@sdev Will it not create a full mesh? For example:
10.10.10.0/24 <--> 192.168.10.0/24
10.10.20.0/24 <--> 192.168.20.0/24
It will also set up IPsec for 10.10.10.0/24 <--> 192.168.20.0/24 and 10.10.20.0/24 <--> 192.168.10.0/24, which may not be desired.
All Stories
Jun 10 2021
@Viacheslav Can be similar to policy-based ipsec
# set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1
Possible completions:
  allow-nat-networks     Option to allow NAT networks
  allow-public-networks  Option to allow public networks
  disable                Option to disable vpn tunnel
  esp-group              ESP group name
> local                  Local parameters for interesting traffic
  protocol               Protocol to encrypt
> remote                 Remote parameters for interesting traffic
@krox2 How should a configuration with many local/remote traffic selectors per one VTI interface look?
Already backported: ff7b2b0e62510ef8de28c9c4bfa34badeabec775
no_tag_node_value_mangle=True does not exist on VyOS 1.3, thus a backport is currently not possible. @jestabro can we backport this?
@Viacheslav This is confirmed fixed, I'm guessing it got fixed during the period between reporting it and now.
Again, the problem is not the time it takes to commit, but the time it takes to set. I will try reproducing it again and see if I can come up with an easier way. I would suggest trying to add the BGP config, prefix lists and route-maps without the export route-map applied, then commit, then try applying the export route-maps.
Should be fixed with commit https://github.com/vyos/vyos-build/commit/7905f0d5715bb8da158d09734ba78dc28b2fd4e1
I can't reproduce it, VyOS 1.3-beta-202106081558
set policy prefix-list FOO rule 10 action 'permit'
set policy prefix-list FOO rule 10 prefix '0.0.0.0/0'
set policy route-map FOO rule 10 action 'permit'
set policy route-map FOO rule 10 match ip address prefix-list 'FOO'
set policy route-map FOO rule 10 set distance '220'
set policy route-map FOO rule 1000 action 'permit'
Commit with such policies:
[email protected]# time commit
FRR appears to have no problems processing this extremely quickly:
vyos@cr01b-vyos# time vtysh -c "conf t" -c "router bgp 4242420670" -c "address-family ipv4 unicast" -c "neighbor BACKBONE route-map BGP-BACKBONE-OUT out"
Jun 9 2021
Here's the complete BGP policy config, since the route-maps include prefix-lists, AS paths, and large communities:
set policy prefix-list BGP-REDISTRIBUTE rule 10 action 'deny'
set policy prefix-list BGP-REDISTRIBUTE rule 10 description 'Block WDC07 peering'
set policy prefix-list BGP-REDISTRIBUTE rule 10 prefix '192.168.63.0/28'
set policy prefix-list BGP-REDISTRIBUTE rule 20 action 'permit'
set policy prefix-list BGP-REDISTRIBUTE rule 20 description 'Allow SL WDC07'
set policy prefix-list BGP-REDISTRIBUTE rule 20 ge '23'
set policy prefix-list BGP-REDISTRIBUTE rule 20 prefix '192.168.48.0/20'
set policy prefix-list BGP-REDISTRIBUTE rule 30 action 'permit'
