1
24.1 Legacy Series / Re: How to export Certs with legacy
« on: May 21, 2024, 09:48:14 am »
Anyone?
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages: [1] 2
2
24.1 Legacy Series / How to export Certs with legacy
« on: May 16, 2024, 02:17:52 pm »
Hello,
we run OPNsense 24.1.6 and we have to manually export the User-Certs with -legacy:
In order to be able to create a Mobileconfig with a Mac and import it with iOS.
Is there a GUI workaround for this?
Would it be possible to add a legaxy p12 export button?
Its kind of related to: https://github.com/opnsense/core/issues/7251
Thanks,
Michael
we run OPNsense 24.1.6 and we have to manually export the User-Certs with -legacy:
Code: [Select]
/usr/local/bin/openssl pkcs12 -export -legacy -in user.crt -inkey user.key -out User_legacy.p12In order to be able to create a Mobileconfig with a Mac and import it with iOS.
Is there a GUI workaround for this?
Would it be possible to add a legaxy p12 export button?
Its kind of related to: https://github.com/opnsense/core/issues/7251
Thanks,
Michael
3
24.1 Legacy Series / How to IPSec Route 0.0.0.0 without breaking the CARP
« on: April 18, 2024, 12:31:02 pm »
Hello,
a customers remote site wants to have 0.0.0.0 as remote net in IPSec.
However, if we set this, the Carp Traffic will follow that route, too.
Therefore my HA-Setup breaks becaue the HA Nodes do not reach each other any more.
How do you set up IPsec with a remote net 0.0.0.0 without breaking the local Carp Address?
Thanks,
Michael
a customers remote site wants to have 0.0.0.0 as remote net in IPSec.
However, if we set this, the Carp Traffic will follow that route, too.
Therefore my HA-Setup breaks becaue the HA Nodes do not reach each other any more.
How do you set up IPsec with a remote net 0.0.0.0 without breaking the local Carp Address?
Thanks,
Michael
4
22.7 Legacy Series / IPSec Port-Forward does not work
« on: September 29, 2022, 11:08:55 am »
Hello,
i have a Site-2-Site IPsec Tunnel and would like to provide access to a internal web server via HA Proxy.
I have set up a rule now:
Interface: IPSec
DST: 192.168.150.68:443
Redirect to: 127.0.0.1:8080
On 127.0.0.1:8080 i have my HA proxy running.
The NAT Rule automatically created the matching IPSec Firewall rule.
When i look at the traffic with:
tcpdump -i enc0 -n host 192.168.150.68
it seems "stuck":
i cant see any blocks, too:
grep 192.168.150.68 /var/log/filter/latest.log | grep block
If i set up that NAT rule on another interface, it seems to work.
Any hints?
i have a Site-2-Site IPsec Tunnel and would like to provide access to a internal web server via HA Proxy.
I have set up a rule now:
Interface: IPSec
DST: 192.168.150.68:443
Redirect to: 127.0.0.1:8080
On 127.0.0.1:8080 i have my HA proxy running.
The NAT Rule automatically created the matching IPSec Firewall rule.
When i look at the traffic with:
tcpdump -i enc0 -n host 192.168.150.68
it seems "stuck":
Code: [Select]
10:58:44.631140 (authentic,confidential): SPI 0xc7352ac4: IP 172.25.11.44.50861 > 192.168.150.68.443: Flags [S], seq 2307507940, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
10:58:52.382705 (authentic,confidential): SPI 0xc7352ac4: IP 172.25.11.44.50860 > 192.168.150.68.443: Flags [S], seq 2952205237, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
10:58:52.382737 (authentic,confidential): SPI 0xc7352ac4: IP 172.25.11.44.50859 > 192.168.150.68.443: Flags [S], seq 209436792, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
10:58:52.648383 (authentic,confidential): SPI 0xc7352ac4: IP 172.25.11.44.50861 > 192.168.150.68.443: Flags [S], seq 2307507940, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0i cant see any blocks, too:
grep 192.168.150.68 /var/log/filter/latest.log | grep block
If i set up that NAT rule on another interface, it seems to work.
