private#10.8.128.0/17 cannot take effect
My libreswan version: v4.9-587-g6b0b227fc2-main. Linux kernel version: 3.10.0-327. I have a cluster of 6 servers that keep communicating continuously with each other. Their IPs are 10.8.174.132/27, 10.8.174.133/27, 10.8.174.135/27, 10.8.174.130/27, 10.8.174.131/27 and 10.8.174.134/27. I configured the private conn like this:
conn private
type=transport
left=%bond0
right=%opportunisticgroup
#failureshunt=reject
negotiationshunt=hold
phase2=esp
esp=aes_gcm
rekey=no
#keyingtries=1
ikelifetime=8h
salifetime=8h
authby=secret
auto=route
and the /etc/ipsec.d/policies/private file:
10.8.128.0/17
11.121.0.0/16
11.73.0.0/16
11.74.0.0/16
All the above networks are reserved nets. When I enabled ipsec on the servers one by one, something strange happened: I couldn't see any policy including 10.8.128.0/17 in the XFRM PO. I checked the 10.8.174.132 tmi log:
Jul 10 10:00:37.355233: | adding proposal spds
Jul 10 10:00:37.355238: | 10.8.174.134/32->10.8.128.0/17
Jul 10 10:00:37.793385: | **ISAKMP_v2_IKE_SA_INIT message received on 10.8.174.134:500 but no connection has been authorized with policy RSASIG_v1_5**
Jul 10 10:00:37.793390: | ikev2_find_host_connection() 10.8.174.131->10.8.174.134 remote_authby=PSK
Jul 10 10:00:37.793396: | FOR_EACH_HOST_PAIR_CONNECTION(10.8.174.131->10.8.174.134) in (ikev2_find_host_connection() +126 programs/pluto/ikev2_host_pair.c)
Jul 10 10:00:37.793400: | FOR_EACH_HOST_PAIR_CONNECTION(<unset-address>->10.8.174.134) in (ikev2_find_host_connection() +172 programs/pluto/ikev2_host_pair.c)
Jul 10 10:00:38.004328: | kernel: raw_policy() result=success
Jul 10 10:00:38.004332: | priority calculation of is 2801856 (0x2ac0c0) base=2 portsw=2 protow=1, srcw=96 dstw=96 instw=0
Jul 10 10:00:38.004343: | kernel: raw_policy() ADD+INBOUND REPORT_NO_INBOUND install_bare_spd_kernel_policy() prospective kernel_policy (install_prospective_kernel_policies() +455 programs/pluto/kernel.c) client=1
10.8.174.137/32->10.8.174.134/32 policy=0.0.0.0=>0.0.0.0,SHUNT_TRAP,,priority=2801856,TRANSPORT[ESP!0(ALL)] lifetime=0s sa_marks=out:0/0,in:0/0 xfrm_if_id=-1 sec_label= (install_prospective_kernel_policies() +455 programs/pluto/kernel.c)
Jul 10 10:00:38.004348: | kernel: raw_policy() SPI_TRAP add|delete inbound implemented as no-op
Jul 10 10:00:38.004351: | kernel: install_prospective_kernel_policy() running updown-prepare when needed
Jul 10 10:00:38.004355: | kernel: running updown command "ipsec _updown" for verb prepare
Jul 10 10:00:38.004358: | kernel: command executing prepare-host
Jul 10 10:00:38.004395: | executing prepare-host: 2>&1 PLUTO_VERB='prepare-host' PLUTO_CONNECTION='private#10.8.128.0/17' PLUTO_CONNECTION_TYPE='transport' PLUTO_VIRT_INTERFACE='NULL' PLUTO_INTERFACE='bond0' PLUTO_XFRMI_ROUTE='' PLUTO_NEXT_HOP='10.8.174.137' PLUTO_ME='10.8.174.134' PLUTO_MY_ID='10.8.174.134' PLUTO_CLIENT_FAMILY='ipv4' PLUTO_MY_CLIENT='10.8.174.134/32' PLUTO_MY_CLIENT_NET='10.8.174.134' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT=0 PLUTO_MY_PROTOCOL=0 PLUTO_SA_REQID=16496 PLUTO_SA_TYPE='none' PLUTO_PEER='10.8.174.137' PLUTO_PEER_ID='10.8.174.137' PLUTO_PEER_CLIENT='10.8.174.137/32' PLUTO_PEER_CLIENT_NET='10.8.174.137' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT=0 PLUTO_PEER_PROTOCOL=0 PLUTO_PEER_CA='' PLUTO_STACK='xfrm' PLUTO_ADDTIME=0 PLUTO_CONN_POLICY='IKEv2+PSK+ENCRYPT+PFS+DONT_REKEY+OPPORTUNISTIC+GROUPINSTANCE+IKE_FRAG_ALLOW+ESN_NO+ESN_YES' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO=0 PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO...
Jul 10 10:00:38.042528: | FOR_EACH_SPD_ROUTE[remote_client_range=10.8.174.137/32]... in (get_connection_spd_conflict() +1112 programs/pluto/kernel.c)
Jul 10 10:00:38.042536: | found "private#10.8.128.0/17"[2] ...10.8.174.137 10.8.174.134/32->10.8.174.137/32
Jul 10 10:00:38.042540: | skipping route private#10.8.128.0/17; same spd
Jul 10 10:00:38.042543: | matches: 1
Jul 10 10:00:38.042549: | kernel: get_connection_spd_conflict looking for 10.8.174.134/32->10.8.174.137/32
Jul 10 10:00:38.042558: | kernel: get_connection_spd_conflict() 10.8.174.134/32->10.8.174.137/32; wip.conflicting_route <none> wip.conflicting_shunt=<none>
It seems that if pluto receives an IKE request from a matching address while it is loading the opportunistic IPs, pluto uses the conn policy with the more precise address and skips the broader IP range configured in the opportunistic group file. As a result, outgoing packets sent to a new IP address do not match any XFRM PO for 10.8.128.0/17 and fail to acquire. Therefore, the communication fails.
I tried to block UDP ports 500 and 4500 with an iptables INPUT filter rule before starting libreswan, to prevent pluto from receiving IKE requests while it loads the PO. My commands look like this:
sudo iptables -I INPUT 1 -p udp -m multiport --dport 500,4500 -j DROP
sudo ipsec start
sleep 1
sudo iptables -D INPUT -p udp -m multiport --dport 500,4500 -j DROP
Stranger and trickier problems arise: the private#10.8.128.0/17 rule appears in the XFRM PO, which is a good thing, but the established SAs and POs are messy. On 10.8.174.132, the SA for the connection with 10.8.174.134 looks like this:
src 10.8.174.132 dst **10.8.174.134**
proto esp spi 0x00000000 reqid 0 mode transport
replay-window 0
sel src 10.8.174.132/32 dst 10.8.174.134/32 proto tcp sport 10280 dport 43788 dev bond0
src **10.8.174.134** dst 10.8.174.132
proto esp spi 0x13a2e45f reqid 16497 mode transport
replay-window 0 flag esn
aead rfc4106(gcm(aes)) 0xe7cff1f5e48073f32df7b87a82024d9aeb493d8e 128
anti-replay esn context:
seq-hi 0x0, seq 0x12661, oseq-hi 0x0, oseq 0x0
replay_window 128, bitmap-length 4
ffffffff ffffffff ffffffff ffffffff
sel src 10.8.174.134/32 dst 10.8.174.132/32
src 10.8.174.132 dst **10.8.174.134**
proto esp spi 0x9db67280 reqid 16497 mode transport
replay-window 0 flag esn
aead rfc4106(gcm(aes)) 0xe619f2a815e67d998d901d22a36518b74485f956 128
anti-replay esn context:
seq-hi 0x0, seq 0x0, oseq-hi 0x0, oseq 0x172
replay_window 128, bitmap-length 4
00000000 00000000 00000000 00000000
sel src 10.8.174.132/32 dst 10.8.174.134/32
and there is only one PO, covering only one direction:
src 10.8.174.134/32 dst 10.8.174.132/32
dir in priority 2801856 ptype main
tmpl src 0.0.0.0 dst 0.0.0.0
proto esp reqid 16497 mode transport
This can be seen from the network connection status (using netstat):
tcp 0 0 0.0.0.0:10280 0.0.0.0:* LISTEN 46564/pangu_chunkse
tcp 0 0 10.8.174.132:10280 10.8.174.134:48044 SYN_RECV -
tcp 0 0 10.8.174.132:10280 10.8.174.135:54571 SYN_RECV -
tcp 0 0 10.8.174.132:10280 10.8.174.135:54539 SYN_RECV -
tcp 0 0 10.8.174.132:10280 10.8.174.134:48059 SYN_RECV -
tcp 0 0 10.8.174.132:10280 10.8.174.135:54748 SYN_RECV -
tcp 0 0 10.8.174.132:10280 10.8.174.134:48140 SYN_RECV -
tcp 0 0 10.8.174.132:10280 10.8.174.135:54737 SYN_RECV -
tcp 0 0 10.8.174.132:10280 10.8.174.134:48117 SYN_RECV -
tcp 0 0 10.8.174.132:10280 10.8.174.134:48079 SYN_RECV -
Only inbound packets can be received. The log looks like this:
Jul 10 16:37:07.399865: "private#10.8.128.0/17"[1] ...10.8.174.134 #1: STATE_V2_PARENT_I1: retransmission; will wait 8 seconds for response
Jul 10 16:37:12.398591: "private#10.8.128.0/17"[1] ...10.8.174.134 #22: received duplicate IKE_SA_INIT message request (Message ID 0); retransmitting response
Jul 10 16:37:12.401269: "private#10.8.128.0/17"[1] ...10.8.174.134 #22: processing decrypted IKE_AUTH request: SK{IDi,AUTH,SA,TSi,TSr,N(USE_TRANSPORT_MODE)}
Jul 10 16:37:12.401376: "private#10.8.128.0/17"[1] ...10.8.174.134 #22: responder established IKE SA; authenticated peer using authby=secret and ID_IPV4_ADDR '10.8.174.134'
Jul 10 16:37:12.401695: | kernel: get_ipsec_spi() 10.8.174.134-ESP->10.8.174.132 reqid=4071 [1000,ffffffff] for SPI ...
Jul 10 16:37:12.445914: "private#10.8.128.0/17"[1] ...10.8.174.134 #23: responder established Child SA using #22; IPsec transport [10.8.174.132-10.8.174.132:0-65535 0] ->
[10.8.174.134-10.8.174.134:0-65535 0] {ESP/ESN=>0x9db67280 <0x13a2e45f xfrm=AES_GCM_16_128-NONE DPD=passive}
Jul 10 16:37:15.402983: "private#10.8.128.0/17"[1] ...10.8.174.134 #1: suppressing retransmit because IKE SA was superseded #22 try=1; drop this negotiation
Jul 10 16:37:15.402992: "private#10.8.128.0/17"[1] ...10.8.174.134 #1: deleting state (STATE_V2_PARENT_I1) aged 16.016138s and NOT sending notification
Jul 10 16:39:18.660590: ignoring found existing connection instance "private#10.8.128.0/17"[1] ...10.8.174.134 that covers kernel acquire with IKE state #22 and IPsec state #23 - due to duplicate acquire?
What can I do so that the private#10.8.128.0/17 address range takes effect, while both established and newly established connections work as expected?
It takes a few seconds for the policies and connections to load. Can you restart, then after 3 seconds or so run: ipsec status
After you have tried to ping some known destination that should match, can you then type: ipsec status and ipsec shuntstatus
Please do not provide any logs or debugging where you firewalled port 500 or 4500. That is just broken and not helpful at all in determining anything.
Note that you should see the opportunistic group for the /17. This is a %trap policy, so in ip xfrm policy it appears as 1 out rule. Then when you ping, the group connection gets instantiated for that single IP. It gets a shunt policy to prevent leaking, and eventually that becomes a permanent shunt on failure or a proper IPsec tunnel policy.
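A check for the two symptoms discussed in this thread (a group CIDR from policies/private with no outbound trap policy in `ip xfrm policy`, and a per-peer transport policy instantiated in only one direction), written as an added example; it is not part of the thread or of libreswan, and the XFRM output it parses is a constructed sample, not a capture from these hosts.

```python
"""Compare the XFRM policy database with a libreswan opportunistic group file.

Detects two things seen in the thread:
  1. a group CIDR (e.g. 10.8.128.0/17) with no outbound %trap policy;
  2. an instantiated per-peer (/32 <-> /32) template policy present in one direction only.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class XfrmPolicy:
    src: str
    dst: str
    direction: str = ""          # "in", "out", "fwd" or "socket-<dir>"
    priority: int = 0
    has_template: bool = False   # a tmpl line means trap/IPsec policy, not a pass/bypass
    mode: str = ""
    reqid: int = 0


def parse_xfrm_policies(text: str) -> list:
    """Parse the text format printed by `ip xfrm policy`."""
    policies, cur = [], None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "src" and len(tok) >= 4 and tok[2] == "dst":
            cur = XfrmPolicy(src=tok[1], dst=tok[3])  # selector line starts a policy
            policies.append(cur)
        elif cur is None:
            continue
        elif tok[0] in ("dir", "socket"):
            cur.direction = tok[1] if tok[0] == "dir" else "socket-" + tok[1]
            if "priority" in tok:
                cur.priority = int(tok[tok.index("priority") + 1])
        elif tok[0] == "tmpl":
            cur.has_template = True
        elif tok[0] == "proto" and "mode" in tok:     # template detail line
            cur.mode = tok[tok.index("mode") + 1]
            if "reqid" in tok:
                cur.reqid = int(tok[tok.index("reqid") + 1])
    return policies


def load_group_file(text: str) -> list:
    """One CIDR per line, as in /etc/ipsec.d/policies/*; '#' comments are ignored."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(str(ipaddress.ip_network(line, strict=False)))
    return nets


def missing_group_traps(policies: list, group_cidrs: list) -> list:
    """Group CIDRs that have no outbound template (trap) policy for exactly that net."""
    missing = []
    for cidr in group_cidrs:
        net = ipaddress.ip_network(cidr)
        if not any(p.direction == "out" and p.has_template
                   and ipaddress.ip_network(p.dst, strict=False) == net
                   for p in policies):
            missing.append(cidr)
    return missing


def one_directional_peers(policies: list) -> list:
    """Per-peer template policies that exist in only one direction.

    Returns sorted (peer_ip, missing_direction) tuples.
    """
    seen = {}
    for p in policies:
        if p.direction not in ("in", "out") or not p.has_template:
            continue
        if not (p.src.endswith("/32") and p.dst.endswith("/32")):
            continue
        peer = p.dst if p.direction == "out" else p.src
        seen.setdefault(peer.split("/")[0], set()).add(p.direction)
    return sorted((peer, d) for peer, dirs in seen.items()
                  for d in ("in", "out") if d not in dirs)


# Constructed sample for host 10.8.174.132: the 10.8.128.0/17 trap is absent and
# the peer 10.8.174.134 has only an inbound policy. Not captured from the thread.
SAMPLE_XFRM = """\
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
src 10.8.174.132/32 dst 11.121.0.0/16
    dir out priority 2801856 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 0 mode transport
src 10.8.174.132/32 dst 10.8.174.66/32
    dir out priority 2801856 ptype main
src 10.8.174.134/32 dst 10.8.174.132/32
    dir in priority 2801856 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16497 mode transport
"""
SAMPLE_GROUP = "10.8.128.0/17\n11.121.0.0/16\n"


def report(xfrm_text: str, group_text: str) -> dict:
    pols = parse_xfrm_policies(xfrm_text)
    return {"missing_traps": missing_group_traps(pols, load_group_file(group_text)),
            "half_peers": one_directional_peers(pols)}


if __name__ == "__main__":
    print(report(SAMPLE_XFRM, SAMPLE_GROUP))
```

On a live host, feed `ip xfrm policy` output and the real group file to `report()` instead of the samples.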
I executed the following command: ipsec restart; sleep 3.2; ipsec status. The status showed:
000 using kernel interface: xfrm
000
000 interface lo UDP 127.0.0.1:4500
000 interface lo UDP 127.0.0.1:500
000 interface bond0 UDP 10.8.174.130:4500
000 interface bond0 UDP 10.8.174.130:500
000
000 fips mode=disabled;
000 SElinux=disabled
000 seccomp=disabled
000
000 config setup options:
000
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d
000 nssdir=/etc/ipsec.d, dumpdir=/run/pluto, statsbin=unset
000 sbindir=/usr/sbin, libexecdir=/usr/libexec/ipsec
000 pluto_version=v4.9-587-g6b0b227fc2-main, pluto_vendorid=OE-Libreswan-v4.9-587, audit-log=yes
000 nhelpers=-1, uniqueids=yes, dnssec-enable=no, logappend=yes, logip=yes, shuntlifetime=120s, xfrmlifetime=30s
000 ddos-cookies-threshold=25000, ddos-max-halfopen=50000, ddos-mode=auto, ikev1-policy=accept
000 ikebuf=0, msg_errqueue=yes, crl-strict=no, crlcheckinterval=0, listen=<any>, nflog-all=0
000 ocsp-enable=no, ocsp-strict=no, ocsp-timeout=2, ocsp-uri=<unset>
000 ocsp-trust-name=<unset>
000 ocsp-cache-size=1000, ocsp-cache-min-age=3600, ocsp-cache-max-age=86400, ocsp-method=get
000 global-redirect=no, global-redirect-to=<unset>
000 secctx-attr-type=32001
000 debug:
000
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000 - allowed subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, 100.64.0.0/10, fd00::/8, fe80::/10
000
000 Kernel algorithms supported:
000
000 algorithm ESP encrypt: name=3DES_CBC, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: name=AES_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CTR, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CAMELLIA_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CHACHA20_POLY1305, keysizemin=256, keysizemax=256
000 algorithm ESP encrypt: name=NULL, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: name=NULL_AUTH_AES_GMAC, keysizemin=128, keysizemax=256
000 algorithm AH/ESP auth: name=AES_CMAC_96, key-length=128
000 algorithm AH/ESP auth: name=AES_XCBC_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_MD5_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_SHA1_96, key-length=160
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_128, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_TRUNCBUG, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_384_192, key-length=384
000 algorithm AH/ESP auth: name=HMAC_SHA2_512_256, key-length=512
000 algorithm AH/ESP auth: name=NONE, key-length=0
000
000 IKE algorithms supported:
000
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=28, v2name=CHACHA20_POLY1305, blocksize=16, keydeflen=256
000 algorithm IKE PRF: name=HMAC_MD5, hashlen=16
000 algorithm IKE PRF: name=HMAC_SHA1, hashlen=20
000 algorithm IKE PRF: name=HMAC_SHA2_256, hashlen=32
000 algorithm IKE PRF: name=HMAC_SHA2_384, hashlen=48
000 algorithm IKE PRF: name=HMAC_SHA2_512, hashlen=64
000 algorithm IKE PRF: name=AES_XCBC, hashlen=16
000 algorithm IKE DH Key Exchange: name=MODP1536, bits=1536
000 algorithm IKE DH Key Exchange: name=MODP2048, bits=2048
000 algorithm IKE DH Key Exchange: name=MODP3072, bits=3072
000 algorithm IKE DH Key Exchange: name=MODP4096, bits=4096
000 algorithm IKE DH Key Exchange: name=MODP6144, bits=6144
000 algorithm IKE DH Key Exchange: name=MODP8192, bits=8192
000 algorithm IKE DH Key Exchange: name=DH19, bits=512
000 algorithm IKE DH Key Exchange: name=DH20, bits=768
000 algorithm IKE DH Key Exchange: name=DH21, bits=1056
000 algorithm IKE DH Key Exchange: name=DH31, bits=256
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 Connection list:
000
000 "bypass": 10.8.174.130<%bond0>...%opportunisticgroup; unrouted; eroute owner: #0
000 "bypass": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "bypass": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "bypass": our auth:never, their auth:never, our autheap:none, their autheap:none;
000 "bypass": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "bypass": sec_label:unset;
000 "bypass": ike_life: 0s; ipsec_life: 0s; ipsec_max_bytes: 0B; ipsec_max_packets: 0; replay_window: 0; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;
000 "bypass": retransmit-interval: 0ms; retransmit-timeout: 0s; iketcp:no; iketcp-port:0;
000 "bypass": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "bypass": policy: IKEv2+AUTH_NEVER+OPPORTUNISTIC+GROUP+GROUTED+PASS+NEVER_NEGOTIATE;
000 "bypass": v2-auth-hash-policy: none;
000 "bypass": conn_prio: 32,0; interface: bond0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "bypass": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:no;
000 "bypass": our idtype: ID_IPV4_ADDR; our id=10.8.174.130; their idtype: %none; their id=(none)
000 "bypass": liveness: passive; dpdaction:disabled; dpddelay:0s; retransmit-timeout:0s
000 "bypass": nat-traversal: encaps:no; keepalive:no
000 "bypass": newest IKE SA: #0; newest IPsec SA: #0; conn serial: $1;
000 "bypass#0.0.0.0/0-(0--1--0)": 10.8.174.130/32:ICMP/0===10.8.174.130<%bond0>...%opportunistic===0.0.0.0/0:ICMP/0; prospective erouted; eroute owner: #0
000 "bypass#0.0.0.0/0-(0--1--0)": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "bypass#0.0.0.0/0-(0--1--0)": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "bypass#0.0.0.0/0-(0--1--0)": our auth:never, their auth:never, our autheap:none, their autheap:none;
000 "bypass#0.0.0.0/0-(0--1--0)": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "bypass#0.0.0.0/0-(0--1--0)": sec_label:unset;
000 "bypass#0.0.0.0/0-(0--1--0)": ike_life: 0s; ipsec_life: 0s; ipsec_max_bytes: 0B; ipsec_max_packets: 0; replay_window: 0; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;
000 "bypass#0.0.0.0/0-(0--1--0)": retransmit-interval: 0ms; retransmit-timeout: 0s; iketcp:no; iketcp-port:0;
000 "bypass#0.0.0.0/0-(0--1--0)": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "bypass#0.0.0.0/0-(0--1--0)": policy: IKEv2+AUTH_NEVER+OPPORTUNISTIC+GROUPINSTANCE+PASS+NEVER_NEGOTIATE;
000 "bypass#0.0.0.0/0-(0--1--0)": v2-auth-hash-policy: none;
000 "bypass#0.0.0.0/0-(0--1--0)": conn_prio: 32,0; interface: bond0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "bypass#0.0.0.0/0-(0--1--0)": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:no;
000 "bypass#0.0.0.0/0-(0--1--0)": our idtype: ID_IPV4_ADDR; our id=10.8.174.130; their idtype: %none; their id=(none)
000 "bypass#0.0.0.0/0-(0--1--0)": liveness: passive; dpdaction:disabled; dpddelay:0s; retransmit-timeout:0s
000 "bypass#0.0.0.0/0-(0--1--0)": nat-traversal: encaps:no; keepalive:no
000 "bypass#0.0.0.0/0-(0--1--0)": newest IKE SA: #0; newest IPsec SA: #0; conn serial: $10, instantiated from: $1;
000 "bypass#0.0.0.0/0-(0--6--10350)": 10.8.174.130/32:TCP/0-65535===10.8.174.130<%bond0>...%opportunistic===0.0.0.0/0:TCP/10350; prospective erouted; eroute owner: #0
000 "bypass#0.0.0.0/0-(0--6--10350)": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "bypass#0.0.0.0/0-(0--6--10350)": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "bypass#0.0.0.0/0-(0--6--10350)": our auth:never, their auth:never, our autheap:none, their autheap:none;
000 "bypass#0.0.0.0/0-(0--6--10350)": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "bypass#0.0.0.0/0-(0--6--10350)": sec_label:unset;
000 "bypass#0.0.0.0/0-(0--6--10350)": ike_life: 0s; ipsec_life: 0s; ipsec_max_bytes: 0B; ipsec_max_packets: 0; replay_window: 0; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;
000 "bypass#0.0.0.0/0-(0--6--10350)": retransmit-interval: 0ms; retransmit-timeout: 0s; iketcp:no; iketcp-port:0;
000 "bypass#0.0.0.0/0-(0--6--10350)": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "bypass#0.0.0.0/0-(0--6--10350)": policy: IKEv2+AUTH_NEVER+OPPORTUNISTIC+GROUPINSTANCE+PASS+NEVER_NEGOTIATE;
000 "bypass#0.0.0.0/0-(0--6--10350)": v2-auth-hash-policy: none;
000 "bypass#0.0.0.0/0-(0--6--10350)": conn_prio: 32,0; interface: bond0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "bypass#0.0.0.0/0-(0--6--10350)": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:no;
000 "bypass#0.0.0.0/0-(0--6--10350)": our idtype: ID_IPV4_ADDR; our id=10.8.174.130; their idtype: %none; their id=(none)
000 "bypass#0.0.0.0/0-(0--6--10350)": liveness: passive; dpdaction:disabled; dpddelay:0s; retransmit-timeout:0s
000 "bypass#0.0.0.0/0-(0--6--10350)": nat-traversal: encaps:no; keepalive:no
000 "bypass#0.0.0.0/0-(0--6--10350)": newest IKE SA: #0; newest IPsec SA: #0; conn serial: $12, instantiated from: $1;
000 "bypass#0.0.0.0/0-(10350--6--0)": 10.8.174.130/32:TCP/10350===10.8.174.130<%bond0>...%opportunistic===0.0.0.0/0:TCP/0-65535; prospective erouted; eroute owner: #0
000 "bypass#0.0.0.0/0-(10350--6--0)": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "bypass#0.0.0.0/0-(10350--6--0)": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "bypass#0.0.0.0/0-(10350--6--0)": our auth:never, their auth:never, our autheap:none, their autheap:none;
000 "bypass#0.0.0.0/0-(10350--6--0)": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "bypass#0.0.0.0/0-(10350--6--0)": sec_label:unset;
000 "bypass#0.0.0.0/0-(10350--6--0)": ike_life: 0s; ipsec_life: 0s; ipsec_max_bytes: 0B; ipsec_max_packets: 0; replay_window: 0; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;
000 "bypass#0.0.0.0/0-(10350--6--0)": retransmit-interval: 0ms; retransmit-timeout: 0s; iketcp:no; iketcp-port:0;
000 "bypass#0.0.0.0/0-(10350--6--0)": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "bypass#0.0.0.0/0-(10350--6--0)": policy: IKEv2+AUTH_NEVER+OPPORTUNISTIC+GROUPINSTANCE+PASS+NEVER_NEGOTIATE;
000 "bypass#0.0.0.0/0-(10350--6--0)": v2-auth-hash-policy: none;
000 "bypass#0.0.0.0/0-(10350--6--0)": conn_prio: 32,0; interface: bond0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "bypass#0.0.0.0/0-(10350--6--0)": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:no;
000 "bypass#0.0.0.0/0-(10350--6--0)": our idtype: ID_IPV4_ADDR; our id=10.8.174.130; their idtype: %none; their id=(none)
000 "bypass#0.0.0.0/0-(10350--6--0)": liveness: passive; dpdaction:disabled; dpddelay:0s; retransmit-timeout:0s
000 "bypass#0.0.0.0/0-(10350--6--0)": nat-traversal: encaps:no; keepalive:no
000 "bypass#0.0.0.0/0-(10350--6--0)": newest IKE SA: #0; newest IPsec SA: #0; conn serial: $11, instantiated from: $1;
000 "bypass#0.0.0.0/0-(22--6--0)": 10.8.174.130/32:TCP/22===10.8.174.130<%bond0>...%opportunistic===0.0.0.0/0:TCP/0-65535; prospective erouted; eroute owner: #0
000 "bypass#0.0.0.0/0-(22--6--0)": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "bypass#0.0.0.0/0-(22--6--0)": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "bypass#0.0.0.0/0-(22--6--0)": our auth:never, their auth:never, our autheap:none, their autheap:none;
000 "bypass#0.0.0.0/0-(22--6--0)": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "bypass#0.0.0.0/0-(22--6--0)": sec_label:unset;
000 "bypass#0.0.0.0/0-(22--6--0)": ike_life: 0s; ipsec_life: 0s; ipsec_max_bytes: 0B; ipsec_max_packets: 0; replay_window: 0; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;
000 "bypass#0.0.0.0/0-(22--6--0)": retransmit-interval: 0ms; retransmit-timeout: 0s; iketcp:no; iketcp-port:0;
000 "bypass#0.0.0.0/0-(22--6--0)": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "bypass#0.0.0.0/0-(22--6--0)": policy: IKEv2+AUTH_NEVER+OPPORTUNISTIC+GROUPINSTANCE+PASS+NEVER_NEGOTIATE;
000 "bypass#0.0.0.0/0-(22--6--0)": v2-auth-hash-policy: none;
000 "bypass#0.0.0.0/0-(22--6--0)": conn_prio: 32,0; interface: bond0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "bypass#0.0.0.0/0-(22--6--0)": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:no;
000 "bypass#0.0.0.0/0-(22--6--0)": our idtype: ID_IPV4_ADDR; our id=10.8.174.130; their idtype: %none; their id=(none)
000 "bypass#0.0.0.0/0-(22--6--0)": liveness: passive; dpdaction:disabled; dpddelay:0s; retransmit-timeout:0s
000 "bypass#0.0.0.0/0-(22--6--0)": nat-traversal: encaps:no; keepalive:no
000 "bypass#0.0.0.0/0-(22--6--0)": newest IKE SA: #0; newest IPsec SA: #0; conn serial: $9, instantiated from: $1;
000 "bypass#10.8.174.66/32": 10.8.174.130<%bond0>...%opportunistic===10.8.174.66/32; prospective erouted; eroute owner: #0
000 "bypass#10.8.174.66/32": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "bypass#10.8.174.66/32": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "bypass#10.8.174.66/32": our auth:never, their auth:never, our autheap:none, their autheap:none;
000 "bypass#10.8.174.66/32": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "bypass#10.8.174.66/32": sec_label:unset;
000 "bypass#10.8.174.66/32": ike_life: 0s; ipsec_life: 0s; ipsec_max_bytes: 0B; ipsec_max_packets: 0; replay_window: 0; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;
000 "bypass#10.8.174.66/32": retransmit-interval: 0ms; retransmit-timeout: 0s; iketcp:no; iketcp-port:0;
000 "bypass#10.8.174.66/32": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "bypass#10.8.174.66/32": policy: IKEv2+AUTH_NEVER+OPPORTUNISTIC+GROUPINSTANCE+PASS+NEVER_NEGOTIATE;
000 "bypass#10.8.174.66/32": v2-auth-hash-policy: none;
000 "bypass#10.8.174.66/32": conn_prio: 32,32; interface: bond0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "bypass#10.8.174.66/32": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:no;
000 "bypass#10.8.174.66/32": our idtype: ID_IPV4_ADDR; our id=10.8.174.130; their idtype: %none; their id=(none)
000 "bypass#10.8.174.66/32": liveness: passive; dpdaction:disabled; dpddelay:0s; retransmit-timeout:0s
000 "bypass#10.8.174.66/32": nat-traversal: encaps:no; keepalive:no
000 "bypass#10.8.174.66/32": newest IKE SA: #0; newest IPsec SA: #0; conn serial: $8, instantiated from: $1;
000 "bypass#10.8.174.67/32": 10.8.174.130<%bond0>...%opportunistic===10.8.174.67/32; prospective erouted; eroute owner: #0
000 "bypass#10.8.174.67/32": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "bypass#10.8.174.67/32": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "bypass#10.8.174.67/32": our auth:never, their auth:never, our autheap:none, their autheap:none;
000 "bypass#10.8.174.67/32": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "bypass#10.8.174.67/32": sec_label:unset;
000 "bypass#10.8.174.67/32": ike_life: 0s; ipsec_life: 0s; ipsec_max_bytes: 0B; ipsec_max_packets: 0; replay_window: 0; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;
000 "bypass#10.8.174.67/32": retransmit-interval: 0ms; retransmit-timeout: 0s; iketcp:no; iketcp-port:0;
000 "bypass#10.8.174.67/32": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "bypass#10.8.174.67/32": policy: IKEv2+AUTH_NEVER+OPPORTUNISTIC+GROUPINSTANCE+PASS+NEVER_NEGOTIATE;
000 "bypass#10.8.174.67/32": v2-auth-hash-policy: none;
000 "bypass#10.8.174.67/32": conn_prio: 32,32; interface: bond0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "bypass#10.8.174.67/32": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:no;
000 "bypass#10.8.174.67/32": our idtype: ID_IPV4_ADDR; our id=10.8.174.130; their idtype: %none; their id=(none)
000 "bypass#10.8.174.67/32": liveness: passive; dpdaction:disabled; dpddelay:0s; retransmit-timeout:0s
000 "bypass#10.8.174.67/32": nat-traversal: encaps:no; keepalive:no
000 "bypass#10.8.174.67/32": newest IKE SA: #0; newest IPsec SA: #0; conn serial: $7, instantiated from: $1;
000 "bypass#10.8.174.68/32": 10.8.174.130<%bond0>...%opportunistic===10.8.174.68/32; prospective erouted; eroute owner: #0
000 "bypass#10.8.174.68/32": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "bypass#10.8.174.68/32": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "bypass#10.8.174.68/32": our auth:never, their auth:never, our autheap:none, their autheap:none;
000 "bypass#10.8.174.68/32": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "bypass#10.8.174.68/32": sec_label:unset;
000 "bypass#10.8.174.68/32": ike_life: 0s; ipsec_life: 0s; ipsec_max_bytes: 0B; ipsec_max_packets: 0; replay_window: 0; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;
000 "bypass#10.8.174.68/32": retransmit-interval: 0ms; retransmit-timeout: 0s; iketcp:no; iketcp-port:0;
000 "bypass#10.8.174.68/32": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "bypass#10.8.174.68/32": policy: IKEv2+AUTH_NEVER+OPPORTUNISTIC+GROUPINSTANCE+PASS+NEVER_NEGOTIATE;
000 "bypass#10.8.174.68/32": v2-auth-hash-policy: none;
000 "bypass#10.8.174.68/32": conn_prio: 32,32; interface: bond0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "bypass#10.8.174.68/32": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:no;
000 "bypass#10.8.174.68/32": our idtype: ID_IPV4_ADDR; our id=10.8.174.130; their idtype: %none; their id=(none)
000 "bypass#10.8.174.68/32": liveness: passive; dpdaction:disabled; dpddelay:0s; retransmit-timeout:0s
000 "bypass#10.8.174.68/32": nat-traversal: encaps:no; keepalive:no
000 "bypass#10.8.174.68/32": newest IKE SA: #0; newest IPsec SA: #0; conn serial: $6, instantiated from: $1;
000 "bypass#10.8.174.69/32": 10.8.174.130<%bond0>...%opportunistic===10.8.174.69/32; prospective erouted; eroute owner: #0
000 "bypass#10.8.174.69/32": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "bypass#10.8.174.69/32": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "bypass#10.8.174.69/32": our auth:never, their auth:never, our autheap:none, their autheap:none;
000 "bypass#10.8.174.69/32": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "bypass#10.8.174.69/32": sec_label:unset;
000 "bypass#10.8.174.69/32": ike_life: 0s; ipsec_life: 0s; ipsec_max_bytes: 0B; ipsec_max_packets: 0; replay_window: 0; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;
000 "bypass#10.8.174.69/32": retransmit-interval: 0ms; retransmit-timeout: 0s; iketcp:no; iketcp-port:0;
000 "bypass#10.8.174.69/32": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "bypass#10.8.174.69/32": policy: IKEv2+AUTH_NEVER+OPPORTUNISTIC+GROUPINSTANCE+PASS+NEVER_NEGOTIATE;
000 "bypass#10.8.174.69/32": v2-auth-hash-policy: none;
000 "bypass#10.8.174.69/32": conn_prio: 32,32; interface: bond0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "bypass#10.8.174.69/32": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:no;
000 "bypass#10.8.174.69/32": our idtype: ID_IPV4_ADDR; our id=10.8.174.130; their idtype: %none; their id=(none)
000 "bypass#10.8.174.69/32": liveness: passive; dpdaction:disabled; dpddelay:0s; retransmit-timeout:0s
000 "bypass#10.8.174.69/32": nat-traversal: encaps:no; keepalive:no
000 "bypass#10.8.174.69/32": newest IKE SA: #0; newest IPsec SA: #0; conn serial: $5, instantiated from: $1;
000 "bypass#10.8.174.70/32": 10.8.174.130<%bond0>...%opportunistic===10.8.174.70/32; prospective erouted; eroute owner: #0
000 "bypass#10.8.174.70/32": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "bypass#10.8.174.70/32": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "bypass#10.8.174.70/32": our auth:never, their auth:never, our autheap:none, their autheap:none;
000 "bypass#10.8.174.70/32": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "bypass#10.8.174.70/32": sec_label:unset;
000 "bypass#10.8.174.70/32": ike_life: 0s; ipsec_life: 0s; ipsec_max_bytes: 0B; ipsec_max_packets: 0; replay_window: 0; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;
000 "bypass#10.8.174.70/32": retransmit-interval: 0ms; retransmit-timeout: 0s; iketcp:no; iketcp-port:0;
000 "bypass#10.8.174.70/32": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "bypass#10.8.174.70/32": policy: IKEv2+AUTH_NEVER+OPPORTUNISTIC+GROUPINSTANCE+PASS+NEVER_NEGOTIATE;
000 "bypass#10.8.174.70/32": v2-auth-hash-policy: none;
000 "bypass#10.8.174.70/32": conn_prio: 32,32; interface: bond0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "bypass#10.8.174.70/32": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:no;
000 "bypass#10.8.174.70/32": our idtype: ID_IPV4_ADDR; our id=10.8.174.130; their idtype: %none; their id=(none)
000 "bypass#10.8.174.70/32": liveness: passive; dpdaction:disabled; dpddelay:0s; retransmit-timeout:0s
000 "bypass#10.8.174.70/32": nat-traversal: encaps:no; keepalive:no
000 "bypass#10.8.174.70/32": newest IKE SA: #0; newest IPsec SA: #0; conn serial: $4, instantiated from: $1;
000 "bypass#10.8.174.71/32": 10.8.174.130<%bond0>...%opportunistic===10.8.174.71/32; prospective erouted; eroute owner: #0
000 "bypass#10.8.174.71/32": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "bypass#10.8.174.71/32": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "bypass#10.8.174.71/32": our auth:never, their auth:never, our autheap:none, their autheap:none;
000 "bypass#10.8.174.71/32": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "bypass#10.8.174.71/32": sec_label:unset;
000 "bypass#10.8.174.71/32": ike_life: 0s; ipsec_life: 0s; ipsec_max_bytes: 0B; ipsec_max_packets: 0; replay_window: 0; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;
000 "bypass#10.8.174.71/32": retransmit-interval: 0ms; retransmit-timeout: 0s; iketcp:no; iketcp-port:0;
000 "bypass#10.8.174.71/32": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "bypass#10.8.174.71/32": policy: IKEv2+AUTH_NEVER+OPPORTUNISTIC+GROUPINSTANCE+PASS+NEVER_NEGOTIATE;
000 "bypass#10.8.174.71/32": v2-auth-hash-policy: none;
000 "bypass#10.8.174.71/32": conn_prio: 32,32; interface: bond0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "bypass#10.8.174.71/32": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:no;
000 "bypass#10.8.174.71/32": our idtype: ID_IPV4_ADDR; our id=10.8.174.130; their idtype: %none; their id=(none)
000 "bypass#10.8.174.71/32": liveness: passive; dpdaction:disabled; dpddelay:0s; retransmit-timeout:0s
000 "bypass#10.8.174.71/32": nat-traversal: encaps:no; keepalive:no
000 "bypass#10.8.174.71/32": newest IKE SA: #0; newest IPsec SA: #0; conn serial: $3, instantiated from: $1;
000 "bypass#10.8.175.0/24": 10.8.174.130<%bond0>...%opportunistic===10.8.175.0/24; prospective erouted; eroute owner: #0
000 "bypass#10.8.175.0/24": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "bypass#10.8.175.0/24": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "bypass#10.8.175.0/24": our auth:never, their auth:never, our autheap:none, their autheap:none;
000 "bypass#10.8.175.0/24": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "bypass#10.8.175.0/24": sec_label:unset;
000 "bypass#10.8.175.0/24": ike_life: 0s; ipsec_life: 0s; ipsec_max_bytes: 0B; ipsec_max_packets: 0; replay_window: 0; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;
000 "bypass#10.8.175.0/24": retransmit-interval: 0ms; retransmit-timeout: 0s; iketcp:no; iketcp-port:0;
000 "bypass#10.8.175.0/24": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "bypass#10.8.175.0/24": policy: IKEv2+AUTH_NEVER+OPPORTUNISTIC+GROUPINSTANCE+PASS+NEVER_NEGOTIATE;
000 "bypass#10.8.175.0/24": v2-auth-hash-policy: none;
000 "bypass#10.8.175.0/24": conn_prio: 32,24; interface: bond0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "bypass#10.8.175.0/24": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:no;
000 "bypass#10.8.175.0/24": our idtype: ID_IPV4_ADDR; our id=10.8.174.130; their idtype: %none; their id=(none)
000 "bypass#10.8.175.0/24": liveness: passive; dpdaction:disabled; dpddelay:0s; retransmit-timeout:0s
000 "bypass#10.8.175.0/24": nat-traversal: encaps:no; keepalive:no
000 "bypass#10.8.175.0/24": newest IKE SA: #0; newest IPsec SA: #0; conn serial: $17, instantiated from: $1;
000 "bypass#11.73.0.0/16-(0--17--8888)": 10.8.174.130/32:UDP/0-65535===10.8.174.130<%bond0>...%opportunistic===11.73.0.0/16:UDP/8888; prospective erouted; eroute owner: #0
000 "bypass#11.73.0.0/16-(0--17--8888)": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "bypass#11.73.0.0/16-(0--17--8888)": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "bypass#11.73.0.0/16-(0--17--8888)": our auth:never, their auth:never, our autheap:none, their autheap:none;
000 "bypass#11.73.0.0/16-(0--17--8888)": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "bypass#11.73.0.0/16-(0--17--8888)": sec_label:unset;
000 "bypass#11.73.0.0/16-(0--17--8888)": ike_life: 0s; ipsec_life: 0s; ipsec_max_bytes: 0B; ipsec_max_packets: 0; replay_window: 0; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;
000 "bypass#11.73.0.0/16-(0--17--8888)": retransmit-interval: 0ms; retransmit-timeout: 0s; iketcp:no; iketcp-port:0;
000 "bypass#11.73.0.0/16-(0--17--8888)": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "bypass#11.73.0.0/16-(0--17--8888)": policy: IKEv2+AUTH_NEVER+OPPORTUNISTIC+GROUPINSTANCE+PASS+NEVER_NEGOTIATE;
000 "bypass#11.73.0.0/16-(0--17--8888)": v2-auth-hash-policy: none;
000 "bypass#11.73.0.0/16-(0--17--8888)": conn_prio: 32,16; interface: bond0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "bypass#11.73.0.0/16-(0--17--8888)": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:no;
000 "bypass#11.73.0.0/16-(0--17--8888)": our idtype: ID_IPV4_ADDR; our id=10.8.174.130; their idtype: %none; their id=(none)
000 "bypass#11.73.0.0/16-(0--17--8888)": liveness: passive; dpdaction:disabled; dpddelay:0s; retransmit-timeout:0s
000 "bypass#11.73.0.0/16-(0--17--8888)": nat-traversal: encaps:no; keepalive:no
000 "bypass#11.73.0.0/16-(0--17--8888)": newest IKE SA: #0; newest IPsec SA: #0; conn serial: $14, instantiated from: $1;
000 "bypass#11.73.0.0/16-(0--6--443)": 10.8.174.130/32:TCP/0-65535===10.8.174.130<%bond0>...%opportunistic===11.73.0.0/16:TCP/443; prospective erouted; eroute owner: #0
000 "bypass#11.73.0.0/16-(0--6--443)": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "bypass#11.73.0.0/16-(0--6--443)": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "bypass#11.73.0.0/16-(0--6--443)": our auth:never, their auth:never, our autheap:none, their autheap:none;
000 "bypass#11.73.0.0/16-(0--6--443)": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "bypass#11.73.0.0/16-(0--6--443)": sec_label:unset;
000 "bypass#11.73.0.0/16-(0--6--443)": ike_life: 0s; ipsec_life: 0s; ipsec_max_bytes: 0B; ipsec_max_packets: 0; replay_window: 0; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;
000 "bypass#11.73.0.0/16-(0--6--443)": retransmit-interval: 0ms; retransmit-timeout: 0s; iketcp:no; iketcp-port:0;
000 "bypass#11.73.0.0/16-(0--6--443)": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "bypass#11.73.0.0/16-(0--6--443)": policy: IKEv2+AUTH_NEVER+OPPORTUNISTIC+GROUPINSTANCE+PASS+NEVER_NEGOTIATE;
000 "bypass#11.73.0.0/16-(0--6--443)": v2-auth-hash-policy: none;
000 "bypass#11.73.0.0/16-(0--6--443)": conn_prio: 32,16; interface: bond0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "bypass#11.73.0.0/16-(0--6--443)": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:no;
000 "bypass#11.73.0.0/16-(0--6--443)": our idtype: ID_IPV4_ADDR; our id=10.8.174.130; their idtype: %none; their id=(none)
000 "bypass#11.73.0.0/16-(0--6--443)": liveness: passive; dpdaction:disabled; dpddelay:0s; retransmit-timeout:0s
000 "bypass#11.73.0.0/16-(0--6--443)": nat-traversal: encaps:no; keepalive:no
000 "bypass#11.73.0.0/16-(0--6--443)": newest IKE SA: #0; newest IPsec SA: #0; conn serial: $15, instantiated from: $1;
000 "bypass#11.73.0.0/16-(0--6--8888)": 10.8.174.130/32:TCP/0-65535===10.8.174.130<%bond0>...%opportunistic===11.73.0.0/16:TCP/8888; prospective erouted; eroute owner: #0
000 "bypass#11.73.0.0/16-(0--6--8888)": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "bypass#11.73.0.0/16-(0--6--8888)": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "bypass#11.73.0.0/16-(0--6--8888)": our auth:never, their auth:never, our autheap:none, their autheap:none;
000 "bypass#11.73.0.0/16-(0--6--8888)": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "bypass#11.73.0.0/16-(0--6--8888)": sec_label:unset;
000 "bypass#11.73.0.0/16-(0--6--8888)": ike_life: 0s; ipsec_life: 0s; ipsec_max_bytes: 0B; ipsec_max_packets: 0; replay_window: 0; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;
000 "bypass#11.73.0.0/16-(0--6--8888)": retransmit-interval: 0ms; retransmit-timeout: 0s; iketcp:no; iketcp-port:0;
000 "bypass#11.73.0.0/16-(0--6--8888)": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "bypass#11.73.0.0/16-(0--6--8888)": policy: IKEv2+AUTH_NEVER+OPPORTUNISTIC+GROUPINSTANCE+PASS+NEVER_NEGOTIATE;
000 "bypass#11.73.0.0/16-(0--6--8888)": v2-auth-hash-policy: none;
000 "bypass#11.73.0.0/16-(0--6--8888)": conn_prio: 32,16; interface: bond0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "bypass#11.73.0.0/16-(0--6--8888)": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:no;
000 "bypass#11.73.0.0/16-(0--6--8888)": our idtype: ID_IPV4_ADDR; our id=10.8.174.130; their idtype: %none; their id=(none)
000 "bypass#11.73.0.0/16-(0--6--8888)": liveness: passive; dpdaction:disabled; dpddelay:0s; retransmit-timeout:0s
000 "bypass#11.73.0.0/16-(0--6--8888)": nat-traversal: encaps:no; keepalive:no
000 "bypass#11.73.0.0/16-(0--6--8888)": newest IKE SA: #0; newest IPsec SA: #0; conn serial: $13, instantiated from: $1;
000 "bypass#192.168.0.0/16-(0--17--8888)": 10.8.174.130/32:UDP/0-65535===10.8.174.130<%bond0>...%opportunistic===192.168.0.0/16:UDP/8888; prospective erouted; eroute owner: #0
000 "bypass#192.168.0.0/16-(0--17--8888)": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "bypass#192.168.0.0/16-(0--17--8888)": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "bypass#192.168.0.0/16-(0--17--8888)": our auth:never, their auth:never, our autheap:none, their autheap:none;
000 "bypass#192.168.0.0/16-(0--17--8888)": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "bypass#192.168.0.0/16-(0--17--8888)": sec_label:unset;
000 "bypass#192.168.0.0/16-(0--17--8888)": ike_life: 0s; ipsec_life: 0s; ipsec_max_bytes: 0B; ipsec_max_packets: 0; replay_window: 0; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;
000 "bypass#192.168.0.0/16-(0--17--8888)": retransmit-interval: 0ms; retransmit-timeout: 0s; iketcp:no; iketcp-port:0;
000 "bypass#192.168.0.0/16-(0--17--8888)": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "bypass#192.168.0.0/16-(0--17--8888)": policy: IKEv2+AUTH_NEVER+OPPORTUNISTIC+GROUPINSTANCE+PASS+NEVER_NEGOTIATE;
000 "bypass#192.168.0.0/16-(0--17--8888)": v2-auth-hash-policy: none;
000 "bypass#192.168.0.0/16-(0--17--8888)": conn_prio: 32,16; interface: bond0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "bypass#192.168.0.0/16-(0--17--8888)": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:no;
000 "bypass#192.168.0.0/16-(0--17--8888)": our idtype: ID_IPV4_ADDR; our id=10.8.174.130; their idtype: %none; their id=(none)
000 "bypass#192.168.0.0/16-(0--17--8888)": liveness: passive; dpdaction:disabled; dpddelay:0s; retransmit-timeout:0s
000 "bypass#192.168.0.0/16-(0--17--8888)": nat-traversal: encaps:no; keepalive:no
000 "bypass#192.168.0.0/16-(0--17--8888)": newest IKE SA: #0; newest IPsec SA: #0; conn serial: $19, instantiated from: $1;
000 "bypass#192.168.0.0/16-(0--6--443)": 10.8.174.130/32:TCP/0-65535===10.8.174.130<%bond0>...%opportunistic===192.168.0.0/16:TCP/443; prospective erouted; eroute owner: #0
000 "bypass#192.168.0.0/16-(0--6--443)": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "bypass#192.168.0.0/16-(0--6--443)": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "bypass#192.168.0.0/16-(0--6--443)": our auth:never, their auth:never, our autheap:none, their autheap:none;
000 "bypass#192.168.0.0/16-(0--6--443)": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "bypass#192.168.0.0/16-(0--6--443)": sec_label:unset;
000 "bypass#192.168.0.0/16-(0--6--443)": ike_life: 0s; ipsec_life: 0s; ipsec_max_bytes: 0B; ipsec_max_packets: 0; replay_window: 0; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;
000 "bypass#192.168.0.0/16-(0--6--443)": retransmit-interval: 0ms; retransmit-timeout: 0s; iketcp:no; iketcp-port:0;
000 "bypass#192.168.0.0/16-(0--6--443)": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "bypass#192.168.0.0/16-(0--6--443)": policy: IKEv2+AUTH_NEVER+OPPORTUNISTIC+GROUPINSTANCE+PASS+NEVER_NEGOTIATE;
000 "bypass#192.168.0.0/16-(0--6--443)": v2-auth-hash-policy: none;
000 "bypass#192.168.0.0/16-(0--6--443)": conn_prio: 32,16; interface: bond0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "bypass#192.168.0.0/16-(0--6--443)": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:no;
000 "bypass#192.168.0.0/16-(0--6--443)": our idtype: ID_IPV4_ADDR; our id=10.8.174.130; their idtype: %none; their id=(none)
000 "bypass#192.168.0.0/16-(0--6--443)": liveness: passive; dpdaction:disabled; dpddelay:0s; retransmit-timeout:0s
000 "bypass#192.168.0.0/16-(0--6--443)": nat-traversal: encaps:no; keepalive:no
000 "bypass#192.168.0.0/16-(0--6--443)": newest IKE SA: #0; newest IPsec SA: #0; conn serial: $16, instantiated from: $1;
000 "bypass#192.168.0.0/16-(0--6--8888)": 10.8.174.130/32:TCP/0-65535===10.8.174.130<%bond0>...%opportunistic===192.168.0.0/16:TCP/8888; prospective erouted; eroute owner: #0
000 "bypass#192.168.0.0/16-(0--6--8888)": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "bypass#192.168.0.0/16-(0--6--8888)": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "bypass#192.168.0.0/16-(0--6--8888)": our auth:never, their auth:never, our autheap:none, their autheap:none;
000 "bypass#192.168.0.0/16-(0--6--8888)": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "bypass#192.168.0.0/16-(0--6--8888)": sec_label:unset;
000 "bypass#192.168.0.0/16-(0--6--8888)": ike_life: 0s; ipsec_life: 0s; ipsec_max_bytes: 0B; ipsec_max_packets: 0; replay_window: 0; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;
000 "bypass#192.168.0.0/16-(0--6--8888)": retransmit-interval: 0ms; retransmit-timeout: 0s; iketcp:no; iketcp-port:0;
000 "bypass#192.168.0.0/16-(0--6--8888)": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "bypass#192.168.0.0/16-(0--6--8888)": policy: IKEv2+AUTH_NEVER+OPPORTUNISTIC+GROUPINSTANCE+PASS+NEVER_NEGOTIATE;
000 "bypass#192.168.0.0/16-(0--6--8888)": v2-auth-hash-policy: none;
000 "bypass#192.168.0.0/16-(0--6--8888)": conn_prio: 32,16; interface: bond0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "bypass#192.168.0.0/16-(0--6--8888)": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:no;
000 "bypass#192.168.0.0/16-(0--6--8888)": our idtype: ID_IPV4_ADDR; our id=10.8.174.130; their idtype: %none; their id=(none)
000 "bypass#192.168.0.0/16-(0--6--8888)": liveness: passive; dpdaction:disabled; dpddelay:0s; retransmit-timeout:0s
000 "bypass#192.168.0.0/16-(0--6--8888)": nat-traversal: encaps:no; keepalive:no
000 "bypass#192.168.0.0/16-(0--6--8888)": newest IKE SA: #0; newest IPsec SA: #0; conn serial: $18, instantiated from: $1;
000 "private": 10.8.174.130<%bond0>...%opportunisticgroup; unrouted; eroute owner: #0
000 "private": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "private": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "private": our auth:secret, their auth:secret, our autheap:none, their autheap:none;
000 "private": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "private": sec_label:unset;
000 "private": ike_life: 28800s; ipsec_life: 28800s; ipsec_max_bytes: 2^63B; ipsec_max_packets: 2^63; replay_window: 128; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1;
000 "private": retransmit-interval: 500ms; retransmit-timeout: 60s; iketcp:no; iketcp-port:4500;
000 "private": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "private": policy: IKEv2+PSK+ENCRYPT+PFS+DONT_REKEY+OPPORTUNISTIC+GROUP+GROUTED+IKE_FRAG_ALLOW+ESN_NO+ESN_YES+NEGO_PASS;
000 "private": v2-auth-hash-policy: none;
000 "private": conn_prio: 32,0; interface: bond0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "private": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "private": our idtype: ID_IPV4_ADDR; our id=10.8.174.130; their idtype: %none; their id=(none)
000 "private": liveness: passive; dpdaction:hold; dpddelay:0s; retransmit-timeout:60s
000 "private": nat-traversal: encaps:auto; keepalive:20s
000 "private": newest IKE SA: #0; newest IPsec SA: #0; conn serial: $2;
000 "private": ESP algorithms: AES_GCM_16-NONE
000 "private#10.8.128.0/17": 10.8.174.130<%bond0>...%opportunistic===10.8.128.0/17; unrouted; eroute owner: #0
000 "private#10.8.128.0/17": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "private#10.8.128.0/17": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "private#10.8.128.0/17": our auth:secret, their auth:secret, our autheap:none, their autheap:none;
000 "private#10.8.128.0/17": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "private#10.8.128.0/17": sec_label:unset;
000 "private#10.8.128.0/17": ike_life: 28800s; ipsec_life: 28800s; ipsec_max_bytes: 2^63B; ipsec_max_packets: 2^63; replay_window: 128; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1;
000 "private#10.8.128.0/17": retransmit-interval: 500ms; retransmit-timeout: 60s; iketcp:no; iketcp-port:4500;
000 "private#10.8.128.0/17": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "private#10.8.128.0/17": policy: IKEv2+PSK+ENCRYPT+PFS+DONT_REKEY+OPPORTUNISTIC+GROUPINSTANCE+IKE_FRAG_ALLOW+ESN_NO+ESN_YES+NEGO_PASS;
000 "private#10.8.128.0/17": v2-auth-hash-policy: none;
000 "private#10.8.128.0/17": conn_prio: 32,17; interface: bond0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "private#10.8.128.0/17": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "private#10.8.128.0/17": our idtype: ID_IPV4_ADDR; our id=10.8.174.130; their idtype: %none; their id=(none)
000 "private#10.8.128.0/17": liveness: passive; dpdaction:hold; dpddelay:0s; retransmit-timeout:60s
000 "private#10.8.128.0/17": nat-traversal: encaps:auto; keepalive:20s
000 "private#10.8.128.0/17": newest IKE SA: #0; newest IPsec SA: #0; conn serial: $27, instantiated from: $2;
000 "private#10.8.128.0/17": ESP algorithms: AES_GCM_16-NONE
000 "private#10.8.128.0/17"[1]: 10.8.174.130<%bond0>...10.8.174.73; erouted; eroute owner: #2
000 "private#10.8.128.0/17"[1]: oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "private#10.8.128.0/17"[1]: xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "private#10.8.128.0/17"[1]: our auth:secret, their auth:secret, our autheap:none, their autheap:none;
000 "private#10.8.128.0/17"[1]: modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "private#10.8.128.0/17"[1]: sec_label:unset;
000 "private#10.8.128.0/17"[1]: ike_life: 28800s; ipsec_life: 28800s; ipsec_max_bytes: 2^63B; ipsec_max_packets: 2^63; replay_window: 128; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1;
000 "private#10.8.128.0/17"[1]: retransmit-interval: 500ms; retransmit-timeout: 60s; iketcp:no; iketcp-port:4500;
000 "private#10.8.128.0/17"[1]: initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "private#10.8.128.0/17"[1]: policy: IKEv2+PSK+ENCRYPT+PFS+DONT_REKEY+OPPORTUNISTIC+GROUPINSTANCE+IKE_FRAG_ALLOW+ESN_NO+ESN_YES+NEGO_PASS;
000 "private#10.8.128.0/17"[1]: v2-auth-hash-policy: none;
000 "private#10.8.128.0/17"[1]: conn_prio: 32,32; interface: bond0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "private#10.8.128.0/17"[1]: nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "private#10.8.128.0/17"[1]: our idtype: ID_IPV4_ADDR; our id=10.8.174.130; their idtype: ID_IPV4_ADDR; their id=10.8.174.73
000 "private#10.8.128.0/17"[1]: liveness: passive; dpdaction:hold; dpddelay:0s; retransmit-timeout:60s
000 "private#10.8.128.0/17"[1]: nat-traversal: encaps:auto; keepalive:20s
000 "private#10.8.128.0/17"[1]: newest IKE SA: #1; newest IPsec SA: #2; conn serial: $28, instantiated from: $27;
000 "private#10.8.128.0/17"[1]: IKEv2 algorithm newest: AES_GCM_16_256-HMAC_SHA2_512-MODP2048
000 "private#10.8.128.0/17"[1]: ESP algorithms: AES_GCM_16-NONE
000 "private#10.8.128.0/17"[1]: ESP algorithm newest: AES_GCM_16_128-NONE; pfsgroup=<Phase1>
000 "private#10.8.128.0/17"[2]: 10.8.174.130<%bond0>...10.8.174.132; erouted; eroute owner: #4
000 "private#10.8.128.0/17"[2]: oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "private#10.8.128.0/17"[2]: xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "private#10.8.128.0/17"[2]: our auth:secret, their auth:secret, our autheap:none, their autheap:none;
000 "private#10.8.128.0/17"[2]: modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "private#10.8.128.0/17"[2]: sec_label:unset;
000 "private#10.8.128.0/17"[2]: ike_life: 28800s; ipsec_life: 28800s; ipsec_max_bytes: 2^63B; ipsec_max_packets: 2^63; replay_window: 128; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1;
000 "private#10.8.128.0/17"[2]: retransmit-interval: 500ms; retransmit-timeout: 60s; iketcp:no; iketcp-port:4500;
000 "private#10.8.128.0/17"[2]: initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "private#10.8.128.0/17"[2]: policy: IKEv2+PSK+ENCRYPT+PFS+DONT_REKEY+OPPORTUNISTIC+GROUPINSTANCE+IKE_FRAG_ALLOW+ESN_NO+ESN_YES+NEGO_PASS;
000 "private#10.8.128.0/17"[2]: v2-auth-hash-policy: none;
000 "private#10.8.128.0/17"[2]: conn_prio: 32,32; interface: bond0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "private#10.8.128.0/17"[2]: nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "private#10.8.128.0/17"[2]: our idtype: ID_IPV4_ADDR; our id=10.8.174.130; their idtype: ID_IPV4_ADDR; their id=10.8.174.132
000 "private#10.8.128.0/17"[2]: liveness: passive; dpdaction:hold; dpddelay:0s; retransmit-timeout:60s
000 "private#10.8.128.0/17"[2]: nat-traversal: encaps:auto; keepalive:20s
000 "private#10.8.128.0/17"[2]: newest IKE SA: #3; newest IPsec SA: #4; conn serial: $29, instantiated from: $27;
000 "private#10.8.128.0/17"[2]: IKEv2 algorithm newest: AES_GCM_16_256-HMAC_SHA2_512-MODP2048
000 "private#10.8.128.0/17"[2]: ESP algorithms: AES_GCM_16-NONE
000 "private#10.8.128.0/17"[2]: ESP algorithm newest: AES_GCM_16_128-NONE; pfsgroup=<Phase1>
000 "private#11.111.65.65/32": 10.8.174.130<%bond0>...%opportunistic===11.111.65.65/32; prospective erouted; eroute owner: #0
000 "private#11.111.65.65/32": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "private#11.111.65.65/32": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "private#11.111.65.65/32": our auth:secret, their auth:secret, our autheap:none, their autheap:none;
000 "private#11.111.65.65/32": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "private#11.111.65.65/32": sec_label:unset;
000 "private#11.111.65.65/32": ike_life: 28800s; ipsec_life: 28800s; ipsec_max_bytes: 2^63B; ipsec_max_packets: 2^63; replay_window: 128; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1;
000 "private#11.111.65.65/32": retransmit-interval: 500ms; retransmit-timeout: 60s; iketcp:no; iketcp-port:4500;
000 "private#11.111.65.65/32": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "private#11.111.65.65/32": policy: IKEv2+PSK+ENCRYPT+PFS+DONT_REKEY+OPPORTUNISTIC+GROUPINSTANCE+IKE_FRAG_ALLOW+ESN_NO+ESN_YES+NEGO_PASS;
000 "private#11.111.65.65/32": v2-auth-hash-policy: none;
000 "private#11.111.65.65/32": conn_prio: 32,32; interface: bond0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "private#11.111.65.65/32": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "private#11.111.65.65/32": our idtype: ID_IPV4_ADDR; our id=10.8.174.130; their idtype: %none; their id=(none)
000 "private#11.111.65.65/32": liveness: passive; dpdaction:hold; dpddelay:0s; retransmit-timeout:60s
000 "private#11.111.65.65/32": nat-traversal: encaps:auto; keepalive:20s
000 "private#11.111.65.65/32": newest IKE SA: #0; newest IPsec SA: #0; conn serial: $23, instantiated from: $2;
000 "private#11.111.65.65/32": ESP algorithms: AES_GCM_16-NONE
000 "private#11.111.65.66/32": 10.8.174.130<%bond0>...%opportunistic===11.111.65.66/32; prospective erouted; eroute owner: #0
000 "private#11.111.65.66/32": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "private#11.111.65.66/32": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "private#11.111.65.66/32": our auth:secret, their auth:secret, our autheap:none, their autheap:none;
000 "private#11.111.65.66/32": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "private#11.111.65.66/32": sec_label:unset;
000 "private#11.111.65.66/32": ike_life: 28800s; ipsec_life: 28800s; ipsec_max_bytes: 2^63B; ipsec_max_packets: 2^63; replay_window: 128; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1;
000 "private#11.111.65.66/32": retransmit-interval: 500ms; retransmit-timeout: 60s; iketcp:no; iketcp-port:4500;
000 "private#11.111.65.66/32": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "private#11.111.65.66/32": policy: IKEv2+PSK+ENCRYPT+PFS+DONT_REKEY+OPPORTUNISTIC+GROUPINSTANCE+IKE_FRAG_ALLOW+ESN_NO+ESN_YES+NEGO_PASS;
000 "private#11.111.65.66/32": v2-auth-hash-policy: none;
000 "private#11.111.65.66/32": conn_prio: 32,32; interface: bond0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "private#11.111.65.66/32": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "private#11.111.65.66/32": our idtype: ID_IPV4_ADDR; our id=10.8.174.130; their idtype: %none; their id=(none)
000 "private#11.111.65.66/32": liveness: passive; dpdaction:hold; dpddelay:0s; retransmit-timeout:60s
000 "private#11.111.65.66/32": nat-traversal: encaps:auto; keepalive:20s
000 "private#11.111.65.66/32": newest IKE SA: #0; newest IPsec SA: #0; conn serial: $22, instantiated from: $2;
000 "private#11.111.65.66/32": ESP algorithms: AES_GCM_16-NONE
000 "private#11.121.0.0/16": 10.8.174.130<%bond0>...%opportunistic===11.121.0.0/16; prospective erouted; eroute owner: #0
000 "private#11.121.0.0/16": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "private#11.121.0.0/16": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "private#11.121.0.0/16": our auth:secret, their auth:secret, our autheap:none, their autheap:none;
000 "private#11.121.0.0/16": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "private#11.121.0.0/16": sec_label:unset;
000 "private#11.121.0.0/16": ike_life: 28800s; ipsec_life: 28800s; ipsec_max_bytes: 2^63B; ipsec_max_packets: 2^63; replay_window: 128; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1;
000 "private#11.121.0.0/16": retransmit-interval: 500ms; retransmit-timeout: 60s; iketcp:no; iketcp-port:4500;
000 "private#11.121.0.0/16": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "private#11.121.0.0/16": policy: IKEv2+PSK+ENCRYPT+PFS+DONT_REKEY+OPPORTUNISTIC+GROUPINSTANCE+IKE_FRAG_ALLOW+ESN_NO+ESN_YES+NEGO_PASS;
000 "private#11.121.0.0/16": v2-auth-hash-policy: none;
000 "private#11.121.0.0/16": conn_prio: 32,16; interface: bond0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "private#11.121.0.0/16": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "private#11.121.0.0/16": our idtype: ID_IPV4_ADDR; our id=10.8.174.130; their idtype: %none; their id=(none)
000 "private#11.121.0.0/16": liveness: passive; dpdaction:hold; dpddelay:0s; retransmit-timeout:60s
000 "private#11.121.0.0/16": nat-traversal: encaps:auto; keepalive:20s
000 "private#11.121.0.0/16": newest IKE SA: #0; newest IPsec SA: #0; conn serial: $26, instantiated from: $2;
000 "private#11.121.0.0/16": ESP algorithms: AES_GCM_16-NONE
000 "private#11.73.0.0/16": 10.8.174.130<%bond0>...%opportunistic===11.73.0.0/16; prospective erouted; eroute owner: #0
000 "private#11.73.0.0/16": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "private#11.73.0.0/16": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "private#11.73.0.0/16": our auth:secret, their auth:secret, our autheap:none, their autheap:none;
000 "private#11.73.0.0/16": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "private#11.73.0.0/16": sec_label:unset;
000 "private#11.73.0.0/16": ike_life: 28800s; ipsec_life: 28800s; ipsec_max_bytes: 2^63B; ipsec_max_packets: 2^63; replay_window: 128; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1;
000 "private#11.73.0.0/16": retransmit-interval: 500ms; retransmit-timeout: 60s; iketcp:no; iketcp-port:4500;
000 "private#11.73.0.0/16": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "private#11.73.0.0/16": policy: IKEv2+PSK+ENCRYPT+PFS+DONT_REKEY+OPPORTUNISTIC+GROUPINSTANCE+IKE_FRAG_ALLOW+ESN_NO+ESN_YES+NEGO_PASS;
000 "private#11.73.0.0/16": v2-auth-hash-policy: none;
000 "private#11.73.0.0/16": conn_prio: 32,16; interface: bond0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "private#11.73.0.0/16": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "private#11.73.0.0/16": our idtype: ID_IPV4_ADDR; our id=10.8.174.130; their idtype: %none; their id=(none)
000 "private#11.73.0.0/16": liveness: passive; dpdaction:hold; dpddelay:0s; retransmit-timeout:60s
000 "private#11.73.0.0/16": nat-traversal: encaps:auto; keepalive:20s
000 "private#11.73.0.0/16": newest IKE SA: #0; newest IPsec SA: #0; conn serial: $25, instantiated from: $2;
000 "private#11.73.0.0/16": ESP algorithms: AES_GCM_16-NONE
000 "private#11.74.0.0/16": 10.8.174.130<%bond0>...%opportunistic===11.74.0.0/16; prospective erouted; eroute owner: #0
000 "private#11.74.0.0/16": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "private#11.74.0.0/16": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "private#11.74.0.0/16": our auth:secret, their auth:secret, our autheap:none, their autheap:none;
000 "private#11.74.0.0/16": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "private#11.74.0.0/16": sec_label:unset;
000 "private#11.74.0.0/16": ike_life: 28800s; ipsec_life: 28800s; ipsec_max_bytes: 2^63B; ipsec_max_packets: 2^63; replay_window: 128; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1;
000 "private#11.74.0.0/16": retransmit-interval: 500ms; retransmit-timeout: 60s; iketcp:no; iketcp-port:4500;
000 "private#11.74.0.0/16": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "private#11.74.0.0/16": policy: IKEv2+PSK+ENCRYPT+PFS+DONT_REKEY+OPPORTUNISTIC+GROUPINSTANCE+IKE_FRAG_ALLOW+ESN_NO+ESN_YES+NEGO_PASS;
000 "private#11.74.0.0/16": v2-auth-hash-policy: none;
000 "private#11.74.0.0/16": conn_prio: 32,16; interface: bond0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "private#11.74.0.0/16": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "private#11.74.0.0/16": our idtype: ID_IPV4_ADDR; our id=10.8.174.130; their idtype: %none; their id=(none)
000 "private#11.74.0.0/16": liveness: passive; dpdaction:hold; dpddelay:0s; retransmit-timeout:60s
000 "private#11.74.0.0/16": nat-traversal: encaps:auto; keepalive:20s
000 "private#11.74.0.0/16": newest IKE SA: #0; newest IPsec SA: #0; conn serial: $24, instantiated from: $2;
000 "private#11.74.0.0/16": ESP algorithms: AES_GCM_16-NONE
000 "private#192.168.0.0/16": 10.8.174.130<%bond0>...%opportunistic===192.168.0.0/16; prospective erouted; eroute owner: #0
000 "private#192.168.0.0/16": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "private#192.168.0.0/16": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "private#192.168.0.0/16": our auth:secret, their auth:secret, our autheap:none, their autheap:none;
000 "private#192.168.0.0/16": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "private#192.168.0.0/16": sec_label:unset;
000 "private#192.168.0.0/16": ike_life: 28800s; ipsec_life: 28800s; ipsec_max_bytes: 2^63B; ipsec_max_packets: 2^63; replay_window: 128; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1;
000 "private#192.168.0.0/16": retransmit-interval: 500ms; retransmit-timeout: 60s; iketcp:no; iketcp-port:4500;
000 "private#192.168.0.0/16": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "private#192.168.0.0/16": policy: IKEv2+PSK+ENCRYPT+PFS+DONT_REKEY+OPPORTUNISTIC+GROUPINSTANCE+IKE_FRAG_ALLOW+ESN_NO+ESN_YES+NEGO_PASS;
000 "private#192.168.0.0/16": v2-auth-hash-policy: none;
000 "private#192.168.0.0/16": conn_prio: 32,16; interface: bond0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "private#192.168.0.0/16": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "private#192.168.0.0/16": our idtype: ID_IPV4_ADDR; our id=10.8.174.130; their idtype: %none; their id=(none)
000 "private#192.168.0.0/16": liveness: passive; dpdaction:hold; dpddelay:0s; retransmit-timeout:60s
000 "private#192.168.0.0/16": nat-traversal: encaps:auto; keepalive:20s
000 "private#192.168.0.0/16": newest IKE SA: #0; newest IPsec SA: #0; conn serial: $21, instantiated from: $2;
000 "private#192.168.0.0/16": ESP algorithms: AES_GCM_16-NONE
000 "private#3.3.3.3/32": 10.8.174.130<%bond0>...%opportunistic===3.3.3.3/32; prospective erouted; eroute owner: #0
000 "private#3.3.3.3/32": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "private#3.3.3.3/32": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "private#3.3.3.3/32": our auth:secret, their auth:secret, our autheap:none, their autheap:none;
000 "private#3.3.3.3/32": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "private#3.3.3.3/32": sec_label:unset;
000 "private#3.3.3.3/32": ike_life: 28800s; ipsec_life: 28800s; ipsec_max_bytes: 2^63B; ipsec_max_packets: 2^63; replay_window: 128; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1;
000 "private#3.3.3.3/32": retransmit-interval: 500ms; retransmit-timeout: 60s; iketcp:no; iketcp-port:4500;
000 "private#3.3.3.3/32": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "private#3.3.3.3/32": policy: IKEv2+PSK+ENCRYPT+PFS+DONT_REKEY+OPPORTUNISTIC+GROUPINSTANCE+IKE_FRAG_ALLOW+ESN_NO+ESN_YES+NEGO_PASS;
000 "private#3.3.3.3/32": v2-auth-hash-policy: none;
000 "private#3.3.3.3/32": conn_prio: 32,32; interface: bond0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "private#3.3.3.3/32": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "private#3.3.3.3/32": our idtype: ID_IPV4_ADDR; our id=10.8.174.130; their idtype: %none; their id=(none)
000 "private#3.3.3.3/32": liveness: passive; dpdaction:hold; dpddelay:0s; retransmit-timeout:60s
000 "private#3.3.3.3/32": nat-traversal: encaps:auto; keepalive:20s
000 "private#3.3.3.3/32": newest IKE SA: #0; newest IPsec SA: #0; conn serial: $20, instantiated from: $2;
000 "private#3.3.3.3/32": ESP algorithms: AES_GCM_16-NONE
000
000 Total IPsec connections: loaded 29, active 2
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(2), half-open(0), open(0), authenticated(2), anonymous(0)
000 IPsec SAs: total(2), authenticated(2), anonymous(0)
000
000 #1: "private#10.8.128.0/17"[1] ...10.8.174.73:500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EXPIRE in 28797s; newest; idle;
000 #2: "private#10.8.128.0/17"[1] ...10.8.174.73:500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); EXPIRE in 28797s; newest; eroute owner; IKE SA #1; idle;
000 #2: "private#10.8.128.0/17"[1] ...10.8.174.73 [email protected] [email protected] Traffic: ESPin=20B ESPout=40B ESPmax=2^63B
000 #3: "private#10.8.128.0/17"[2] ...10.8.174.132:500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EXPIRE in 28797s; newest; idle;
000 #4: "private#10.8.128.0/17"[2] ...10.8.174.132:500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); EXPIRE in 28797s; newest; eroute owner; IKE SA #3; idle;
000 #4: "private#10.8.128.0/17"[2] ...10.8.174.132 [email protected] [email protected] Traffic: ESPin=12KB ESPout=89KB ESPmax=2^63B
000
000 Bare Shunt list:
000
Then I typed ipsec shuntstatus, and it echoed:
000 Bare Shunt list:
000
By the way, this cluster runs programs similar to NFS, and their control planes maintain long-lived TCP connections. Therefore, while ipsec is restarting, it is highly likely that IKE requests have already arrived from other servers. I can't guarantee that IKE requests will only arrive after pluto has loaded the policy completely.
for reference https://testing.libreswan.org/v4.9-587-g6b0b227fc2-main/
Are there any methods by which I can let pluto reload private#10.8.128.0/17 after it fails, such as ipsec whack and so on? And how can I do it?
To avoid the problem where the policy is being loaded while an IKE message arrives, so that private#10.8.128.0/17 cannot be loaded, I tried not to start pluto at the same time on all the servers in the cluster, starting them at a certain time interval instead. For example, server1 starts first, server2 starts a few seconds later, and so on. This resulted in a more serious problem: all the servers had incomplete PO and SA. For example, on 10.8.174.132 (which started first):
PO only has one direction: 10.8.174.135/32---->10.8.174.132/32,reqid:16513
PO only has one direction: 10.8.174.133/32---->10.8.174.132/32,reqid:16505
PO only has one direction: 10.8.174.130/32---->10.8.174.132/32,reqid:16497
PO only has one direction: 10.8.174.131/32---->10.8.174.132/32,reqid:16509
PO only has one direction: 10.8.174.134/32---->10.8.174.132/32,reqid:16501
SA has both direction.
As a result, the outgoing packets are dropped. The server can't connect with the others. Server 10.8.174.133, which started second:
PO only has one direction:10.8.174.134/32---->10.8.174.133/32,reqid:16509
PO only has one direction:10.8.174.135/32---->10.8.174.133/32,reqid:16513
PO only has one direction:10.8.174.131/32---->10.8.174.133/32,reqid:16501
PO only has one direction:10.8.174.130/32---->10.8.174.133/32,reqid:16497
The PO and SA on a server that started earlier, for a server that started later, cannot work: they all lack the outgoing-direction PO. What's more, over time, this situation does not recover on its own. The machines cannot communicate with each other. Below is a section of the log about this exception:
Jul 12 14:35:46.300412: "private#10.8.128.0/17"[5] ...10.8.174.135 #5: STATE_V2_PARENT_I1: retransmission; will wait 1 seconds for response
Jul 12 14:35:47.300488: "private#10.8.128.0/17"[5] ...10.8.174.135 #5: STATE_V2_PARENT_I1: retransmission; will wait 2 seconds for response
Jul 12 14:35:49.300692: "private#10.8.128.0/17"[5] ...10.8.174.135 #5: STATE_V2_PARENT_I1: retransmission; will wait 4 seconds for response
Jul 12 14:35:51.047912: "private#10.8.128.0/17"[5] ...10.8.174.135 #12: received duplicate IKE_SA_INIT message request (Message ID 0); retransmitting response
Jul 12 14:35:51.050612: "private#10.8.128.0/17"[5] ...10.8.174.135 #12: processing decrypted IKE_AUTH request: SK{IDi,AUTH,SA,TSi,TSr,N(USE_TRANSPORT_MODE)}
Jul 12 14:35:51.050721: "private#10.8.128.0/17"[5] ...10.8.174.135 #12: responder established IKE SA; authenticated peer using authby=secret and ID_IPV4_ADDR '10.8.174.135'
Jul 12 14:35:51.051072: | kernel: get_ipsec_spi() 10.8.174.135-ESP->10.8.174.132 reqid=4081 [1000,ffffffff] for SPI ...
Jul 12 14:35:51.094027: "private#10.8.128.0/17"[5] ...10.8.174.135 #15: responder established Child SA using #12; IPsec transport [10.8.174.132-10.8.174.132:0-65535 0] -> [10.8.174.135-10.8.174.135:0-65535 0] {ESP/ESN=>0x6eafcbf3 <0xe8f3747f xfrm=AES_GCM_16_128-NONE DPD=passive}
Jul 12 14:35:53.301416: "private#10.8.128.0/17"[5] ...10.8.174.135 #5: suppressing retransmit because IKE SA was superseded #12 try=1; drop this negotiation
Jul 12 14:35:53.301441: "private#10.8.128.0/17"[5] ...10.8.174.135 #5: deleting state (STATE_V2_PARENT_I1) aged 8.003979s and NOT sending notification
Jul 12 14:36:38.905633: "private#10.8.128.0/17"[5] ...10.8.174.135 #12: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 48.357756s and sending notification
Jul 12 14:36:38.905826: "private#10.8.128.0/17"[5] ...10.8.174.135 #15: ESP traffic information: in=148KiB out=19KiB
Jul 12 14:36:39.462481: ERROR: kernel: xfrm XFRM_MSG_DELPOLICY delete(UNUSED) response for flow (out): No such file or directory (errno 2)
Jul 12 14:36:39.462488: failed to delete kernel policy bare shunt 0x7f526e101998 10.8.174.132/32->10.8.174.135/32 => NONE 0 oe-failed
This can be replicated stably:
1. The ipsec of both server1 and server2 is stopped.
2. server1 starts ipsec.
3. server1 ssh server2, and ipsec of server2 is not stopped.
4. After a few seconds, server2 ipsec starts, and soon server2 ssh server1. This triggers server2 to send an IKE request to server1.
5. The preceding phenomenon occurs after server2 and server1 have communicated for a short time.
The PO & SA on server1:
PO:
src 172.16.74.125/32 dst 172.16.74.128/32
dir in priority 2801856 ptype main
tmpl src 0.0.0.0 dst 0.0.0.0
proto esp reqid 16401 mode transport
SA:
src 172.16.74.125 dst 172.16.74.128
proto esp spi 0x92b79182 reqid 16401 mode transport
replay-window 0
aead rfc4106(gcm(aes)) 0x7f5a8d09d077d7c1777ae3ce8196017b810d02dd 128
sel src 172.16.74.125/32 dst 172.16.74.128/32
src 172.16.74.128 dst 172.16.74.125
proto esp spi 0xf2abf307 reqid 16401 mode transport
replay-window 0
aead rfc4106(gcm(aes)) 0xa2b4570a3a9b7ebbf6f495a645aa2fefd1e7b7c4 128
sel src 172.16.74.128/32 dst 172.16.74.125/32
The log of server1:
Jul 12 15:12:27.828555: initiate on-demand for packet 172.16.74.128-TCP->172.16.74.125:22
Jul 12 15:12:28.331143: "private#172.16.74.0/24"[1] ...172.16.74.125 #1: STATE_V2_PARENT_I1: retransmission; will wait 0.5 seconds for response
Jul 12 15:12:28.831558: "private#172.16.74.0/24"[1] ...172.16.74.125 #1: STATE_V2_PARENT_I1: retransmission; will wait 1 seconds for response
Jul 12 15:12:29.832939: "private#172.16.74.0/24"[1] ...172.16.74.125 #1: STATE_V2_PARENT_I1: retransmission; will wait 2 seconds for response
Jul 12 15:12:31.834100: "private#172.16.74.0/24"[1] ...172.16.74.125 #1: STATE_V2_PARENT_I1: retransmission; will wait 4 seconds for response
Jul 12 15:12:35.835516: "private#172.16.74.0/24"[1] ...172.16.74.125 #1: STATE_V2_PARENT_I1: retransmission; will wait 8 seconds for response
Jul 12 15:12:41.857338: "private#172.16.74.0/24"[1] ...172.16.74.125 #2: initiator guessed wrong keying material group (ECP_256); responding with INVALID_KE_PAYLOAD requesting MODP2048
Jul 12 15:12:41.857381: "private#172.16.74.0/24"[1] ...172.16.74.125 #2: responding to IKE_SA_INIT message (ID 0) from 172.16.74.125:500 with unencrypted notification INVALID_KE_PAYLOAD
Jul 12 15:12:41.857393: "private#172.16.74.0/24"[1] ...172.16.74.125 #2: encountered fatal error in state STATE_V2_PARENT_R0
Jul 12 15:12:41.857427: "private#172.16.74.0/24"[1] ...172.16.74.125 #2: deleting state (STATE_V2_PARENT_R0) aged 0.000144s and NOT sending notification
Jul 12 15:12:41.863092: "private#172.16.74.0/24"[1] ...172.16.74.125 #3: processing decrypted IKE_AUTH request: SK{IDi,AUTH,SA,TSi,TSr,N(USE_TRANSPORT_MODE)}
Jul 12 15:12:41.863204: "private#172.16.74.0/24"[1] ...172.16.74.125 #3: responder established IKE SA; authenticated peer using authby=secret and ID_IPV4_ADDR '172.16.74.125'
Jul 12 15:12:41.863367: | kernel: get_ipsec_spi() 172.16.74.125-ESP->172.16.74.128 reqid=4011 [1000,ffffffff] for SPI ...
Jul 12 15:12:41.979107: "private#172.16.74.0/24"[1] ...172.16.74.125 #4: responder established Child SA using #3; IPsec transport [172.16.74.128-172.16.74.128:0-65535 0] -> [172.16.74.125-172.16.74.125:0-65535 0] {ESP=>0xf2abf307 <0x92b79182 xfrm=AES_GCM_16_128-NONE DPD=passive}
Jul 12 15:12:43.837163: "private#172.16.74.0/24"[1] ...172.16.74.125 #1: suppressing retransmit because IKE SA was superseded #3 try=1; drop this negotiation
Jul 12 15:12:43.837201: "private#172.16.74.0/24"[1] ...172.16.74.125 #1: deleting state (STATE_V2_PARENT_I1) aged 16.00858s and NOT sending notification
Jul 12 15:14:55.826226: | xfrm_user_acquire id { daddr: xfrm_address_t spi: 0 proto: 32 saddr: struct xfrm_address_t sel: struct xfrm_selector} policy { lft { soft_add_expires_seconds=0 hard_add_expires_seconds=0 soft_use_expires_seconds=0 hard_use_expires_seconds=0} curlft { add_time=>0 use_time=0} } aalgos: 4294967295 ealgos: 4294967295 calgos: 4294967295 seq: 8
Jul 12 15:14:55.826271: | xfrm_user_tmpl { id: xfrm_id id family: 2 saddr: xfrm_address_t reqid: 0 mode: 0 share: 0 optional: 0 aalgos: 4294967295 ealgos: 4294967295 calgos: 4294967295}
Jul 12 15:14:55.826276: | xfrm_userpolicy_type { type: 0}
Jul 12 15:14:55.826293: ignoring found existing connection instance "private#172.16.74.0/24"[1] ...172.16.74.125 that covers kernel acquire with IKE state #3 and IPsec state #4 - due to duplicate acquire?
Jul 12 15:15:36.140755: | xfrm_user_acquire id { daddr: xfrm_address_t spi: 0 proto: 32 saddr: struct xfrm_address_t sel: struct xfrm_selector} policy { lft { soft_add_expires_seconds=0 hard_add_expires_seconds=0 soft_use_expires_seconds=0 hard_use_expires_seconds=0} curlft { add_time=>0 use_time=0} } aalgos: 4294967295 ealgos: 4294967295 calgos: 4294967295 seq: 9
Jul 12 15:15:36.140791: | xfrm_user_tmpl { id: xfrm_id id family: 2 saddr: xfrm_address_t reqid: 0 mode: 0 share: 0 optional: 0 aalgos: 4294967295 ealgos: 4294967295 calgos: 4294967295}
Jul 12 15:15:36.140795: | xfrm_userpolicy_type { type: 0}
Jul 12 15:15:36.140812: ignoring found existing connection instance "private#172.16.74.0/24"[1] ...172.16.74.125 that covers kernel acquire with IKE state #3 and IPsec state #4 - due to duplicate acquire?
Jul 12 15:16:19.148091: | xfrm_user_acquire id { daddr: xfrm_address_t spi: 0 proto: 32 saddr: struct xfrm_address_t sel: struct xfrm_selector} policy { lft { soft_add_expires_seconds=0 hard_add_expires_seconds=0 soft_use_expires_seconds=0 hard_use_expires_seconds=0} curlft { add_time=>0 use_time=0} } aalgos: 4294967295 ealgos: 4294967295 calgos: 4294967295 seq: 10
Jul 12 15:16:19.148142: | xfrm_user_tmpl { id: xfrm_id id family: 2 saddr: xfrm_address_t reqid: 0 mode: 0 share: 0 optional: 0 aalgos: 4294967295 ealgos: 4294967295 calgos: 4294967295}
Jul 12 15:16:19.148147: | xfrm_userpolicy_type { type: 0}
Jul 12 15:16:19.148165: ignoring found existing connection instance "private#172.16.74.0/24"[1] ...172.16.74.125 that covers kernel acquire with IKE state #3 and IPsec state #4 - due to duplicate acquire?
Jul 12 15:18:22.026634: | xfrm_user_acquire id { daddr: xfrm_address_t spi: 0 proto: 32 saddr: struct xfrm_address_t sel: struct xfrm_selector} policy { lft { soft_add_expires_seconds=0 hard_add_expires_seconds=0 soft_use_expires_seconds=0 hard_use_expires_seconds=0} curlft { add_time=>0 use_time=0} } aalgos: 4294967295 ealgos: 4294967295 calgos: 4294967295 seq: 11
Jul 12 15:18:22.026676: | xfrm_user_tmpl { id: xfrm_id id family: 2 saddr: xfrm_address_t reqid: 0 mode: 0 share: 0 optional: 0 aalgos: 4294967295 ealgos: 4294967295 calgos: 4294967295}
Jul 12 15:18:22.026680: | xfrm_userpolicy_type { type: 0}
Jul 12 15:18:22.026697: ignoring found existing connection instance "private#172.16.74.0/24"[1] ...172.16.74.125 that covers kernel acquire with IKE state #3 and IPsec state #4 - due to duplicate acquire?
Jul 12 15:20:24.905540: | xfrm_user_acquire id { daddr: xfrm_address_t spi: 0 proto: 32 saddr: struct xfrm_address_t sel: struct xfrm_selector} policy { lft { soft_add_expires_seconds=0 hard_add_expires_seconds=0 soft_use_expires_seconds=0 hard_use_expires_seconds=0} curlft { add_time=>0 use_time=0} } aalgos: 4294967295 ealgos: 4294967295 calgos: 4294967295 seq: 12
Jul 12 15:20:24.905579: | xfrm_user_tmpl { id: xfrm_id id family: 2 saddr: xfrm_address_t reqid: 0 mode: 0 share: 0 optional: 0 aalgos: 4294967295 ealgos: 4294967295 calgos: 4294967295}
Jul 12 15:20:24.905583: | xfrm_userpolicy_type { type: 0}
Jul 12 15:20:24.905601: ignoring found existing connection instance "private#172.16.74.0/24"[1] ...172.16.74.125 that covers kernel acquire with IKE state #3 and IPsec state #4 - due to duplicate acquire?
The PO & SA on server2:
PO:
src 172.16.74.125/32 dst 172.16.74.128/32
dir out priority 3129279 ptype main
tmpl src 0.0.0.0 dst 0.0.0.0
proto esp reqid 16405 mode transport
src 172.16.74.128/32 dst 172.16.74.125/32
dir in priority 3129279 ptype main
tmpl src 0.0.0.0 dst 0.0.0.0
proto esp reqid 16405 mode transport
SA:
src 172.16.74.128 dst 172.16.74.125
proto esp spi 0xf2abf307 reqid 16405 mode transport
replay-window 32
aead rfc4106(gcm(aes)) 0xa2b4570a3a9b7ebbf6f495a645aa2fefd1e7b7c4 128
anti-replay context: seq 0x11, oseq 0x0, bitmap 0x0001ffff
sel src 172.16.74.128/32 dst 172.16.74.125/32
src 172.16.74.125 dst 172.16.74.128
proto esp spi 0x92b79182 reqid 16405 mode transport
replay-window 32
aead rfc4106(gcm(aes)) 0x7f5a8d09d077d7c1777ae3ce8196017b810d02dd 128
anti-replay context: seq 0x0, oseq 0x30, bitmap 0x00000000
sel src 172.16.74.125/32 dst 172.16.74.128/32
The log of server2:
Jul 12 15:12:35.826495: "private#172.16.74.0/24"[1] ...172.16.74.128: local IKE proposals (IKE SA responder matching remote proposals):
Jul 12 15:12:35.826525: "private#172.16.74.0/24"[1] ...172.16.74.128: 1:IKE=AES_GCM_C_256-HMAC_SHA2_512+HMAC_SHA2_256-NONE-ECP_256+ECP_384+ECP_521+MODP2048+MODP3072+MODP4096+MODP8192
Jul 12 15:12:35.826531: "private#172.16.74.0/24"[1] ...172.16.74.128: 2:IKE=CHACHA20_POLY1305-HMAC_SHA2_512+HMAC_SHA2_256-NONE-ECP_256+ECP_384+ECP_521+MODP2048+MODP3072+MODP4096+MODP8192
Jul 12 15:12:35.826536: "private#172.16.74.0/24"[1] ...172.16.74.128: 3:IKE=AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-ECP_256+ECP_384+ECP_521+MODP2048+MODP3072+MODP4096+MODP8192
Jul 12 15:12:35.826540: "private#172.16.74.0/24"[1] ...172.16.74.128: 4:IKE=AES_GCM_C_128-HMAC_SHA2_512+HMAC_SHA2_256-NONE-ECP_256+ECP_384+ECP_521+MODP2048+MODP3072+MODP4096+MODP8192
Jul 12 15:12:35.826544: "private#172.16.74.0/24"[1] ...172.16.74.128: 5:IKE=AES_CBC_128-HMAC_SHA2_256-HMAC_SHA2_256_128-ECP_256+ECP_384+ECP_521+MODP2048+MODP3072+MODP4096+MODP8192
Jul 12 15:12:35.826563: "private#172.16.74.0/24"[1] ...172.16.74.128 #1: initiator guessed wrong keying material group (MODP2048); responding with INVALID_KE_PAYLOAD requesting DH19
Jul 12 15:12:35.826571: "private#172.16.74.0/24"[1] ...172.16.74.128 #1: responding to IKE_SA_INIT message (ID 0) from 172.16.74.128:500 with unencrypted notification INVALID_KE_PAYLOAD
Jul 12 15:12:35.826586: "private#172.16.74.0/24"[1] ...172.16.74.128 #1: state transition 'Respond to IKE_SA_INIT' failed
Jul 12 15:12:35.826623: "private#172.16.74.0/24"[1] ...172.16.74.128 #1: deleting state (STATE_V2_PARENT_R0) aged 0.000156s and NOT sending notification
Jul 12 15:12:41.845559: initiate on demand by acquire from 172.16.74.125:0 to 172.16.74.128:22 proto=TCP
Jul 12 15:12:41.845630: "private#172.16.74.0/24"[2] ...172.16.74.128: local IKE proposals (IKE SA initiator selecting KE):
Jul 12 15:12:41.845639: "private#172.16.74.0/24"[2] ...172.16.74.128: 1:IKE=AES_GCM_C_256-HMAC_SHA2_512+HMAC_SHA2_256-NONE-ECP_256+ECP_384+ECP_521+MODP2048+MODP3072+MODP4096+MODP8192
Jul 12 15:12:41.845643: "private#172.16.74.0/24"[2] ...172.16.74.128: 2:IKE=CHACHA20_POLY1305-HMAC_SHA2_512+HMAC_SHA2_256-NONE-ECP_256+ECP_384+ECP_521+MODP2048+MODP3072+MODP4096+MODP8192
Jul 12 15:12:41.845667: "private#172.16.74.0/24"[2] ...172.16.74.128: 3:IKE=AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-ECP_256+ECP_384+ECP_521+MODP2048+MODP3072+MODP4096+MODP8192
Jul 12 15:12:41.845673: "private#172.16.74.0/24"[2] ...172.16.74.128: 4:IKE=AES_GCM_C_128-HMAC_SHA2_512+HMAC_SHA2_256-NONE-ECP_256+ECP_384+ECP_521+MODP2048+MODP3072+MODP4096+MODP8192
Jul 12 15:12:41.845679: "private#172.16.74.0/24"[2] ...172.16.74.128: 5:IKE=AES_CBC_128-HMAC_SHA2_256-HMAC_SHA2_256_128-ECP_256+ECP_384+ECP_521+MODP2048+MODP3072+MODP4096+MODP8192
Jul 12 15:12:41.848174: "private#172.16.74.0/24"[2] ...172.16.74.128 #2: Received unauthenticated INVALID_KE_PAYLOAD response to DH DH19; resending with suggested DH MODP2048
Jul 12 15:12:41.852624: "private#172.16.74.0/24"[2] ...172.16.74.128: local ESP/AH proposals (IKE SA initiator emitting ESP/AH proposals):
Jul 12 15:12:41.852652: "private#172.16.74.0/24"[2] ...172.16.74.128: 1:ESP=AES_GCM_C_128+AES_GCM_C_256-NONE-NONE-DISABLED
Jul 12 15:12:41.972491: "private#172.16.74.0/24"[2] ...172.16.74.128 #2: established IKE SA; authenticated using authby=secret and peer ID_IPV4_ADDR '172.16.74.128'
Jul 12 15:12:42.122552: "private#172.16.74.0/24"[2] ...172.16.74.128 #3: established Child SA; IPsec transport [172.16.74.125-172.16.74.125:0-65535 0] -> [172.16.74.128-172.16.74.128:0-65535 0] {ESP=>0x92b79182 <0xf2abf307 xfrm=AES_GCM_16_128-NONE NATOA=none NATD=none DPD=passive}
It can be summarized as follows:
When A and B perform IKE handshakes with each other at the same time, A will hit "suppressing retransmit because IKE SA was superseded #3 try=1; drop this negotiation"; then the SA created before is deleted, and the corresponding PO is also deleted. However, when deleting the PO, one more PO (the correct outbound PO related to the correct SA) is mistakenly deleted, resulting in the failure of outgoing packets.
When I manually execute the following command to complement the PO, it works:
ip xfrm policy add src 10.8.174.130/32 dst 10.8.174.135/32 dir out priority 2801856 ptype main tmpl src 0.0.0.0 dst 0.0.0.0 proto esp mode transport reqid 16401
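A check for the one-directional kernel policy state described above, as an added example that is not part of this issue or of libreswan. It takes the text of `ip xfrm policy` (here a constructed sample shaped like the output pasted above; on a live host pass it `"$(ip xfrm policy)"` instead) and lists every reqid that has an inbound policy but no outbound one, which is exactly the symptom of the lost outbound PO. The reqid-0 trap policies are skipped, and the fwd direction is not counted because transport mode has none.

```shell
#!/bin/sh
# Added example: report IPsec reqids whose kernel policy exists only in the
# "in" direction. Not part of the libreswan project or of the issue above.
# Input is the text of `ip xfrm policy`; the sample below is constructed
# from the shape of the output pasted in the issue.

SAMPLE_POLICY='src 172.16.74.125/32 dst 172.16.74.128/32
    dir in priority 2801856 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16401 mode transport
src 172.16.74.128/32 dst 172.16.74.125/32
    dir out priority 3129279 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16405 mode transport
src 172.16.74.125/32 dst 172.16.74.128/32
    dir in priority 3129279 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16405 mode transport
src 172.16.74.128/32 dst 172.16.74.0/24
    dir out priority 2801856 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 0 mode transport'

# one_directional_reqids POLICY_TEXT
# Prints one line per reqid that has an "in" policy but no "out" policy.
# reqid 0 (trap / bare shunt policies) is ignored; "fwd" is not counted,
# because transport mode, as used in the issue, has no fwd direction.
one_directional_reqids() {
    printf '%s\n' "$1" | awk '
        /^src /               { src = $2; dst = $4 }
        /^[[:space:]]*dir /   { dir = $2 }
        /reqid [0-9]+/ {
            for (i = 1; i <= NF; i++) if ($i == "reqid") reqid = $(i + 1)
            if (reqid == "0") next
            seen[reqid, dir] = 1
            if (dir == "in") inflow[reqid] = src "->" dst
        }
        END {
            for (r in inflow)
                if (!seen[r, "out"])
                    print "reqid " r ": in policy " inflow[r] " present, out policy missing"
        }' | sort
}

# Stand-alone run on the constructed sample.
# On a host: one_directional_reqids "$(ip xfrm policy)"
one_directional_reqids "$SAMPLE_POLICY"
```

On the sample this reports reqid 16401 only, since reqid 16405 has both directions and reqid 0 is a trap policy. Run periodically (or from a health check) it flags the stuck state the issue describes before users notice dropped outbound traffic.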
On Wed, 12 Jul 2023, Benson666 wrote:
It can be summarized as follows:
When A and B perform IKE handshakes with each other at the same time, A will hit "suppressing retransmit because IKE SA was superseded #3 try=1; drop this negotiation"; then the SA created before is deleted, and the corresponding PO is also deleted. However, when deleting the PO, one more PO (the correct outbound PO related to the correct SA) is mistakenly deleted, resulting in the failure of outgoing packets.
When I manually execute the following command to complement the PO, it works:
ip xfrm policy add src 10.8.174.130/32 dst 10.8.174.135/32 dir out priority 2801856 ptype main tmpl src 0.0.0.0 dst 0.0.0.0 proto esp mode transport reqid 16401
Thanks for the summary. We will try to reproduce this.
PO == kernel policy; so:
- locally initiated #1/#2 and simultaneously received #3/#4; the latter established
- when cleaning up #2 it should realize that it no longer owns the policy; because it is OE the connection instance won't be shared, so looking at newest isn't sufficient
Would you have debug lines containing 'routing: ' from around when this happens?
Note that the policies all have ‘holes’ for UDP 500 and 4500, so xfrm policies will never prevent IKE communication.
do you know if this was working with 4.x?
in the above, on the first initiator, the failing outgoing and the successful incoming exchanges are assigned the same connection instance:
«suppressed message sending IKE_SA_INIT request»
"private#172.16.74.0/24"[1] ...172.16.74.125 #1: STATE_V2_PARENT_I1: retransmission; will wait 0.5 seconds for response
...
«suppressed message receiving IKE_SA_INIT request»
"private#172.16.74.0/24"[1] ...172.16.74.125 #3: processing decrypted IKE_AUTH request: SK{IDi,AUTH,SA,TSi,TSr,N(USE_TRANSPORT_MODE)}
in the test github-1188-lost-policy they assigned to different connection instances
in the above, the failing outgoing state is deleted by a retransmit timer after the child sa establishes; in the test, the failing state is deleted before the child sa is installed:
"private#192.1.2.0/24"[2] ...192.1.2.23 #2: responder established IKE SA; authenticated peer using authby=null and ID_NULL 'ID_NULL'
"private#192.1.2.0/24"[2] ...192.1.2.23 #2: did not find old ISAKMP state #0 to mark for suppressing delete
"private#192.1.2.0/24"[2] ...192.1.2.23 #2: did not find old IKE state #0 to mark for suppressing delete
"private#192.1.2.0/24"[1] ...192.1.2.23 #1: deleting IKE SA (PARENT_I1) aged 3.6319s and NOT sending notification
ERROR: "private#192.1.2.0/24"[1] ...192.1.2.23: kernel: xfrm XFRM_MSG_DELPOLICY delete response for flow (out): No such file or directory (errno 2)
"private#192.1.2.0/24"[2] ...192.1.2.23 #3: responder established Child SA using #2; IPsec tunnel [192.1.3.209-192.1.3.209:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0] {ESP/ESN=>0x6bef3df0 <0x5d9f7a2a xfrm=AES_GCM_16_256-NONE DPD=passive}
above is using authby=secret, github-1188-lost-policy isn't
@Benson666 can you try an updated mainline, let's say v4.9-2129-gca09f7fe34-main?
Testing the tag you used I see:
# wait for #1 to die
road #
../../guestbin/wait-for.sh --no-match '#1:' -- ipsec showstates
road #
../../guestbin/ipsec-kernel-policy.sh
src 192.1.3.209/32 dst 192.1.2.23/32
dir out action block priority 0 ptype main
tmpl src 0.0.0.0 dst 0.0.0.0
proto esp reqid 0 mode transport
src 192.1.2.23/32 dst 192.1.3.209/32
dir fwd priority PRIORITY ptype main
tmpl src 192.1.2.23 dst 192.1.3.209
proto esp reqid REQID mode tunnel
src 192.1.2.23/32 dst 192.1.3.209/32
dir in priority PRIORITY ptype main
tmpl src 192.1.2.23 dst 192.1.3.209
proto esp reqid REQID mode tunnel
src 192.1.3.209/32 dst 192.1.2.0/24
dir out priority PRIORITY ptype main
tmpl src 0.0.0.0 dst 0.0.0.0
proto esp reqid 0 mode transport
but with tip I see:
src 192.1.2.23/32 dst 192.1.3.209/32
dir fwd priority PRIORITY ptype main
tmpl src 192.1.2.23 dst 192.1.3.209
proto esp reqid REQID mode tunnel
src 192.1.2.23/32 dst 192.1.3.209/32
dir in priority PRIORITY ptype main
tmpl src 192.1.2.23 dst 192.1.3.209
proto esp reqid REQID mode tunnel
src 192.1.3.209/32 dst 192.1.2.23/32
dir out priority PRIORITY ptype main
tmpl src 192.1.3.209 dst 192.1.2.23
proto esp reqid REQID mode tunnel
src 192.1.3.209/32 dst 192.1.2.0/24
dir out priority PRIORITY ptype main
tmpl src 0.0.0.0 dst 0.0.0.0
proto esp reqid 0 mode transport