40:07 charon 75651 12[CFG] if_id_in = 0
 Jan 16 14:40:07 charon 75651 12[CFG] interface = (null)
 Jan 16 14:40:07 charon 75651 12[CFG] priority = 0
 Jan 16 14:40:07 charon 75651 12[CFG] tfc = 0
 Jan 16 14:40:07 charon 75651 12[CFG] reqid = 0
 Jan 16 14:40:07 charon 75651 12[CFG] close_action = none
 Jan 16 14:40:07 charon 75651 12[CFG] start_action = trap
 Jan 16 14:40:07 charon 75651 12[CFG] dpd_action = none
 Jan 16 14:40:07 charon 75651 12[CFG] policies_fwd_out = 0
- 
 Jan 16 14:40:07 charon 75651 12[CFG] policies = 1 
 Jan 16 14:40:07 charon 75651 12[CFG] mode = PASS
 Jan 16 14:40:07 charon 75651 12[CFG] ipcomp = 0
 Jan 16 14:40:07 charon 75651 12[CFG] hostaccess = 0
 Jan 16 14:40:07 charon 75651 12[CFG] updown = (null)
 Jan 16 14:40:07 charon 75651 12[CFG] rand_packets = 0
 Jan 16 14:40:07 charon 75651 12[CFG] life_packets = 0
 Jan 16 14:40:07 charon 75651 12[CFG] rekey_packets = 0
 Jan 16 14:40:07 charon 75651 12[CFG] rand_bytes = 0
 Jan 16 14:40:07 charon 75651 12[CFG] life_bytes = 0
 Jan 16 14:40:07 charon 75651 12[CFG] rekey_bytes = 0
 Jan 16 14:40:07 charon 75651 12[CFG] rand_time = 360
 Jan 16 14:40:07 charon 75651 12[CFG] life_time = 3960
 Jan 16 14:40:07 charon 75651 12[CFG] rekey_time = 3600
 Jan 16 14:40:07 charon 75651 12[CFG] child bypasslan:
 Jan 16 14:40:07 charon 75651 12[CFG] conn bypass:
 Jan 16 14:40:07 charon 75651 12[CFG] vici client 1276 requests: load-conn
 Jan 16 14:40:07 charon 75651 12[CFG] vici client 1276 requests: get-conns
 Jan 16 14:40:07 charon 75651 12[CFG] vici client 1276 requests: get-pools
 Jan 16 14:40:07 charon 75651 12[CFG] vici client 1276 requests: get-authorities
 Jan 16 14:40:07 charon 75651 12[CFG] loaded IKE shared key with id 'ike-1' for: '%any', 'CUSTOMER_WAN_IP'
 Jan 16 14:40:07 charon 75651 12[CFG] vici client 1276 requests: load-shared
 Jan 16 14:40:07 charon 75651 12[CFG] loaded IKE shared key with id 'ike-0' for: '%any', 'AZURE_WAN_IP'
 Jan 16 14:40:07 charon 75651 12[CFG] vici client 1276 requests: load-shared
 Jan 16 14:40:07 charon 75651 12[CFG] vici client 1276 requests: get-shared
 Jan 16 14:40:07 charon 75651 14[CFG] vici client 1276 requests: get-keys
 Jan 16 14:40:07 charon 75651 14[CFG] vici client 1276 connected
 Jan 16 14:40:07 charon 75651 07[CFG] vici client 1275 disconnected
 Jan 16 14:40:07 charon 75651 07[CFG] loaded 0 RADIUS server configurations
 Jan 16 14:40:07 charon 75651 07[CFG] loaded 0 entries for attr plugin configuration
 Jan 16 14:40:07 charon 75651 07[CFG] ipseckey plugin is disabled
 Jan 16 14:40:07 charon 75651 07[CFG] vici client 1275 requests: reload-settings
 Jan 16 14:40:07 charon 75651 14[CFG] vici client 1275 connected
 Jan 16 14:40:07 charon 75651 05[IKE] <con2|4> keeping statically configured path PROVIDER_WAN_IP - CUSTOMER_WAN_IP
 Jan 16 14:40:07 charon 75651 05[KNL] 10.199.47.1 appeared on ipsec2
 Jan 16 14:40:07 charon 75651 13[KNL] interface ipsec2 appeared
 Jan 16 14:40:07 charon 75651 13[KNL] interface ipsec2 disappeared
 Jan 16 14:40:07 charon 75651 09[KNL] interface ipsec2 deactivated
 Jan 16 14:40:07 charon 75651 09[KNL] 10.199.47.1 disappeared from ipsec2
 Jan 16 14:40:06 charon 75651 09[IKE] <con1|3> nothing to initiate
 Jan 16 14:40:06 charon 75651 09[IKE] <con1|3> activating new tasks
 Jan 16 14:40:06 charon 75651 09[NET] <con1|3> sending packet: from PROVIDER_WAN_IP[500] to AZURE_WAN_IP[500] (92 bytes)
 Jan 16 14:40:06 charon 75651 09[ENC] <con1|3> generating INFORMATIONAL_V1 request 2819744997 [ HASH N(DPD_ACK) ]
 Jan 16 14:40:06 charon 75651 09[IKE] <con1|3> activating ISAKMP_DPD task
 Jan 16 14:40:06 charon 75651 09[IKE] <con1|3> activating new tasks
 Jan 16 14:40:06 charon 75651 09[IKE] <con1|3> queueing ISAKMP_DPD task
 Jan 16 14:40:06 charon 75651 09[ENC] <con1|3> parsed INFORMATIONAL_V1 request 1404219913 [ HASH N(DPD) ]
 Jan 16 14:40:06 charon 75651 09[NET] <con1|3> received packet: from AZURE_WAN_IP[500] to PROVIDER_WAN_IP[500] (92 bytes)
 Jan 16 14:40:05 charon 75651 09[CFG] vici client 1274 disconnected
 Jan 16 14:40:05 charon 75651 09[CFG] vici client 1274 requests: list-sas
 Jan 16 14:40:05 charon 75651 15[CFG] vici client 1274 registered for: list-sa
 Jan 16 14:40:05 charon 75651 15[CFG] vici client 1274 connected
 Jan 16 14:40:02 charon 75651 09[IKE] <con1|3> nothing to initiate
 Jan 16 14:40:02 charon 75651 09[IKE] <con1|3> activating new tasks
 Jan 16 14:40:02 charon 75651 09[ENC] <con1|3> parsed INFORMATIONAL_V1 request 1532146135 [ HASH N(DPD_ACK) ]
 Jan 16 14:40:02 charon 75651 09[NET] <con1|3> received packet: from AZURE_WAN_IP[500] to PROVIDER_WAN_IP[500] (92 bytes)
 Jan 16 14:40:02 charon 75651 09[IKE] <con1|3> nothing to initiate
 Jan 16 14:40:02 charon 75651 09[IKE] <con1|3> activating new tasks
 Jan 16 14:40:02 charon 75651 09[NET] <con1|3> sending packet: from PROVIDER_WAN_IP[500] to AZURE_WAN_IP[500] (92 bytes)
 Jan 16 14:40:02 charon 75651 09[ENC] <con1|3> generating INFORMATIONAL_V1 request 1473236439 [ HASH N(DPD) ]
 Jan 16 14:40:02 charon 75651 09[IKE] <con1|3> activating ISAKMP_DPD task
 Jan 16 14:40:02 charon 75651 09[IKE] <con1|3> activating new tasks
 Jan 16 14:40:02 charon 75651 09[IKE] <con1|3> queueing ISAKMP_DPD task
 Jan 16 14:40:02 charon 75651 09[IKE] <con1|3> sending DPD request
 Jan 16 14:40:00 charon 75651 09[CFG] vici client 1273 disconnected
 Jan 16 14:40:00 charon 75651 15[CFG] vici client 1273 requests: list-sas
 Jan 16 14:40:00 charon 75651 11[CFG] vici client 1273 registered for: list-sa
 Jan 16 14:40:00 charon 75651 11[CFG] vici client 1273 connected
 Jan 16 14:39:55 charon 75651 15[CFG] vici client 1272 disconnected
 Jan 16 14:39:55 charon 75651 11[CFG] vici client 1272 requests: list-sas
 Jan 16 14:39:55 charon 75651 08[CFG] vici client 1272 registered for: list-sa
 Jan 16 14:39:55 charon 75651 11[CFG] vici client 1272 connected
 Jan 16 14:39:52 charon 75651 08[IKE] <con1|3> nothing to initiate
 Jan 16 14:39:52 charon 75651 08[IKE] <con1|3> activating new tasks
 Jan 16 14:39:52 charon 75651 08[NET] <con1|3> sending packet: from PROVIDER_WAN_IP[500] to AZURE_WAN_IP[500] (92 bytes)
 Jan 16 14:39:52 charon 75651 08[ENC] <con1|3> generating INFORMATIONAL_V1 request 316903062 [ HASH N(DPD_ACK) ]
 Jan 16 14:39:52 charon 75651 08[IKE] <con1|3> activating ISAKMP_DPD task
 Jan 16 14:39:52 charon 75651 08[IKE] <con1|3> activating new tasks
 Jan 16 14:39:52 charon 75651 08[IKE] <con1|3> queueing ISAKMP_DPD task
 Jan 16 14:39:52 charon 75651 08[ENC] <con1|3> parsed INFORMATIONAL_V1 request 2810856974 [ HASH N(DPD) ]
 Jan 16 14:39:52 charon 75651 08[NET] <con1|3> received packet: from AZURE_WAN_IP[500] to PROVIDER_WAN_IP[500] (92 bytes)
 Jan 16 14:39:50 charon 75651 08[CFG] vici client 1271 disconnected
 Jan 16 14:39:50 charon 75651 16[CFG] vici client 1271 requests: list-sas
 Jan 16 14:39:50 charon 75651 16[CFG] vici client 1271 registered for: list-sa
 Jan 16 14:39:50 charon 75651 16[CFG] vici client 1271 connected
 Jan 16 14:39:48 charon 75651 11[IKE] <con1|3> nothing to initiate
 Jan 16 14:39:48 charon 75651 11[IKE] <con1|3> activating new tasks
 Jan 16 14:39:48 charon 75651 11[ENC] <con1|3> parsed INFORMATIONAL_V1 request 1390613614 [ HASH N(DPD_ACK) ]
 Jan 16 14:39:48 charon 75651 11[NET] <con1|3> received packet: from AZURE_WAN_IP[500] to PROVIDER_WAN_IP[500] (92 bytes)
 Jan 16 14:39:48 charon 75651 11[IKE] <con1|3> nothing to initiate
 Jan 16 14:39:48 charon 75651 11[IKE] <con1|3> activating new tasks
 Jan 16 14:39:48 charon 75651 11[NET] <con1|3> sending packet: from PROVIDER_WAN_IP[500] to AZURE_WAN_IP[500] (92 bytes)
 Jan 16 14:39:48 charon 75651 11[ENC] <con1|3> generating INFORMATIONAL_V1 request 2462119987 [ HASH N(DPD) ]
 Jan 16 14:39:48 charon 75651 11[IKE] <con1|3> activating ISAKMP_DPD task
 Jan 16 14:39:48 charon 75651 11[IKE] <con1|3> activating new tasks
 Jan 16 14:39:48 charon 75651 11[IKE] <con1|3> queueing ISAKMP_DPD task
 Jan 16 14:39:48 charon 75651 11[IKE] <con1|3> sending DPD request
 Jan 16 14:39:45 charon 75651 11[CFG] vici client 1270 disconnected
 Jan 16 14:39:45 charon 75651 16[CFG] vici client 1270 requests: list-sas
 Jan 16 14:39:45 charon 75651 06[CFG] vici client 1270 registered for: list-sa
 Jan 16 14:39:45 charon 75651 06[CFG] vici client 1270 connected
 Jan 16 14:39:39 charon 75651 06[CFG] vici client 1269 disconnected
 Jan 16 14:39:39 charon 75651 16[CFG] vici client 1269 requests: list-sas
 Jan 16 14:39:39 charon 75651 10[CFG] vici client 1269 registered for: list-sa
 Jan 16 14:39:39 charon 75651 10[CFG] vici client 1269 connected
- 
 @Matt_Sharpe said in IPSec DNAT not working: 
 Jan 16 14:40:07 charon 75651 12[CFG] remote_ts = 172.16.200.0/24|/0 
 Jan 16 14:40:07 charon 75651 12[CFG] local_ts = 172.16.200.0/24|/0 
 Did you replace one of these wrongly? 
 Remote and local network cannot be the same.
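 Added example (not code from this thread, from pfSense or from strongSwan): a small Python checker that reads the charon "updated vici connection" dump as the pfSense IPsec log viewer prints it (newest line first), groups the settings per conn and child, and applies two checks to every child: the one raised above (a child whose local_ts and remote_ts contain the same network) and a conn that mixes a routed child (policies = 0) with a policy-based child (policies = 1), which is what the con2 dump in this thread shows with con2_2 and con2_3. A mode = PASS child such as bypasslan is skipped because a PASS policy exempts traffic from IPsec rather than tunnelling it, so the LAN on both sides is its purpose, not a mistake. The sample lines are trimmed copies of the thread's dump plus a constructed con9; the handling of the "|" inside selectors() is an assumption about the dump format.

```python
import ipaddress
import re
from collections import OrderedDict

CFG_RE = re.compile(r"\[CFG\]\s+(?P<body>.*?)\s*$")
ANY = {"0.0.0.0/0", "::/0"}   # both sides of a pfSense VTI child carry these
WANTED = ("local_ts", "remote_ts", "mode", "policies")

# Constructed sample, newest line first as the pfSense viewer prints it: con2 and
# bypass are trimmed from the thread's dump; con9 is made up to trigger a finding.
SAMPLE_LOG = """\
Jan 16 14:40:07 charon 75651 12[CFG] remote_ts = 192.0.2.0/24|/0
Jan 16 14:40:07 charon 75651 12[CFG] local_ts = 192.0.2.0/24|/0
Jan 16 14:40:07 charon 75651 12[CFG] policies = 1
Jan 16 14:40:07 charon 75651 12[CFG] mode = TUNNEL
Jan 16 14:40:07 charon 75651 12[CFG] child con9_1:
Jan 16 14:40:07 charon 75651 12[CFG] conn con9:
Jan 16 14:40:07 charon 75651 12[CFG] remote_ts = 172.16.100.0/24|/0 0.0.0.0/0|/0 ::/0|/0
Jan 16 14:40:07 charon 75651 12[CFG] local_ts = 172.16.200.253/32|172.16.210.253/32 0.0.0.0/0|/0 ::/0|/0
Jan 16 14:40:07 charon 75651 12[CFG] policies = 1
Jan 16 14:40:07 charon 75651 12[CFG] mode = TUNNEL
Jan 16 14:40:07 charon 75651 12[CFG] child con2_3:
Jan 16 14:40:07 charon 75651 12[CFG] remote_ts = 10.199.47.2/32|/0 0.0.0.0/0|/0 ::/0|/0
Jan 16 14:40:07 charon 75651 12[CFG] local_ts = 10.199.47.1/32|/0 0.0.0.0/0|/0 ::/0|/0
Jan 16 14:40:07 charon 75651 12[CFG] policies = 0
Jan 16 14:40:07 charon 75651 12[CFG] mode = TUNNEL
Jan 16 14:40:07 charon 75651 12[CFG] child con2_2:
Jan 16 14:40:07 charon 75651 12[CFG] conn con2:
Jan 16 14:40:07 charon 75651 12[CFG] remote_ts = 172.16.200.0/24|/0
Jan 16 14:40:07 charon 75651 12[CFG] local_ts = 172.16.200.0/24|/0
Jan 16 14:40:07 charon 75651 12[CFG] policies = 1
Jan 16 14:40:07 charon 75651 12[CFG] mode = PASS
Jan 16 14:40:07 charon 75651 12[CFG] child bypasslan:
Jan 16 14:40:07 charon 75651 12[CFG] conn bypass:
"""


def parse_vici_dump(text, newest_first=True):
    """{conn: {child: {key: value}}} for the keys in WANTED. charon logs 'conn X:',
    then each 'child Y:' followed by its settings, then the conn-level keys; the
    pfSense viewer reverses the file, so flip it back before parsing."""
    lines = text.splitlines()
    if newest_first:
        lines.reverse()
    conns, conn, child = OrderedDict(), None, None
    for line in lines:
        m = CFG_RE.search(line)
        if not m:
            continue
        body = m.group("body")
        if body.startswith("conn ") and body.endswith(":"):
            conn, child = body[5:-1], None
            conns[conn] = OrderedDict()
        elif body.startswith("child ") and body.endswith(":") and conn:
            child = body[6:-1]
            conns[conn][child] = {}
        elif child and " = " in body:
            key, _, value = body.partition(" = ")
            if key in WANTED:
                conns[conn][child][key] = value
    return conns


def selectors(value):
    """local_ts/remote_ts value -> ip_network list. Assumption about the dump
    format: each whitespace-separated token is one selector and the text before
    '|' is the network the SA is negotiated for (for the BINAT child the text
    after '|' is the translated address), so only the part before '|' is used."""
    return [ipaddress.ip_network(tok.split("|", 1)[0], strict=False)
            for tok in value.split() if tok.split("|", 1)[0]]


def covered_by(policy_sel, routed_sel):
    """Selectors of the routed child that lie inside one of the policy child's."""
    return [str(b) for b in routed_sel
            if any(a.version == b.version and b.subnet_of(a) for a in policy_sel)]


def check_children(conns):
    """Findings as (conn, child, kind, detail) tuples."""
    out = []
    for conn, children in conns.items():
        sel = {c: (selectors(cfg.get("local_ts", "")), selectors(cfg.get("remote_ts", "")))
               for c, cfg in children.items()}
        for child, cfg in children.items():
            if cfg.get("mode") == "PASS":   # bypass policy (pfSense bypasslan), not a tunnel
                continue
            same = ({str(n) for n in sel[child][0]} & {str(n) for n in sel[child][1]}) - ANY
            if same:
                out.append((conn, child, "same_selector",
                            "local_ts and remote_ts both contain " + ", ".join(sorted(same))))
        routed = [c for c, cfg in children.items() if cfg.get("policies") == "0"]
        for p in [c for c, cfg in children.items() if cfg.get("policies") == "1"]:
            for r in routed:
                out.append((conn, p, "mixed_policy_and_routed",
                            f"{p} (policies = 1) and routed {r} (policies = 0) share conn {conn}; "
                            f"{p} covers {r}'s local {covered_by(sel[p][0], sel[r][0])} "
                            f"and remote {covered_by(sel[p][1], sel[r][1])}"))
    return out


if __name__ == "__main__":
    for conn, child, kind, detail in check_children(parse_vici_dump(SAMPLE_LOG)):
        print(f"{conn}/{child}: {kind}: {detail}")
```

 Paste the whole "Last 500 IPsec Log Entries" block into SAMPLE_LOG (or read it from a file) and run it; on the thread's dump it reports con2_3 (policies = 1) sharing con2 with the routed con2_2 (policies = 0), with con2_3's 0.0.0.0/0 and ::/0 selectors covering the VTI addresses, and stays silent on bypasslan. Only a connection's own children are compared, so a second conn such as con1 with its own 172.16.200.0/24 selector is not flagged against con2.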