Any hints?
5
22.7 Legacy Series / Port Forwards
« on: August 19, 2022, 10:48:58 am »
Hello,
why does a port forward from WAN to DMZ work, even if i dont have that DST ip assiged to my opnsense box.
The Arp Lookup shows the DST IP i forward has the mac 0000.5e00.0108
I can not find that mac address on my opnsense box.
Is this something special?
Cheers,
Michael
why does a port forward from WAN to DMZ work, even if i dont have that DST ip assiged to my opnsense box.
The Arp Lookup shows the DST IP i forward has the mac 0000.5e00.0108
I can not find that mac address on my opnsense box.
Is this something special?
Cheers,
Michael
6
22.1 Legacy Series / MutiWAN => ASync Routing problem
« on: May 27, 2022, 01:35:04 pm »
Hello,
i have a Firewall with two ISPs.
I would like to access the firewall any time on both WAN Interfaces.
Right now WAN2 is the default route, and if i ssh to the WAN1 IP it will route back via the default GW on WAN2 like this:
How can i opnsense make reply on the interface the SYN came in from?
Cheers,
Michael
i have a Firewall with two ISPs.
I would like to access the firewall any time on both WAN Interfaces.
Right now WAN2 is the default route, and if i ssh to the WAN1 IP it will route back via the default GW on WAN2 like this:
How can i opnsense make reply on the interface the SYN came in from?
Cheers,
Michael
7
Virtual private networks / Authenticate/Decrypt packet error: bad packet ID (may be a replay)
« on: April 14, 2022, 02:33:11 pm »
Hello,
from time to time i get flooded this in my Logs:
2022-04-14T07:28:28 Error openvpn Authenticate/Decrypt packet error:
bad packet ID (may be a replay): [ #93625413 / time = (1649776931)
2022-04-12 17:22:11 ] -- see the man page entry for --no-replay and
--replay-window for more info or silence this warning with
--mute-replay-warnings
Does that mean, that at Log time "2022-04-14T07:28:28" it received a
packet with a timestamp from "2022-04-12 17:22:11"?
I already set the same time server on both hosts.
I tried optimizing it with MTU and MSSFIX but when reading the error
closely a time diff would make more sense?
Cheers,
Michael
from time to time i get flooded this in my Logs:
2022-04-14T07:28:28 Error openvpn Authenticate/Decrypt packet error:
bad packet ID (may be a replay): [ #93625413 / time = (1649776931)
2022-04-12 17:22:11 ] -- see the man page entry for --no-replay and
--replay-window for more info or silence this warning with
--mute-replay-warnings
Does that mean, that at Log time "2022-04-14T07:28:28" it received a
packet with a timestamp from "2022-04-12 17:22:11"?
I already set the same time server on both hosts.
I tried optimizing it with MTU and MSSFIX but when reading the error
closely a time diff would make more sense?
Cheers,
Michael
8
22.1 Legacy Series / OpenVPN + OTP - TLS Error: local/remote TLS keys are out of sync
« on: March 31, 2022, 09:13:09 am »
Hello,
after adding OTP to our OpenVPN Server we get errors like:
TLS Error: local/remote TLS keys are out of sync
and the VPN Stopps/Disconnects after 1h. This happens just for a few but not all users.
I already checked the Time on the OPNSense and Client system. I also set "reneg-sec 0" on the Server.
Any other ideas why OTP would cause this problem?
Cheers,
Mario
after adding OTP to our OpenVPN Server we get errors like:
TLS Error: local/remote TLS keys are out of sync
and the VPN Stopps/Disconnects after 1h. This happens just for a few but not all users.
I already checked the Time on the OPNSense and Client system. I also set "reneg-sec 0" on the Server.
Any other ideas why OTP would cause this problem?
Cheers,
Mario
9
22.1 Legacy Series / ipsec INVALID_MAJOR_VERSION
« on: March 17, 2022, 01:57:03 pm »
Hello,
since about yesterday i get those errors in my logs:
And the traffic of the tunnel seems to stop.