set policy prefix-list BGP-REDISTRIBUTE rule 30 description 'Allow SL services'
set policy prefix-list BGP-REDISTRIBUTE rule 30 prefix '10.0.0.0/8'
set policy prefix-list BGP-REDISTRIBUTE rule 40 action 'permit'
set policy prefix-list BGP-REDISTRIBUTE rule 40 description 'Allow SL services'
set policy prefix-list BGP-REDISTRIBUTE rule 40 ge '9'
set policy prefix-list BGP-REDISTRIBUTE rule 40 prefix '10.0.0.0/8'
set policy prefix-list BGP-BACKBONE-DAL13 rule 10 action 'permit'
set policy prefix-list BGP-BACKBONE-DAL13 rule 10 description 'Allow DAL13'
set policy prefix-list BGP-BACKBONE-DAL13 rule 10 ge '23'
set policy prefix-list BGP-BACKBONE-DAL13 rule 10 prefix '192.168.16.0/20'
set policy prefix-list BGP-BACKBONE-IN description 'Inbound backbone routes from other sites'
set policy prefix-list BGP-BACKBONE-IN rule 10 action 'deny'
set policy prefix-list BGP-BACKBONE-IN rule 10 description 'Block default route'
set policy prefix-list BGP-BACKBONE-IN rule 10 prefix '0.0.0.0/0'
set policy prefix-list BGP-BACKBONE-IN rule 20 action 'deny'
set policy prefix-list BGP-BACKBONE-IN rule 20 description 'Block WDC07 primary'
set policy prefix-list BGP-BACKBONE-IN rule 20 ge '21'
set policy prefix-list BGP-BACKBONE-IN rule 20 prefix '192.168.48.0/20'
set policy prefix-list BGP-BACKBONE-IN rule 30 action 'deny'
set policy prefix-list BGP-BACKBONE-IN rule 30 description 'Block loopbacks'
set policy prefix-list BGP-BACKBONE-IN rule 30 ge '25'
set policy prefix-list BGP-BACKBONE-IN rule 30 prefix '192.168.253.0/24'
set policy prefix-list BGP-BACKBONE-IN rule 40 action 'deny'
set policy prefix-list BGP-BACKBONE-IN rule 40 description 'Block backbone peering'
set policy prefix-list BGP-BACKBONE-IN rule 40 ge '25'
set policy prefix-list BGP-BACKBONE-IN rule 40 prefix '192.168.254.0/24'
set policy prefix-list BGP-BACKBONE-IN rule 999 action 'permit'
set policy prefix-list BGP-BACKBONE-IN rule 999 description 'Allow everything else'
set policy prefix-list BGP-BACKBONE-IN rule 999 ge '1'
set policy prefix-list BGP-BACKBONE-IN rule 999 prefix '0.0.0.0/0'
set policy prefix-list BGP-BACKBONE-INT rule 10 action 'permit'
set policy prefix-list BGP-BACKBONE-INT rule 10 description 'Allow int'
set policy prefix-list BGP-BACKBONE-INT rule 10 ge '23'
set policy prefix-list BGP-BACKBONE-INT rule 10 prefix '192.168.0.0/20'
set policy prefix-list6 BGP-BACKBONE-DAL13-V6 rule 10 action 'permit'
set policy prefix-list6 BGP-BACKBONE-DAL13-V6 rule 10 description 'Allow DAL13'
set policy prefix-list6 BGP-BACKBONE-DAL13-V6 rule 10 ge '64'
set policy prefix-list6 BGP-BACKBONE-DAL13-V6 rule 10 prefix 'fd52:d62e:8011:1000::/52'
set policy prefix-list6 BGP-BACKBONE-IN-V6 description 'Inbound backbone routes from other sites'
set policy prefix-list6 BGP-BACKBONE-IN-V6 rule 10 action 'deny'
set policy prefix-list6 BGP-BACKBONE-IN-V6 rule 10 description 'Block default route'
set policy prefix-list6 BGP-BACKBONE-IN-V6 rule 10 prefix '::/0'
