IPsec between D-Link DFL-860E and strongSwan on pfSense 2.2



  • It all started with the move to the new pfSense 2.2 release. The old 2.1 release used racoon and worked reliably. pfSense 2.2 ships strongSwan, and the tunnel hangs after n hours of operation.
    Both gateways have public IPs from the same provider, in different parts of the city, obtained via PPPoE. IPsec reauth completes normally every 7 hours; I watched it over the course of a day.
    I tried various encryption options. Still, when I come in the next day, the IPsec status is Disconnected. I stop the ipsec service for a minute and start it again, and it works for the rest of the working day.
    What can be done to keep the tunnel from dropping?

    Here is the log:

    at 07:49:24 I clicked connect on the tunnel

    at 08:02:26 I restarted the service

    Feb 19 08:03:59	charon: 13[NET] sending packet: from (IP pfSense) XX.XX.XX.XX[500] to (IP DFL-860E) XX.XX.XX.XX[500] (92 bytes)
    Feb 19 08:03:59	charon: 13[ENC] generating INFORMATIONAL_V1 request 897668763 [ HASH N(DPD_ACK) ]
    Feb 19 08:03:59	charon: 13[ENC] parsed INFORMATIONAL_V1 request 3123146777 [ HASH N(DPD) ]
    Feb 19 08:03:59	charon: 13[NET] received packet: from (IP DFL-860E) XX.XX.XX.XX[500] to (IP pfSense) XX.XX.XX.XX[500] (92 bytes)
    Feb 19 08:03:29	charon: 11[NET] sending packet: from (IP pfSense) XX.XX.XX.XX[500] to (IP DFL-860E) XX.XX.XX.XX[500] (92 bytes)
    Feb 19 08:03:29	charon: 11[ENC] generating INFORMATIONAL_V1 request 3676726118 [ HASH N(DPD_ACK) ]
    Feb 19 08:03:29	charon: 11[ENC] parsed INFORMATIONAL_V1 request 4025495893 [ HASH N(DPD) ]
    Feb 19 08:03:29	charon: 11[NET] received packet: from (IP DFL-860E) XX.XX.XX.XX[500] to (IP pfSense) XX.XX.XX.XX[500] (92 bytes)
    Feb 19 08:02:48	charon: 10[NET] sending packet: from (IP pfSense) XX.XX.XX.XX[500] to (IP DFL-860E) XX.XX.XX.XX[500] (60 bytes)
    Feb 19 08:02:48	charon: 10[ENC] generating QUICK_MODE request 1402268389 [ HASH ]
    Feb 19 08:02:48	charon: 10[IKE] CHILD_SA con1000{1} established with SPIs c0cd1952_i 9e69bc78_o and TS 192.168.2.0/24|/0 === 192.168.31.0/24|/0
    Feb 19 08:02:48	charon: 10[IKE] <con1000|2> CHILD_SA con1000{1} established with SPIs c0cd1952_i 9e69bc78_o and TS 192.168.2.0/24|/0 === 192.168.31.0/24|/0
    Feb 19 08:02:48	charon: 10[ENC] parsed QUICK_MODE response 1402268389 [ HASH SA No KE ID ID ]
    Feb 19 08:02:48	charon: 10[NET] received packet: from (IP DFL-860E) XX.XX.XX.XX[500] to (IP pfSense) XX.XX.XX.XX[500] (268 bytes)
    Feb 19 08:02:48	charon: 10[NET] sending packet: from (IP pfSense) XX.XX.XX.XX[500] to (IP DFL-860E) XX.XX.XX.XX[500] (284 bytes)
    Feb 19 08:02:48	charon: 10[ENC] generating QUICK_MODE request 1402268389 [ HASH SA No KE ID ID ]
    Feb 19 08:02:48	charon: 10[IKE] maximum IKE_SA lifetime 28599s
    Feb 19 08:02:48	charon: 10[IKE] <con1000|2> maximum IKE_SA lifetime 28599s
    Feb 19 08:02:48	charon: 10[IKE] scheduling reauthentication in 28059s
    Feb 19 08:02:48	charon: 10[IKE] <con1000|2> scheduling reauthentication in 28059s
    Feb 19 08:02:48	charon: 10[IKE] IKE_SA con1000[2] established between (IP pfSense) XX.XX.XX.XX[(IP pfSense) XX.XX.XX.XX]...(IP DFL-860E) XX.XX.XX.XX[(IP DFL-860E) XX.XX.XX.XX]
    Feb 19 08:02:48	charon: 10[IKE] <con1000|2> IKE_SA con1000[2] established between (IP pfSense) XX.XX.XX.XX[(IP pfSense) XX.XX.XX.XX]...(IP DFL-860E) XX.XX.XX.XX[(IP DFL-860E) XX.XX.XX.XX]
    Feb 19 08:02:48	charon: 10[ENC] parsed ID_PROT response 0 [ ID HASH ]
    Feb 19 08:02:48	charon: 10[NET] received packet: from (IP DFL-860E) XX.XX.XX.XX[500] to (IP pfSense) XX.XX.XX.XX[500] (60 bytes)
    Feb 19 08:02:48	charon: 10[NET] sending packet: from (IP pfSense) XX.XX.XX.XX[500] to (IP DFL-860E) XX.XX.XX.XX[500] (76 bytes)
    Feb 19 08:02:48	charon: 10[ENC] generating ID_PROT request 0 [ ID HASH ]
    Feb 19 08:02:48	charon: 10[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
    Feb 19 08:02:48	charon: 10[NET] received packet: from (IP DFL-860E) XX.XX.XX.XX[500] to (IP pfSense) XX.XX.XX.XX[500] (188 bytes)
    Feb 19 08:02:48	charon: 10[NET] sending packet: from (IP pfSense) XX.XX.XX.XX[500] to (IP DFL-860E) XX.XX.XX.XX[500] (204 bytes)
    Feb 19 08:02:48	charon: 10[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
    Feb 19 08:02:48	charon: 10[ENC] received unknown vendor ID: 12:f5:f2:8c:45:71:68:a9:70:2d:9f:e2:74:cc
    Feb 19 08:02:48	charon: 10[IKE] received DPD vendor ID
    Feb 19 08:02:48	charon: 10[IKE] <con1000|2> received DPD vendor ID
    Feb 19 08:02:48	charon: 10[IKE] received XAuth vendor ID
    Feb 19 08:02:48	charon: 10[IKE] <con1000|2> received XAuth vendor ID
    Feb 19 08:02:48	charon: 10[IKE] received NAT-T (RFC 3947) vendor ID
    Feb 19 08:02:48	charon: 10[IKE] <con1000|2> received NAT-T (RFC 3947) vendor ID
    Feb 19 08:02:48	charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Feb 19 08:02:48	charon: 10[IKE] <con1000|2> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Feb 19 08:02:48	charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Feb 19 08:02:48	charon: 10[IKE] <con1000|2> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Feb 19 08:02:48	charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Feb 19 08:02:48	charon: 10[IKE] <con1000|2> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Feb 19 08:02:48	charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
    Feb 19 08:02:48	charon: 10[IKE] <con1000|2> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
    Feb 19 08:02:48	charon: 10[IKE] received draft-stenberg-ipsec-nat-traversal-02 vendor ID
    Feb 19 08:02:48	charon: 10[IKE] <con1000|2> received draft-stenberg-ipsec-nat-traversal-02 vendor ID
    Feb 19 08:02:48	charon: 10[IKE] received draft-stenberg-ipsec-nat-traversal-01 vendor ID
    Feb 19 08:02:48	charon: 10[IKE] <con1000|2> received draft-stenberg-ipsec-nat-traversal-01 vendor ID
    Feb 19 08:02:48	charon: 10[ENC] received unknown vendor ID: 8f:9c:c9:4e:01:24:8e:cd:f1:47:59:4c:28:4b:21:3b
    Feb 19 08:02:48	charon: 10[ENC] parsed ID_PROT response 0 [ SA V V V V V V V V V V V ]
    Feb 19 08:02:48	charon: 10[NET] received packet: from (IP DFL-860E) XX.XX.XX.XX[500] to (IP pfSense) XX.XX.XX.XX[500] (294 bytes)
    Feb 19 08:02:48	charon: 12[NET] sending packet: from (IP pfSense) XX.XX.XX.XX[500] to (IP DFL-860E) XX.XX.XX.XX[500] (200 bytes)
    Feb 19 08:02:48	charon: 12[ENC] generating ID_PROT request 0 [ SA V V V V V V ]
    Feb 19 08:02:48	charon: 12[IKE] initiating Main Mode IKE_SA con1000[2] to (IP DFL-860E) XX.XX.XX.XX
    Feb 19 08:02:48	charon: 12[IKE] <con1000|2> initiating Main Mode IKE_SA con1000[2] to (IP DFL-860E) XX.XX.XX.XX
    Feb 19 08:02:48	charon: 13[CFG] received stroke: initiate 'con1000'
    Feb 19 08:02:48	charon: 13[NET] sending packet: from (IP pfSense) XX.XX.XX.XX[500] to (IP DFL-860E) XX.XX.XX.XX[500] (92 bytes)
    Feb 19 08:02:48	charon: 13[ENC] generating INFORMATIONAL_V1 request 2256457257 [ HASH D ]
    Feb 19 08:02:48	charon: 13[IKE] sending DELETE for IKE_SA con1000[1]
    Feb 19 08:02:48	charon: 13[IKE] <con1000|1> sending DELETE for IKE_SA con1000[1]
    Feb 19 08:02:48	charon: 13[IKE] deleting IKE_SA con1000[1] between (IP pfSense) XX.XX.XX.XX[(IP pfSense) XX.XX.XX.XX]...(IP DFL-860E) XX.XX.XX.XX[(IP DFL-860E) XX.XX.XX.XX]
    Feb 19 08:02:48	charon: 13[IKE] <con1000|1> deleting IKE_SA con1000[1] between (IP pfSense) XX.XX.XX.XX[(IP pfSense) XX.XX.XX.XX]...(IP DFL-860E) XX.XX.XX.XX[(IP DFL-860E) XX.XX.XX.XX]
    Feb 19 08:02:48	charon: 13[NET] sending packet: from (IP pfSense) XX.XX.XX.XX[500] to (IP DFL-860E) XX.XX.XX.XX[500] (76 bytes)
    Feb 19 08:02:48	charon: 13[ENC] generating INFORMATIONAL_V1 request 984300203 [ HASH D ]
    Feb 19 08:02:48	charon: 13[IKE] sending DELETE for ESP CHILD_SA with SPI cf629bd6
    Feb 19 08:02:48	charon: 13[IKE] <con1000|1> sending DELETE for ESP CHILD_SA with SPI cf629bd6
    Feb 19 08:02:48	charon: 13[IKE] closing CHILD_SA con1000{1} with SPIs cf629bd6_i (0 bytes) 2e302337_o (0 bytes) and TS 192.168.2.0/24|/0 === 192.168.31.0/24|/0
    Feb 19 08:02:48	charon: 13[IKE] <con1000|1> closing CHILD_SA con1000{1} with SPIs cf629bd6_i (0 bytes) 2e302337_o (0 bytes) and TS 192.168.2.0/24|/0 === 192.168.31.0/24|/0
    Feb 19 08:02:48	charon: 15[CFG] received stroke: terminate 'con1000'
    Feb 19 08:02:46	charon: 15[IKE] CHILD_SA con1000{1} established with SPIs cf629bd6_i 2e302337_o and TS 192.168.2.0/24|/0 === 192.168.31.0/24|/0
    Feb 19 08:02:46	charon: 15[IKE] <con1000|1> CHILD_SA con1000{1} established with SPIs cf629bd6_i 2e302337_o and TS 192.168.2.0/24|/0 === 192.168.31.0/24|/0
    Feb 19 08:02:46	charon: 15[ENC] parsed QUICK_MODE request 828592377 [ HASH ]
    Feb 19 08:02:46	charon: 15[NET] received packet: from (IP DFL-860E) XX.XX.XX.XX[500] to (IP pfSense) XX.XX.XX.XX[500] (60 bytes)
    Feb 19 08:02:46	charon: 15[NET] sending packet: from (IP pfSense) XX.XX.XX.XX[500] to (IP DFL-860E) XX.XX.XX.XX[500] (284 bytes)
    Feb 19 08:02:46	charon: 15[ENC] generating QUICK_MODE response 828592377 [ HASH SA No KE ID ID ]
    Feb 19 08:02:46	charon: 15[ENC] parsed QUICK_MODE request 828592377 [ HASH SA No KE ID ID ]
    Feb 19 08:02:46	charon: 15[NET] received packet: from (IP DFL-860E) XX.XX.XX.XX[500] to (IP pfSense) XX.XX.XX.XX[500] (268 bytes)
    Feb 19 08:02:46	charon: 13[NET] sending packet: from (IP pfSense) XX.XX.XX.XX[500] to (IP DFL-860E) XX.XX.XX.XX[500] (76 bytes)
    Feb 19 08:02:46	charon: 13[ENC] generating ID_PROT response 0 [ ID HASH ]
    Feb 19 08:02:46	charon: 13[IKE] maximum IKE_SA lifetime 28715s
    Feb 19 08:02:46	charon: 13[IKE] <con1000|1> maximum IKE_SA lifetime 28715s
    Feb 19 08:02:46	charon: 13[IKE] scheduling reauthentication in 28175s
    Feb 19 08:02:46	charon: 13[IKE] <con1000|1> scheduling reauthentication in 28175s
    Feb 19 08:02:46	charon: 13[IKE] IKE_SA con1000[1] established between (IP pfSense) XX.XX.XX.XX[(IP pfSense) XX.XX.XX.XX]...(IP DFL-860E) XX.XX.XX.XX[(IP DFL-860E) XX.XX.XX.XX]
    Feb 19 08:02:46	charon: 13[IKE] <con1000|1> IKE_SA con1000[1] established between (IP pfSense) XX.XX.XX.XX[(IP pfSense) XX.XX.XX.XX]...(IP DFL-860E) XX.XX.XX.XX[(IP DFL-860E) XX.XX.XX.XX]
    Feb 19 08:02:46	charon: 13[CFG] selected peer config "con1000"
    Feb 19 08:02:46	charon: 13[CFG] looking for pre-shared key peer configs matching (IP pfSense) XX.XX.XX.XX...(IP DFL-860E) XX.XX.XX.XX[(IP DFL-860E) XX.XX.XX.XX]
    Feb 19 08:02:46	charon: 13[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
    Feb 19 08:02:46	charon: 13[NET] received packet: from (IP DFL-860E) XX.XX.XX.XX[500] to (IP pfSense) XX.XX.XX.XX[500] (76 bytes)
    Feb 19 08:02:46	charon: 13[NET] sending packet: from (IP pfSense) XX.XX.XX.XX[500] to (IP DFL-860E) XX.XX.XX.XX[500] (204 bytes)
    Feb 19 08:02:46	charon: 13[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
    Feb 19 08:02:46	charon: 13[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
    Feb 19 08:02:46	charon: 13[NET] received packet: from (IP DFL-860E) XX.XX.XX.XX[500] to (IP pfSense) XX.XX.XX.XX[500] (188 bytes)
    Feb 19 08:02:46	charon: 13[NET] sending packet: from (IP pfSense) XX.XX.XX.XX[500] to (IP DFL-860E) XX.XX.XX.XX[500] (156 bytes)
    Feb 19 08:02:46	charon: 13[ENC] generating ID_PROT response 0 [ SA V V V V ]
    Feb 19 08:02:46	charon: 13[IKE] (IP DFL-860E) XX.XX.XX.XX is initiating a Main Mode IKE_SA
    Feb 19 08:02:46	charon: 13[IKE] <1> (IP DFL-860E) XX.XX.XX.XX is initiating a Main Mode IKE_SA
    Feb 19 08:02:46	charon: 13[IKE] received DPD vendor ID
    Feb 19 08:02:46	charon: 13[IKE] <1> received DPD vendor ID
    Feb 19 08:02:46	charon: 13[IKE] received NAT-T (RFC 3947) vendor ID
    Feb 19 08:02:46	charon: 13[IKE] <1> received NAT-T (RFC 3947) vendor ID
    Feb 19 08:02:46	charon: 13[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Feb 19 08:02:46	charon: 13[IKE] <1> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Feb 19 08:02:46	charon: 13[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Feb 19 08:02:46	charon: 13[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Feb 19 08:02:46	charon: 13[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Feb 19 08:02:46	charon: 13[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Feb 19 08:02:46	charon: 13[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
    Feb 19 08:02:46	charon: 13[IKE] <1> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
    Feb 19 08:02:46	charon: 13[IKE] received draft-stenberg-ipsec-nat-traversal-02 vendor ID
    Feb 19 08:02:46	charon: 13[IKE] <1> received draft-stenberg-ipsec-nat-traversal-02 vendor ID
    Feb 19 08:02:46	charon: 13[IKE] received draft-stenberg-ipsec-nat-traversal-01 vendor ID
    Feb 19 08:02:46	charon: 13[IKE] <1> received draft-stenberg-ipsec-nat-traversal-01 vendor ID
    Feb 19 08:02:46	charon: 13[ENC] received unknown vendor ID: 8f:9c:c9:4e:01:24:8e:cd:f1:47:59:4c:28:4b:21:3b
    Feb 19 08:02:46	charon: 13[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V ]
    Feb 19 08:02:46	charon: 13[NET] received packet: from (IP DFL-860E) XX.XX.XX.XX[500] to (IP pfSense) XX.XX.XX.XX[500] (264 bytes)
    Feb 19 08:02:26	ipsec_starter[64483]:
    Feb 19 08:02:26	ipsec_starter[64483]: 'con1000' routed
    Feb 19 08:02:26	charon: 15[CFG] received stroke: route 'con1000'
    Feb 19 08:02:26	charon: 14[CFG] added configuration 'con1000'
    Feb 19 08:02:26	charon: 14[CFG] received stroke: add connection 'con1000'
    Feb 19 08:02:26	ipsec_starter[64483]: charon (64678) started after 120 ms
    Feb 19 08:02:26	charon: 00[JOB] spawning 16 worker threads
    Feb 19 08:02:26	charon: 00[LIB] unable to load 6 plugin features (5 due to unmet dependencies)
    Feb 19 08:02:26	charon: 00[LIB] loaded plugins: charon unbound aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke smp updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock unity
    Feb 19 08:02:26	charon: 00[CFG] loaded 0 RADIUS server configurations
    Feb 19 08:02:26	charon: 00[CFG] opening triplet file /var/etc/ipsec/ipsec.d/triplets.dat failed: No such file or directory
    Feb 19 08:02:26	charon: 00[CFG] loaded IKE secret for %any (IP DFL-860E) XX.XX.XX.XX
    Feb 19 08:02:26	charon: 00[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Feb 19 08:02:26	charon: 00[CFG] loading crls from '/var/etc/ipsec/ipsec.d/crls'
    Feb 19 08:02:26	charon: 00[CFG] loading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
    Feb 19 08:02:26	charon: 00[CFG] loading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
    Feb 19 08:02:26	charon: 00[CFG] loading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
    Feb 19 08:02:26	charon: 00[CFG] loading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
    Feb 19 08:02:26	charon: 00[CFG] ipseckey plugin is disabled
    Feb 19 08:02:26	charon: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
    Feb 19 08:02:26	charon: 00[KNL] unable to set UDP_ENCAP: Invalid argument
    Feb 19 08:02:26	charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.2.1, FreeBSD 10.1-RELEASE-p4, i386)
    Feb 19 08:02:26	ipsec_starter[64035]: no known IPsec stack detected, ignoring!
    Feb 19 08:02:26	ipsec_starter[64035]: no KLIPS IPsec stack detected
    Feb 19 08:02:26	ipsec_starter[64035]: no netkey IPsec stack detected
    Feb 19 08:02:26	ipsec_starter[64035]: Starting strongSwan 5.2.1 IPsec [starter]...
    Feb 19 07:58:56	ipsec_starter[37946]: ipsec starter stopped
    Feb 19 07:58:56	ipsec_starter[37946]: charon stopped after 200 ms
    Feb 19 07:58:56	charon: 00[IKE] destroying IKE_SA in state CONNECTING without notification
    Feb 19 07:58:56	charon: 00[IKE] <con1000|5> destroying IKE_SA in state CONNECTING without notification
    Feb 19 07:58:56	charon: 00[DMN] signal of type SIGINT received. Shutting down
    Feb 19 07:58:46	charon: 15[CFG] rereading crls from '/var/etc/ipsec/ipsec.d/crls'
    Feb 19 07:58:46	charon: 15[CFG] rereading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
    Feb 19 07:58:46	charon: 15[CFG] rereading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
    Feb 19 07:58:46	charon: 15[CFG] rereading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
    Feb 19 07:58:46	charon: 15[CFG] rereading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
    Feb 19 07:58:46	charon: 15[CFG] loaded IKE secret for %any (IP DFL-860E) XX.XX.XX.XX
    Feb 19 07:58:46	charon: 15[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Feb 19 07:58:46	charon: 15[CFG] rereading secrets
    Feb 19 07:58:30	charon: 04[NET] sending packet: from (IP pfSense) XX.XX.XX.XX[500] to (IP DFL-860E) XX.XX.XX.XX[500] (200 bytes)
    Feb 19 07:58:30	charon: 04[IKE] sending retransmit 5 of request message ID 0, seq 1
    Feb 19 07:58:30	charon: 04[IKE] <con1000|5> sending retransmit 5 of request message ID 0, seq 1
    Feb 19 07:57:52	charon: 04[CFG] rereading crls from '/var/etc/ipsec/ipsec.d/crls'
    Feb 19 07:57:52	charon: 04[CFG] rereading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
    Feb 19 07:57:52	charon: 04[CFG] rereading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
    Feb 19 07:57:52	charon: 04[CFG] rereading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
    Feb 19 07:57:52	charon: 04[CFG] rereading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
    Feb 19 07:57:52	charon: 04[CFG] loaded IKE secret for %any (IP DFL-860E) XX.XX.XX.XX
    Feb 19 07:57:52	charon: 04[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Feb 19 07:57:52	charon: 04[CFG] rereading secrets
    Feb 19 07:57:48	charon: 15[NET] sending packet: from (IP pfSense) XX.XX.XX.XX[500] to (IP DFL-860E) XX.XX.XX.XX[500] (200 bytes)
    Feb 19 07:57:48	charon: 15[IKE] sending retransmit 4 of request message ID 0, seq 1
    Feb 19 07:57:48	charon: 15[IKE] <con1000|5> sending retransmit 4 of request message ID 0, seq 1
    Feb 19 07:57:25	charon: 15[NET] sending packet: from (IP pfSense) XX.XX.XX.XX[500] to (IP DFL-860E) XX.XX.XX.XX[500] (200 bytes)
    Feb 19 07:57:25	charon: 15[IKE] sending retransmit 3 of request message ID 0, seq 1
    Feb 19 07:57:25	charon: 15[IKE] <con1000|5> sending retransmit 3 of request message ID 0, seq 1
    Feb 19 07:57:12	charon: 15[NET] sending packet: from (IP pfSense) XX.XX.XX.XX[500] to (IP DFL-860E) XX.XX.XX.XX[500] (200 bytes)
    Feb 19 07:57:12	charon: 15[IKE] sending retransmit 2 of request message ID 0, seq 1
    Feb 19 07:57:12	charon: 15[IKE] <con1000|5> sending retransmit 2 of request message ID 0, seq 1
    Feb 19 07:57:04	charon: 15[NET] sending packet: from (IP pfSense) XX.XX.XX.XX[500] to (IP DFL-860E) XX.XX.XX.XX[500] (200 bytes)
    Feb 19 07:57:04	charon: 15[IKE] sending retransmit 1 of request message ID 0, seq 1
    Feb 19 07:57:04	charon: 15[IKE] <con1000|5> sending retransmit 1 of request message ID 0, seq 1
    Feb 19 07:57:00	charon: 15[NET] sending packet: from (IP pfSense) XX.XX.XX.XX[500] to (IP DFL-860E) XX.XX.XX.XX[500] (200 bytes)
    Feb 19 07:57:00	charon: 15[ENC] generating ID_PROT request 0 [ SA V V V V V V ]
    Feb 19 07:57:00	charon: 15[IKE] initiating Main Mode IKE_SA con1000[5] to (IP DFL-860E) XX.XX.XX.XX
    Feb 19 07:57:00	charon: 15[IKE] <con1000|5> initiating Main Mode IKE_SA con1000[5] to (IP DFL-860E) XX.XX.XX.XX
    Feb 19 07:57:00	charon: 16[CFG] received stroke: initiate 'con1000'
    Feb 19 07:57:00	charon: 13[CFG] no IKE_SA named 'con1000' found
    Feb 19 07:57:00	charon: 13[CFG] received stroke: terminate 'con1000'
    Feb 19 07:56:09	charon: 16[CFG] rereading crls from '/var/etc/ipsec/ipsec.d/crls'
    Feb 19 07:56:09	charon: 16[CFG] rereading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
    Feb 19 07:56:09	charon: 16[CFG] rereading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
    Feb 19 07:56:09	charon: 16[CFG] rereading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
    Feb 19 07:56:09	charon: 16[CFG] rereading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
    Feb 19 07:56:09	charon: 16[CFG] loaded IKE secret for %any (IP DFL-860E) XX.XX.XX.XX
    Feb 19 07:56:09	charon: 16[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Feb 19 07:56:09	charon: 16[CFG] rereading secrets
    Feb 19 07:55:21	charon: 13[CFG] rereading crls from '/var/etc/ipsec/ipsec.d/crls'
    Feb 19 07:55:21	charon: 13[CFG] rereading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
    Feb 19 07:55:21	charon: 13[CFG] rereading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
    Feb 19 07:55:21	charon: 13[CFG] rereading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
    Feb 19 07:55:21	charon: 13[CFG] rereading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
    Feb 19 07:55:21	charon: 13[CFG] loaded IKE secret for %any (IP DFL-860E) XX.XX.XX.XX
    Feb 19 07:55:21	charon: 13[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Feb 19 07:55:21	charon: 13[CFG] rereading secrets
    Feb 19 07:50:10	charon: 16[CFG] rereading crls from '/var/etc/ipsec/ipsec.d/crls'
    Feb 19 07:50:10	charon: 16[CFG] rereading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
    Feb 19 07:50:10	charon: 16[CFG] rereading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
    Feb 19 07:50:10	charon: 16[CFG] rereading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
    Feb 19 07:50:10	charon: 16[CFG] rereading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
    Feb 19 07:50:10	charon: 16[CFG] loaded IKE secret for %any (IP DFL-860E) XX.XX.XX.XX
    Feb 19 07:50:10	charon: 16[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Feb 19 07:50:10	charon: 16[CFG] rereading secrets
    Feb 19 07:49:24	charon: 13[CFG] rereading crls from '/var/etc/ipsec/ipsec.d/crls'
    Feb 19 07:49:24	charon: 13[CFG] rereading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
    Feb 19 07:49:24	charon: 13[CFG] rereading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
    Feb 19 07:49:24	charon: 13[CFG] rereading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
    Feb 19 07:49:24	charon: 13[CFG] rereading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
    Feb 19 07:49:24	charon: 13[CFG] loaded IKE secret for %any (IP DFL-860E) XX.XX.XX.XX
    Feb 19 07:49:24	charon: 13[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Feb 19 07:49:24	charon: 13[CFG] rereading secrets
    Feb 19 07:26:14	charon: 11[CFG] rereading crls from '/var/etc/ipsec/ipsec.d/crls'
    Feb 19 07:26:14	charon: 11[CFG] rereading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
    Feb 19 07:26:14	charon: 11[CFG] rereading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
    Feb 19 07:26:14	charon: 11[CFG] rereading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
    Feb 19 07:26:14	charon: 11[CFG] rereading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
    Feb 19 07:26:14	charon: 11[CFG] loaded IKE secret for %any (IP DFL-860E) XX.XX.XX.XX
    Feb 19 07:26:14	charon: 11[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Feb 19 07:26:14	charon: 11[CFG] rereading secrets
    Feb 19 07:26:04	charon: 16[CFG] rereading crls from '/var/etc/ipsec/ipsec.d/crls'
    Feb 19 07:26:04	charon: 16[CFG] rereading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
    Feb 19 07:26:04	charon: 16[CFG] rereading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
    Feb 19 07:26:04	charon: 16[CFG] rereading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
    Feb 19 07:26:04	charon: 16[CFG] rereading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
    Feb 19 07:26:04	charon: 16[CFG] loaded IKE secret for %any (IP DFL-860E) XX.XX.XX.XX
    Feb 19 07:26:04	charon: 16[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Feb 19 07:26:04	charon: 16[CFG] rereading secrets
    Feb 19 07:25:42	charon: 11[CFG] rereading crls from '/var/etc/ipsec/ipsec.d/crls'
    Feb 19 07:25:42	charon: 11[CFG] rereading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
    Feb 19 07:25:42	charon: 11[CFG] rereading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
    Feb 19 07:25:42	charon: 11[CFG] rereading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
    Feb 19 07:25:42	charon: 11[CFG] rereading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
    Feb 19 07:25:42	charon: 11[CFG] loaded IKE secret for %any (IP DFL-860E) XX.XX.XX.XX
    Feb 19 07:25:42	charon: 11[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Feb 19 07:25:42	charon: 11[CFG] rereading secrets
    Feb 19 07:25:41	charon: 16[CFG] rereading crls from '/var/etc/ipsec/ipsec.d/crls'
    Feb 19 07:25:41	charon: 16[CFG] rereading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
    Feb 19 07:25:41	charon: 16[CFG] rereading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
    Feb 19 07:25:41	charon: 16[CFG] rereading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
    Feb 19 07:25:41	charon: 16[CFG] rereading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
    Feb 19 07:25:41	charon: 16[CFG] loaded IKE secret for %any (IP DFL-860E) XX.XX.XX.XX
    Feb 19 07:25:41	charon: 16[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Feb 19 07:25:41	charon: 16[CFG] rereading secrets
    Feb 19 07:17:06	charon: 11[CFG] rereading crls from '/var/etc/ipsec/ipsec.d/crls'
    Feb 19 07:17:06	charon: 11[CFG] rereading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
    Feb 19 07:17:06	charon: 11[CFG] rereading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
    Feb 19 07:17:06	charon: 11[CFG] rereading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
    Feb 19 07:17:06	charon: 11[CFG] rereading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
    Feb 19 07:17:06	charon: 11[CFG] loaded IKE secret for %any (IP DFL-860E) XX.XX.XX.XX
    Feb 19 07:17:06	charon: 11[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Feb 19 07:17:06	charon: 11[CFG] rereading secrets
    Feb 19 07:16:09	charon: 12[CFG] rereading crls from '/var/etc/ipsec/ipsec.d/crls'
    Feb 19 07:16:09	charon: 12[CFG] rereading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
    Feb 19 07:16:09	charon: 12[CFG] rereading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
    Feb 19 07:16:09	charon: 12[CFG] rereading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
    Feb 19 07:16:09	charon: 12[CFG] rereading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
    Feb 19 07:16:09	charon: 12[CFG] loaded IKE secret for %any (IP DFL-860E) XX.XX.XX.XX
    Feb 19 07:16:09	charon: 12[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Feb 19 07:16:09	charon: 12[CFG] rereading secrets
    Feb 19 07:10:35	charon: 11[CFG] rereading crls from '/var/etc/ipsec/ipsec.d/crls'
    Feb 19 07:10:35	charon: 11[CFG] rereading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
    Feb 19 07:10:35	charon: 11[CFG] rereading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
    Feb 19 07:10:35	charon: 11[CFG] rereading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
    Feb 19 07:10:35	charon: 11[CFG] rereading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
    Feb 19 07:10:35	charon: 11[CFG] loaded IKE secret for %any (IP DFL-860E) XX.XX.XX.XX
    Feb 19 07:10:35	charon: 11[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Feb 19 07:10:35	charon: 11[CFG] rereading secrets
    Feb 19 07:09:44	charon: 12[CFG] rereading crls from '/var/etc/ipsec/ipsec.d/crls'
    Feb 19 07:09:44	charon: 12[CFG] rereading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
    Feb 19 07:09:44	charon: 12[CFG] rereading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
    Feb 19 07:09:44	charon: 12[CFG] rereading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
    Feb 19 07:09:44	charon: 12[CFG] rereading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
    Feb 19 07:09:44	charon: 12[CFG] loaded IKE secret for %any (IP DFL-860E) XX.XX.XX.XX
    Feb 19 07:09:44	charon: 12[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Feb 19 07:09:44	charon: 12[CFG] rereading secrets
    Feb 19 07:08:37	charon: 11[CFG] rereading crls from '/var/etc/ipsec/ipsec.d/crls'
    Feb 19 07:08:37	charon: 11[CFG] rereading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
    Feb 19 07:08:37	charon: 11[CFG] rereading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
    Feb 19 07:08:37	charon: 11[CFG] rereading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
    Feb 19 07:08:37	charon: 11[CFG] rereading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
    Feb 19 07:08:37	charon: 11[CFG] loaded IKE secret for %any (IP DFL-860E) XX.XX.XX.XX
    Feb 19 07:08:37	charon: 11[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Feb 19 07:08:37	charon: 11[CFG] rereading secrets
    Feb 19 07:07:47	charon: 12[CFG] rereading crls from '/var/etc/ipsec/ipsec.d/crls'
    Feb 19 07:07:47	charon: 12[CFG] rereading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
    Feb 19 07:07:47	charon: 12[CFG] rereading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
    Feb 19 07:07:47	charon: 12[CFG] rereading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
    Feb 19 07:07:47	charon: 12[CFG] rereading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
    Feb 19 07:07:47	charon: 12[CFG] loaded IKE secret for %any (IP DFL-860E) XX.XX.XX.XX
    Feb 19 07:07:47	charon: 12[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Feb 19 07:07:47	charon: 12[CFG] rereading secrets
    Feb 19 06:58:30	charon: 07[CFG] rereading crls from '/var/etc/ipsec/ipsec.d/crls'
    Feb 19 06:58:30	charon: 07[CFG] rereading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
    Feb 19 06:58:30	charon: 07[CFG] rereading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
    Feb 19 06:58:30	charon: 07[CFG] rereading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
    Feb 19 06:58:30	charon: 07[CFG] rereading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
    Feb 19 06:58:30	charon: 07[CFG] loaded IKE secret for %any (IP DFL-860E) XX.XX.XX.XX
    Feb 19 06:58:30	charon: 07[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Feb 19 06:58:30	charon: 07[CFG] rereading secrets
    Feb 19 06:57:44	charon: 11[CFG] rereading crls from '/var/etc/ipsec/ipsec.d/crls'
    Feb 19 06:57:44	charon: 11[CFG] rereading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
    Feb 19 06:57:44	charon: 11[CFG] rereading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
    Feb 19 06:57:44	charon: 11[CFG] rereading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
    Feb 19 06:57:44	charon: 11[CFG] rereading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
    Feb 19 06:57:44	charon: 11[CFG] loaded IKE secret for %any (IP DFL-860E) XX.XX.XX.XX
    Feb 19 06:57:44	charon: 11[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Feb 19 06:57:44	charon: 11[CFG] rereading secrets
    Feb 19 06:53:53	charon: 07[CFG] rereading crls from '/var/etc/ipsec/ipsec.d/crls'
    Feb 19 06:53:53	charon: 07[CFG] rereading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
    Feb 19 06:53:53	charon: 07[CFG] rereading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
    Feb 19 06:53:53	charon: 07[CFG] rereading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
    Feb 19 06:53:53	charon: 07[CFG] rereading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
    Feb 19 06:53:53	charon: 07[CFG] loaded IKE secret for %any (IP DFL-860E) XX.XX.XX.XX
    Feb 19 06:53:53	charon: 07[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Feb 19 06:53:53	charon: 07[CFG] rereading secrets
    Feb 19 06:53:10	charon: 11[CFG] rereading crls from '/var/etc/ipsec/ipsec.d/crls'
    Feb 19 06:53:10	charon: 11[CFG] rereading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
    Feb 19 06:53:10	charon: 11[CFG] rereading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
    Feb 19 06:53:10	charon: 11[CFG] rereading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
    Feb 19 06:53:10	charon: 11[CFG] rereading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
    Feb 19 06:53:10	charon: 11[CFG] loaded IKE secret for %any (IP DFL-860E) XX.XX.XX.XX
    Feb 19 06:53:10	charon: 11[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Feb 19 06:53:10	charon: 11[CFG] rereading secrets
    Feb 19 06:50:46	charon: 07[CFG] rereading crls from '/var/etc/ipsec/ipsec.d/crls'
    Feb 19 06:50:46	charon: 07[CFG] rereading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
    Feb 19 06:50:46	charon: 07[CFG] rereading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
    Feb 19 06:50:46	charon: 07[CFG] rereading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
    Feb 19 06:50:46	charon: 07[CFG] rereading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
    Feb 19 06:50:46	charon: 07[CFG] loaded IKE secret for %any (IP DFL-860E) XX.XX.XX.XX
    Feb 19 06:50:46	charon: 07[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Feb 19 06:50:46	charon: 07[CFG] rereading secrets
    Feb 19 06:48:59	charon: 10[CFG] rereading crls from '/var/etc/ipsec/ipsec.d/crls'
    Feb 19 06:48:59	charon: 10[CFG] rereading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
    Feb 19 06:48:59	charon: 10[CFG] rereading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
    Feb 19 06:48:59	charon: 10[CFG] rereading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
    Feb 19 06:48:59	charon: 10[CFG] rereading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
    Feb 19 06:48:59	charon: 10[CFG] loaded IKE secret for %any (IP DFL-860E) XX.XX.XX.XX
    Feb 19 06:48:59	charon: 10[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Feb 19 06:48:59	charon: 10[CFG] rereading secrets
    Feb 19 06:45:20	charon: 11[CFG] rereading crls from '/var/etc/ipsec/ipsec.d/crls'
    Feb 19 06:45:20	charon: 11[CFG] rereading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
    Feb 19 06:45:20	charon: 11[CFG] rereading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
    Feb 19 06:45:20	charon: 11[CFG] rereading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
    Feb 19 06:45:20	charon: 11[CFG] rereading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
    Feb 19 06:45:20	charon: 11[CFG] loaded IKE secret for %any (IP DFL-860E) XX.XX.XX.XX
    Feb 19 06:45:20	charon: 11[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Feb 19 06:45:20	charon: 11[CFG] rereading secrets
    Feb 19 06:44:21	charon: 10[CFG] rereading crls from '/var/etc/ipsec/ipsec.d/crls'
    Feb 19 06:44:21	charon: 10[CFG] rereading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
    Feb 19 06:44:21	charon: 10[CFG] rereading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
    Feb 19 06:44:21	charon: 10[CFG] rereading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
    Feb 19 06:44:21	charon: 10[CFG] rereading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
    Feb 19 06:44:21	charon: 10[CFG] loaded IKE secret for %any (IP DFL-860E) XX.XX.XX.XX
    Feb 19 06:44:21	charon: 10[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Feb 19 06:44:21	charon: 10[CFG] rereading secrets
    Feb 19 06:43:38	charon: 11[CFG] rereading crls from '/var/etc/ipsec/ipsec.d/crls'
    Feb 19 06:43:38	charon: 11[CFG] rereading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
    Feb 19 06:43:38	charon: 11[CFG] rereading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
    ```
    ![01.jpg](/public/_imported_attachments_/1/01.jpg)
    ![02.jpg](/public/_imported_attachments_/1/02.jpg)
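
An added example, not part of the original post: a small parser for charon log lines in the format shown above that puts them in chronological order, counts DPD keepalives, CHILD_SA establishments and configuration reloads, and reports windows in which DPD traffic stopped. The year (2015), the 5-minute silence threshold and the two 02:xx sample lines are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta

# Sample in the thread's log format, newest first as in the log above.
# The 08:xx, 07:xx and 06:xx lines come from that log; the 02:xx lines are constructed.
SAMPLE = """\
Feb 19 08:03:59\tcharon: 13[ENC] parsed INFORMATIONAL_V1 request 3123146777 [ HASH N(DPD) ]
Feb 19 08:03:29\tcharon: 11[ENC] parsed INFORMATIONAL_V1 request 4025495893 [ HASH N(DPD) ]
Feb 19 08:02:48\tcharon: 10[IKE] CHILD_SA con1000{1} established with SPIs c0cd1952_i 9e69bc78_o and TS 192.168.2.0/24|/0 === 192.168.31.0/24|/0
Feb 19 07:07:47\tcharon: 12[CFG] rereading secrets
Feb 19 06:58:30\tcharon: 07[CFG] rereading secrets
Feb 19 02:10:05\tcharon: 09[ENC] parsed INFORMATIONAL_V1 request 1111111111 [ HASH N(DPD) ]
Feb 19 02:09:35\tcharon: 09[ENC] parsed INFORMATIONAL_V1 request 2222222222 [ HASH N(DPD) ]
"""

LINE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+charon:\s+(\d+)\[(\w+)\]\s+(.*)$")
# Substrings identifying the event kinds relevant to a hanging tunnel.
KINDS = {"dpd": "N(DPD", "child_up": "established with SPIs", "reload": "rereading secrets"}

def parse(text, year=2015):
    """Return (timestamp, subsystem, message) tuples, oldest first (year is assumed)."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(f"{m.group(1)} {year}", "%b %d %H:%M:%S %Y")
            events.append((ts, m.group(3), m.group(4)))
    return sorted(events, key=lambda e: e[0])

def summarize(events, max_gap=timedelta(minutes=5)):
    """Count events and list windows in which no DPD was logged for longer than max_gap."""
    counts = dict.fromkeys(KINDS, 0)
    silent, last_dpd = [], None
    for ts, _subsys, msg in events:
        kind = next((k for k, needle in KINDS.items() if needle in msg), None)
        if kind is None:
            continue
        counts[kind] += 1
        if kind == "dpd":
            if last_dpd and ts - last_dpd > max_gap:
                silent.append((last_dpd, ts))
            last_dpd = ts
    return counts, silent

if __name__ == "__main__":
    counts, silent = summarize(parse(SAMPLE))
    print(counts, [(a.strftime("%H:%M:%S"), b.strftime("%H:%M:%S")) for a, b in silent])
```

The start of a reported window is the last keepalive seen before the tunnel went quiet, which is the timestamp to line up against the peer's log.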


  • This looks like a StrongSwan problem in pfSense 2.2
    https://forum.pfsense.org/index.php?topic=88080.0
    "2.2 is just IPSEC nightmare."



  • Is it possible to install racoon on pfSense 2.2 and disable strongSwan?



  • 1. Update the dlink dfl-860e firmware to the very latest version.
    2. http://www.dlink.ru/ru/faq/92/927.html

    After applying the settings, click the Back button, then the IPSec Proposal button.
    Fill in the following fields in the order given below.

    Step 1: In the Proposal Name field, enter ipsec_3des_md5
    Step 2: In the DH Group field, select Group 2
    Step 3: In the Encrypt algorithm field, enter 3DES
    Step 4: In the Auth algorithm field, enter MD5
    Step 5: In the Life Time field, enter 3600
    Step 6: In the Proposal ID field, select 1.
    Step 7: Click the Add to button.
    Step 8: Click the Apply button.

    Try it with these types of encryption, authentication, etc. The ones in your screenshots are different.



  • @werter:

    1. Update the dlink dfl-860e firmware to the very latest version.
    2. http://www.dlink.ru/ru/faq/92/927.html

    After applying the settings, click the Back button, then the IPSec Proposal button.
    Fill in the following fields in the order given below.

    Step 1: In the Proposal Name field, enter ipsec_3des_md5
    Step 2: In the DH Group field, select Group 2
    Step 3: In the Encrypt algorithm field, enter 3DES
    Step 4: In the Auth algorithm field, enter MD5
    Step 5: In the Life Time field, enter 3600
    Step 6: In the Proposal ID field, select 1.
    Step 7: Click the Add to button.
    Step 8: Click the Apply button.

    Try it with these types of encryption, authentication, etc. The ones in your screenshots are different.

    The 860's firmware has nothing to do with it; the one installed is newer and more stable than the one on the official site.

    As a test I set up the same tunnel on pfSense 2.1 (racoon): it does not drop (web UIs open fine, I make VoIP calls, I work over RDP).

    On 2.2 I bring up the same tunnel: ping is stable, but as soon as I try to open the pfSense web UI from a remote machine behind the 860, the ping cuts out, pfSense does not open for a minute, then it does open after all and shows a crash report.

    I installed 2.2 via the automatic update; maybe that is the cause and I should install it clean.




  • Another thing that made me smile today: on pfSense 2.2 I deleted all the IPSec settings and disabled the service, but it still stubbornly establishes connections with the 860, phase one  :o  :o  :o
    Today I'll wipe it and install a clean 2.1  ;D



  • @zhhh:

    Another thing that made me smile today: on pfSense 2.2 I deleted all the IPSec settings and disabled the service, but it still stubbornly establishes connections with the 860, phase one  :o  :o  :o
    Today I'll wipe it and install a clean 2.1  ;D

    Try a clean 2.2



  • @werter:

    Try a clean 2.2

    I restored 2.1 and stability came back  ;D

    I will of course test a clean 2.2, but not on production gateways. Next week I'll put together a small gateway from old hardware and try to bring up tunnels from home to both the D-Link 860 and a Cisco 1921. I'll post the results here.



  • Next week I'll put together a small gateway from old hardware

    "You're still boiling not virtualized? Then we're coming to you" (c)  ;D



  • A fresh pfsense 2.2.2 (strongswan on board) paired with a dlink dfl 860e
    Phase 1
    Negotiation mode - main
    Encryption algorithm - 3des
    Hash algorithm - md5
    DH key group - 2
    Phase 2
    Protocol - ESP
    Encryption algorithms - 3des
    Hash algorithms - md5
    PFS key group - 2

    It establishes the connection instantly and pings go through from both sides, but as soon as I try to log in to the pfsense web UI or ssh through the tunnel, pfsense goes down… after a reboot it shows a crash report

    Fatal double fault:
    eip = 0xc12b5a90
    esp = 0xdefd5ff4
    ebp = 0xdefd605c
    cpuid = 0; apic id = 00
    panic: double fault
    cpuid = 0
    KDB: enter: panic

    :o :o :o I described similar symptoms above when upgrading from 2.1
    Why is it so easy to bring pfsense down with standard settings???





  • @rubic:

    https://forum.pfsense.org/index.php?topic=94929.msg527954#msg527954

    Thanks, it works!  :D
    It turns out that for anyone running the i386 version, to keep the system from crashing when pfsense is accessed through the ipsec tunnel, you need to add this setting:
    System->Advanced->System Tunables, click "+"
    Tunable - net.inet.ipsec.directdispatch
    Value - 0