Any idea how i can fix that? The Remote Side has a Sophos UTM and claims not to have/see any errors.
My Last Update was done more that one day ago ( i guess last week).
Any hints on this?
I also wonder why i get two subnet tunnels here. One Installed, and one rekeying:
Cheers,
Mario
since about yesterday i get those errors in my logs:
Code: [Select]
charon 53061 - [meta sequenceId="4143"] 03[NET] received unsupported IKE version 11.9 from 212.185.79.66, sending INVALID_MAJOR_VERSION
charon 53061 - [meta sequenceId="4148"] 03[NET] received unsupported IKE version 3.5 from 212.185.79.66, sending INVALID_MAJOR_VERSION
charon 53061 - [meta sequenceId="4152"] 03[NET] received unsupported IKE version 0.13 from 212.185.79.66, sending INVALID_MAJOR_VERSION
And the traffic of the tunnel seems to stop.
Any idea how i can fix that? The Remote Side has a Sophos UTM and claims not to have/see any errors.
My Last Update was done more that one day ago ( i guess last week).
Any hints on this?
I also wonder why i get two subnet tunnels here. One Installed, and one rekeying:
Cheers,
Mario
10
21.7 Legacy Series / MutiWAN and Reset States
« on: December 01, 2021, 02:35:24 pm »
Hello,
we are using MultiWAN with 2 Uplinks with:
- Gateway switching (Allow default gateway switching => enabled)
- Kill States ( Disable State Killing on Gateway Failure => not ticked)
- Sticky Connections ( Use sticky connections => not ticked)
On top of that i run a OpenVPN Client Connection (TCP)
When i produce the active Gateway failure, the Gateway swichting jumps in, the OpenVPN Tunnel times out and the takeover is fine. It also seems to do a TCP States Reset since my SSH Tunnel/Access dies.
HOWEVER: If i switch back on the Gateway the Active Gateway switches back to the main one again, BUT the TCP States does not get killed.
The SSH Session is still active. Not states Reset seem to happen.
If i kill the ESTABLISHED connection in the "States Dump" GUI then it will start to connect via the active/correct gateway.
So wonder if:
-if i set up something wrong?
- the state reset just happens by design on the 1st failover
- the state reset function is a bug and should be triggered when jumping back to the primary interface
Thanks,
Michael
we are using MultiWAN with 2 Uplinks with:
- Gateway switching (Allow default gateway switching => enabled)
- Kill States ( Disable State Killing on Gateway Failure => not ticked)
- Sticky Connections ( Use sticky connections => not ticked)
On top of that i run a OpenVPN Client Connection (TCP)
When i produce the active Gateway failure, the Gateway swichting jumps in, the OpenVPN Tunnel times out and the takeover is fine. It also seems to do a TCP States Reset since my SSH Tunnel/Access dies.
HOWEVER: If i switch back on the Gateway the Active Gateway switches back to the main one again, BUT the TCP States does not get killed.
The SSH Session is still active. Not states Reset seem to happen.
If i kill the ESTABLISHED connection in the "States Dump" GUI then it will start to connect via the active/correct gateway.
So wonder if:
-if i set up something wrong?
- the state reset just happens by design on the 1st failover
- the state reset function is a bug and should be triggered when jumping back to the primary interface
Thanks,
Michael
12
21.7 Legacy Series / OpenVPN bridge
« on: July 28, 2021, 05:08:41 pm »
Hello,
i would like to set up a briged openvpn tunnel.
1.) I created a Bridge (LAN + OpenVPN Interface).
2.) I set the OpenVPN Tunnel to tap
3.) "Bridge Interface" is my LAN Port
However the ARP/Broadcast traffic does not seem to reach the vpn interface.
I can see it it on the LAN and Bridge though.
Any ideas why it wont slip into the tunnel?
Cheers,
Mario
i would like to set up a briged openvpn tunnel.
1.) I created a Bridge (LAN + OpenVPN Interface).
2.) I set the OpenVPN Tunnel to tap
3.) "Bridge Interface" is my LAN Port
However the ARP/Broadcast traffic does not seem to reach the vpn interface.