set policy prefix-list6 BGP-BACKBONE-IN-V6 rule 20 action 'deny'
set policy prefix-list6 BGP-BACKBONE-IN-V6 rule 20 description 'Block WDC07 primary'
set policy prefix-list6 BGP-BACKBONE-IN-V6 rule 20 ge '53'
set policy prefix-list6 BGP-BACKBONE-IN-V6 rule 20 prefix 'fd52:d62e:8011:2000::/52'
set policy prefix-list6 BGP-BACKBONE-IN-V6 rule 30 action 'deny'
set policy prefix-list6 BGP-BACKBONE-IN-V6 rule 30 description 'Block peering and stuff'
set policy prefix-list6 BGP-BACKBONE-IN-V6 rule 30 ge '53'
set policy prefix-list6 BGP-BACKBONE-IN-V6 rule 30 prefix 'fd52:d62e:8011:f000::/52'
set policy prefix-list6 BGP-BACKBONE-IN-V6 rule 999 action 'permit'
set policy prefix-list6 BGP-BACKBONE-IN-V6 rule 999 description 'Allow everything else'
set policy prefix-list6 BGP-BACKBONE-IN-V6 rule 999 ge '1'
set policy prefix-list6 BGP-BACKBONE-IN-V6 rule 999 prefix '::/0'
set policy prefix-list6 BGP-BACKBONE-INT-V6 rule 10 action 'permit'
set policy prefix-list6 BGP-BACKBONE-INT-V6 rule 10 description 'Allow int'
set policy prefix-list6 BGP-BACKBONE-INT-V6 rule 10 ge '64'
set policy prefix-list6 BGP-BACKBONE-INT-V6 rule 10 prefix 'fd52:d62e:8011::/52'
set policy prefix-list6 BGP-REDISTRIBUTE-V6 rule 10 action 'deny'
set policy prefix-list6 BGP-REDISTRIBUTE-V6 rule 10 description 'Block WDC07 peering'
set policy prefix-list6 BGP-REDISTRIBUTE-V6 rule 10 prefix 'fd52:d62e:8011:23e3::/64'
set policy prefix-list6 BGP-REDISTRIBUTE-V6 rule 20 action 'permit'
set policy prefix-list6 BGP-REDISTRIBUTE-V6 rule 20 description 'Allow WDC07'
set policy prefix-list6 BGP-REDISTRIBUTE-V6 rule 20 ge '64'
set policy prefix-list6 BGP-REDISTRIBUTE-V6 rule 20 prefix 'fd52:d62e:8011:2000::/52'
set policy route-map BGP-REDISTRIBUTE rule 10 action 'permit'
set policy route-map BGP-REDISTRIBUTE rule 10 description 'Allow WDC07 and services IPv4'
set policy route-map BGP-REDISTRIBUTE rule 10 match ip address prefix-list 'BGP-REDISTRIBUTE'
set policy route-map BGP-REDISTRIBUTE rule 10 set origin 'igp'
set policy route-map BGP-REDISTRIBUTE rule 20 action 'permit'
set policy route-map BGP-REDISTRIBUTE rule 20 description 'Allow WDC07 and services IPv6'
set policy route-map BGP-REDISTRIBUTE rule 20 match ipv6 address prefix-list 'BGP-REDISTRIBUTE-V6'
set policy route-map BGP-REDISTRIBUTE rule 20 set origin 'igp'
set policy route-map BGP-BACKBONE-IN rule 10 action 'permit'
set policy route-map BGP-BACKBONE-IN rule 10 match ip address prefix-list 'BGP-BACKBONE-IN'
set policy route-map BGP-BACKBONE-IN rule 20 action 'permit'
set policy route-map BGP-BACKBONE-IN rule 20 match ipv6 address prefix-list 'BGP-BACKBONE-IN-V6'
set policy route-map BGP-BACKBONE-IN rule 30 action 'permit'
set policy route-map BGP-BACKBONE-IN rule 30 match large-community large-community-list 'ANYCAST_ALL'
set policy route-map BGP-BACKBONE-OUT rule 10 action 'permit'
set policy route-map BGP-BACKBONE-OUT rule 10 match large-community large-community-list 'ANYCAST_WDC07'