I can see it it on the LAN and Bridge though.
Any ideas why it wont slip into the tunnel?
Cheers,
Mario
13
21.1 Legacy Series / Re: No Logs for 503 HA-Proxy errors
« on: June 24, 2021, 09:24:35 am »
thanks fabian.
verify error:num=10:certificate has expired
notAfter=Jun 10 04:43:13 2021 GMT
But why wont it log it in the ha logs?
verify error:num=10:certificate has expired
notAfter=Jun 10 04:43:13 2021 GMT
But why wont it log it in the ha logs?
14
21.1 Legacy Series / No Logs for 503 HA-Proxy errors
« on: June 23, 2021, 04:01:26 pm »
Hello,
i use HA-Proxy and it returns a 503 Page.
I enabled " Detailed Logging " in the Public Services.
All i can see are those start logs:
2021-06-23T15:55:08 haproxy[12619] Proxy load_balancing_portal_foo_net_Port_443 started.
2021-06-23T15:55:08 haproxy[12619] Proxy portal.foo.net_ht-access_8443 started.
Why wont it log my requests/errors?
I also disabled the Service which gave me a timeout, so i guess i actually access/use/hit the HAProxy Service.
Cheers,
Michael
i use HA-Proxy and it returns a 503 Page.
I enabled " Detailed Logging " in the Public Services.
All i can see are those start logs:
2021-06-23T15:55:08 haproxy[12619] Proxy load_balancing_portal_foo_net_Port_443 started.
2021-06-23T15:55:08 haproxy[12619] Proxy portal.foo.net_ht-access_8443 started.
Why wont it log my requests/errors?
I also disabled the Service which gave me a timeout, so i guess i actually access/use/hit the HAProxy Service.
Cheers,
Michael
15
Virtual private networks / IPSec Tunnel to Cisco is unstable
« on: April 27, 2021, 08:45:11 am »
Hello,
my tunnel to a remite Site (Cisco i think) is unstable. Here is some tcpdump snippets:
22:20:48.323405 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cc5), length 152
22:20:48.323421 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cc6), length 152
22:20:48.323437 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cc7), length 152
22:20:48.323470 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cc8), length 152
22:20:48.323487 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cc9), length 152
22:20:48.833110 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cca), length 104
22:20:50.682362 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4ccb), length 88
22:20:51.127368 IP RemoteSite.500 > MySite.500: isakmp: parent_sa ikev2_init
22:20:51.833354 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4ccc), length 104
22:20:53.689542 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4ccd), length 104
22:20:54.134106 IP RemoteSite.500 > MySite.500: isakmp: parent_sa ikev2_init
22:20:54.802874 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cce), length 104
22:20:56.688672 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4ccf), length 104
22:20:56.716580 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cd0), length 104
22:20:57.803060 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cd1), length 104
22:20:57.834224 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cd2), length 104
On my Site the Tunnel seems to be up, looking at the tcpdump the remote side seems to reconnect?
The Lifetimes/Timeouts match on each side.
I already changed the "Connection method" to respond only.
Here are the settings:
Here are the logs:
2021-04-26T22:22:14 charon[40039] 15[IKE] <con2|17> IKE_SA con2[17] established between MySite[MySite]...RemoteSite[RemoteSite]
2021-04-26T22:22:14 charon[40039] 15[IKE] <con2|15> destroying duplicate IKE_SA for peer 'RemoteSite', received INITIAL_CONTACT
2021-04-26T22:22:14 charon[40039] 15[IKE] <con2|17> authentication of 'MySite' (myself) with pre-shared key
2021-04-26T22:22:14 charon[40039] 15[IKE] <con2|17> authentication of 'RemoteSite' with pre-shared key successful
2021-04-26T22:22:14 charon[40039] 15[CFG] <con2|17> selected peer config 'con2'
2021-04-26T22:22:11 charon[40039] 15[NET] <con2|15> sending packet: from MySite[500] to RemoteSite[500] (80 bytes)
2021-04-26T22:22:11 charon[40039] 15[ENC] <con2|15> generating INFORMATIONAL request 0 [ D ]
2021-04-26T22:22:11 charon[40039] 15[IKE] <con2|15> sending DELETE for IKE_SA con2[15]
2021-04-26T22:22:11 charon[40039] 15[IKE] <con2|15> deleting IKE_SA con2[15] between MySite[MySite]...RemoteSite[RemoteSite]
2021-04-26T22:22:11 charon[40039] 09[CFG] received stroke: terminate 'con2'
2021-04-26T20:49:19 charon[40039] 05[NET] <con2|15> sending packet: from MySite[500] to RemoteSite[500] (240 bytes)
2021-04-26T20:49:19 charon[40039] 05[ENC] <con2|15> generating IKE_AUTH response 1 [ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) ]
2021-04-26T20:49:19 charon[40039] 05[IKE] <con2|15> CHILD_SA con2{21} established with SPIs c0d2b134_i da1200e6_o and TS 172.18.161.0/24 === 10.228.16.0/21
2021-04-26T20:49:19 charon[40039] 05[CFG] <con2|15> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
2021-04-26T20:49:19 charon[40039] 05[IKE] <con2|15> maximum IKE_SA lifetime 86020s
2021-04-26T20:49:19 charon[40039] 05[IKE] <con2|15> scheduling reauthentication in 85480s
2021-04-26T20:49:19 charon[40039] 05[IKE] <con2|15> IKE_SA con2[15] established between MySite[MySite]...RemoteSite[RemoteSite]
2021-04-26T20:49:19 charon[40039] 05[IKE] <con2|1> destroying duplicate IKE_SA for peer 'RemoteSite', received INITIAL_CONTACT
2021-04-26T20:49:19 charon[40039] 05[IKE] <con2|15> authentication of 'MySite' (myself) with pre-shared key
2021-04-26T20:49:19 charon[40039] 05[IKE] <con2|15> authentication of 'RemoteSite' with pre-shared key successful
2021-04-26T20:49:19 charon[40039] 05[CFG] <con2|15> selected peer config 'con2'
2021-04-26T20:49:14 charon[40039] 05[NET] <con2|1> sending packet: from MySite[500] to RemoteSite[500] (496 bytes)
2021-04-26T20:49:14 charon[40039] 05[IKE] <con2|1> retransmit 1 of request with message ID 8
2021-04-26T20:49:10 charon[40039] 05[NET] <con2|1> sending packet: from MySite[500] to RemoteSite[500] (496 bytes)
2021-04-26T20:49:10 charon[40039] 05[ENC] <con2|1> generating CREATE_CHILD_SA request 8 [ N(REKEY_SA) N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
2021-04-26T20:49:10 charon[40039] 05[IKE] <con2|1> establishing CHILD_SA con2{20} reqid 2
2021-04-26T19:06:37 charon[40039] 10[IKE] <con2|1> CHILD_SA closed
my tunnel to a remite Site (Cisco i think) is unstable. Here is some tcpdump snippets:
22:20:48.323405 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cc5), length 152
22:20:48.323421 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cc6), length 152
22:20:48.323437 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cc7), length 152
22:20:48.323470 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cc8), length 152
22:20:48.323487 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cc9), length 152
22:20:48.833110 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cca), length 104
22:20:50.682362 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4ccb), length 88
22:20:51.127368 IP RemoteSite.500 > MySite.500: isakmp: parent_sa ikev2_init
22:20:51.833354 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4ccc), length 104
22:20:53.689542 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4ccd), length 104
22:20:54.134106 IP RemoteSite.500 > MySite.500: isakmp: parent_sa ikev2_init
22:20:54.802874 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cce), length 104
22:20:56.688672 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4ccf), length 104
22:20:56.716580 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cd0), length 104
22:20:57.803060 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cd1), length 104
22:20:57.834224 IP MySite > RemoteSite: ESP(spi=0xda1200e6,seq=0x4cd2), length 104
On my Site the Tunnel seems to be up, looking at the tcpdump the remote side seems to reconnect?