set policy route-map BGP-BACKBONE-OUT rule 10 set metric '+100'
set policy route-map BGP-BACKBONE-OUT rule 20 action 'permit'
set policy route-map BGP-BACKBONE-OUT rule 20 match as-path 'INT'
set policy route-map BGP-BACKBONE-OUT rule 20 match ip address prefix-list 'BGP-BACKBONE-INT'
set policy route-map BGP-BACKBONE-OUT rule 20 set metric '+100'
set policy route-map BGP-BACKBONE-OUT rule 30 action 'permit'
set policy route-map BGP-BACKBONE-OUT rule 30 match as-path 'INT'
set policy route-map BGP-BACKBONE-OUT rule 30 match ipv6 address prefix-list 'BGP-BACKBONE-INT-V6'
set policy route-map BGP-BACKBONE-OUT rule 30 set metric '+100'
set policy route-map BGP-BACKBONE-OUT rule 40 action 'permit'
set policy route-map BGP-BACKBONE-OUT rule 40 match as-path 'DAL13'
set policy route-map BGP-BACKBONE-OUT rule 40 match ip address prefix-list 'BGP-BACKBONE-DAL13'
set policy route-map BGP-BACKBONE-OUT rule 40 set metric '+100'
set policy route-map BGP-BACKBONE-OUT rule 50 action 'permit'
set policy route-map BGP-BACKBONE-OUT rule 50 match as-path 'DAL13'
set policy route-map BGP-BACKBONE-OUT rule 50 match ipv6 address prefix-list 'BGP-BACKBONE-DAL13-V6'
set policy route-map BGP-BACKBONE-OUT rule 50 set metric '+100'
set policy route-map BGP-BACKBONE-OUT rule 999 action 'permit'
set policy route-map BGP-BACKBONE-OUT rule 999 call 'BGP-REDISTRIBUTE'
set policy route-map BGP-BACKBONE-OUT rule 999 description 'Allow redistributed routes'
set policy as-path-list DAL13 rule 10 action 'permit'
set policy as-path-list DAL13 rule 10 description 'Alow anything from or via DAL13'
set policy as-path-list DAL13 rule 10 regex '.*4242420668.*'
set policy as-path-list INT rule 10 action 'permit'
set policy as-path-list INT rule 10 description 'Allow anything from or via int'
set policy as-path-list INT rule 10 regex '.*4242420666.*'
set policy large-community-list ANYCAST_ALL rule 10 action 'permit'
set policy large-community-list ANYCAST_ALL rule 10 description 'Allow all anycast from anywhere'
set policy large-community-list ANYCAST_ALL rule 10 regex '4242420696:100:.*'
set policy large-community-list ANYCAST_WDC07 rule 10 action 'permit'
set policy large-community-list ANYCAST_WDC07 rule 10 description 'Allow all anycast from wdc07'
set policy large-community-list ANYCAST_WDC07 rule 10 regex '4242420696:100:3'
@n.fort You can try to replace True with False there (1.3 and 1.4). But it needs more tests. In some cases there were bugs with the DHCP server and not with the primary address.
https://github.com/vyos/vyos-1x/blob/5d068442cf7b1863724c83168176ce2940a023fe/src/conf_mode/dhcp_server.py#L237
It may be a problem with large prefix-lists, see T2425.
I'm wondering if perhaps it's my prefix lists or route-maps maybe? I can upload those in a bit once I test how fast / slow it is in frr.
Try to check the same directly in the FRR.
VyOS 1.3-beta-202106081558
Works as expected.