The Lifetimes/Timeouts match on each side.
I already changed the "Connection method" to respond only.
Here are the settings:
Here are the logs:
2021-04-26T22:22:14 charon[40039] 15[IKE] <con2|17> IKE_SA con2[17] established between MySite[MySite]...RemoteSite[RemoteSite]
2021-04-26T22:22:14 charon[40039] 15[IKE] <con2|15> destroying duplicate IKE_SA for peer 'RemoteSite', received INITIAL_CONTACT
2021-04-26T22:22:14 charon[40039] 15[IKE] <con2|17> authentication of 'MySite' (myself) with pre-shared key
2021-04-26T22:22:14 charon[40039] 15[IKE] <con2|17> authentication of 'RemoteSite' with pre-shared key successful
2021-04-26T22:22:14 charon[40039] 15[CFG] <con2|17> selected peer config 'con2'
2021-04-26T22:22:11 charon[40039] 15[NET] <con2|15> sending packet: from MySite[500] to RemoteSite[500] (80 bytes)
2021-04-26T22:22:11 charon[40039] 15[ENC] <con2|15> generating INFORMATIONAL request 0 [ D ]
2021-04-26T22:22:11 charon[40039] 15[IKE] <con2|15> sending DELETE for IKE_SA con2[15]
2021-04-26T22:22:11 charon[40039] 15[IKE] <con2|15> deleting IKE_SA con2[15] between MySite[MySite]...RemoteSite[RemoteSite]
2021-04-26T22:22:11 charon[40039] 09[CFG] received stroke: terminate 'con2'
2021-04-26T20:49:19 charon[40039] 05[NET] <con2|15> sending packet: from MySite[500] to RemoteSite[500] (240 bytes)
2021-04-26T20:49:19 charon[40039] 05[ENC] <con2|15> generating IKE_AUTH response 1 [ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) ]
2021-04-26T20:49:19 charon[40039] 05[IKE] <con2|15> CHILD_SA con2{21} established with SPIs c0d2b134_i da1200e6_o and TS 172.18.161.0/24 === 10.228.16.0/21
2021-04-26T20:49:19 charon[40039] 05[CFG] <con2|15> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
2021-04-26T20:49:19 charon[40039] 05[IKE] <con2|15> maximum IKE_SA lifetime 86020s
2021-04-26T20:49:19 charon[40039] 05[IKE] <con2|15> scheduling reauthentication in 85480s
2021-04-26T20:49:19 charon[40039] 05[IKE] <con2|15> IKE_SA con2[15] established between MySite[MySite]...RemoteSite[RemoteSite]
2021-04-26T20:49:19 charon[40039] 05[IKE] <con2|1> destroying duplicate IKE_SA for peer 'RemoteSite', received INITIAL_CONTACT
2021-04-26T20:49:19 charon[40039] 05[IKE] <con2|15> authentication of 'MySite' (myself) with pre-shared key
2021-04-26T20:49:19 charon[40039] 05[IKE] <con2|15> authentication of 'RemoteSite' with pre-shared key successful
2021-04-26T20:49:19 charon[40039] 05[CFG] <con2|15> selected peer config 'con2'
2021-04-26T20:49:14 charon[40039] 05[NET] <con2|1> sending packet: from MySite[500] to RemoteSite[500] (496 bytes)
2021-04-26T20:49:14 charon[40039] 05[IKE] <con2|1> retransmit 1 of request with message ID 8
2021-04-26T20:49:10 charon[40039] 05[NET] <con2|1> sending packet: from MySite[500] to RemoteSite[500] (496 bytes)
2021-04-26T20:49:10 charon[40039] 05[ENC] <con2|1> generating CREATE_CHILD_SA request 8 [ N(REKEY_SA) N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
2021-04-26T20:49:10 charon[40039] 05[IKE] <con2|1> establishing CHILD_SA con2{20} reqid 2
2021-04-26T19:06:37 charon[40039] 10[IKE] <con2|1> CHILD_SA closed
Pages: [1] 2