Jun 9 19:57:38 r4-1 charon: 13[CFG] no IKE_SA named 'peer-192.0.2.2-tunnel-0' found
Jun 9 19:57:38 r4-1 charon: 14[CFG] received stroke: initiate 'peer-192.0.2.2-tunnel-0'
Jun 9 19:57:38 r4-1 charon: 06[IKE] <peer-192.0.2.2-tunnel-0|4> initiating Main Mode IKE_SA peer-192.0.2.2-tunnel-0[4] to 192.0.2.2
Jun 9 19:57:38 r4-1 charon: 06[ENC] <peer-192.0.2.2-tunnel-0|4> generating ID_PROT request 0 [ SA V V V V V ]
Jun 9 19:57:38 r4-1 charon: 06[NET] <peer-192.0.2.2-tunnel-0|4> sending packet: from 192.0.2.1[500] to 192.0.2.2[500] (180 bytes)
Jun 9 19:57:38 r4-1 charon: 07[NET] <peer-192.0.2.2-tunnel-0|4> received packet: from 192.0.2.2[500] to 192.0.2.1[500] (160 bytes)
Jun 9 19:57:38 r4-1 charon: 07[ENC] <peer-192.0.2.2-tunnel-0|4> parsed ID_PROT response 0 [ SA V V V V ]
Jun 9 19:57:38 r4-1 charon: 07[IKE] <peer-192.0.2.2-tunnel-0|4> received XAuth vendor ID
Jun 9 19:57:38 r4-1 charon: 07[IKE] <peer-192.0.2.2-tunnel-0|4> received DPD vendor ID
Jun 9 19:57:38 r4-1 charon: 07[IKE] <peer-192.0.2.2-tunnel-0|4> received FRAGMENTATION vendor ID
Jun 9 19:57:38 r4-1 charon: 07[IKE] <peer-192.0.2.2-tunnel-0|4> received NAT-T (RFC 3947) vendor ID
Jun 9 19:57:38 r4-1 charon: 07[CFG] <peer-192.0.2.2-tunnel-0|4> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jun 9 19:57:38 r4-1 charon: 07[ENC] <peer-192.0.2.2-tunnel-0|4> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jun 9 19:57:38 r4-1 charon: 07[NET] <peer-192.0.2.2-tunnel-0|4> sending packet: from 192.0.2.1[500] to 192.0.2.2[500] (244 bytes)
Jun 9 19:57:38 r4-1 charon: 05[NET] <peer-192.0.2.2-tunnel-0|4> received packet: from 192.0.2.2[500] to 192.0.2.1[500] (244 bytes)
Jun 9 19:57:38 r4-1 charon: 05[ENC] <peer-192.0.2.2-tunnel-0|4> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Jun 9 19:57:38 r4-1 charon: 05[ENC] <peer-192.0.2.2-tunnel-0|4> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Jun 9 19:57:38 r4-1 charon: 05[NET] <peer-192.0.2.2-tunnel-0|4> sending packet: from 192.0.2.1[500] to 192.0.2.2[500] (108 bytes)
Jun 9 19:57:38 r4-1 charon: 08[NET] <peer-192.0.2.2-tunnel-0|4> received packet: from 192.0.2.2[500] to 192.0.2.1[500] (76 bytes)
Jun 9 19:57:38 r4-1 charon: 08[ENC] <peer-192.0.2.2-tunnel-0|4> parsed ID_PROT response 0 [ ID HASH ]
Jun 9 19:57:38 r4-1 charon: 08[IKE] <peer-192.0.2.2-tunnel-0|4> IKE_SA peer-192.0.2.2-tunnel-0[4] established between 192.0.2.1[192.0.2.1]...192.0.2.2[192.0.2.2]
Jun 9 19:57:38 r4-1 charon: 08[IKE] <peer-192.0.2.2-tunnel-0|4> scheduling reauthentication in 2524s
Jun 9 19:57:38 r4-1 charon: 08[IKE] <peer-192.0.2.2-tunnel-0|4> maximum IKE_SA lifetime 3064s
Jun 9 19:57:38 r4-1 charon: 08[ENC] <peer-192.0.2.2-tunnel-0|4> generating QUICK_MODE request 364019988 [ HASH SA No KE ID ID ]
Jun 9 19:57:38 r4-1 charon: 08[NET] <peer-192.0.2.2-tunnel-0|4> sending packet: from 192.0.2.1[500] to 192.0.2.2[500] (316 bytes)
Jun 9 19:57:38 r4-1 charon: 09[NET] <peer-192.0.2.2-tunnel-0|4> received packet: from 192.0.2.2[500] to 192.0.2.1[500] (316 bytes)
Jun 9 19:57:38 r4-1 charon: 09[ENC] <peer-192.0.2.2-tunnel-0|4> parsed QUICK_MODE response 364019988 [ HASH SA No KE ID ID ]
Jun 9 19:57:38 r4-1 charon: 09[CFG] <peer-192.0.2.2-tunnel-0|4> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Jun 9 19:57:38 r4-1 charon: 09[IKE] <peer-192.0.2.2-tunnel-0|4> CHILD_SA peer-192.0.2.2-tunnel-0{1} established with SPIs cb0aa83a_i c728156c_o and TS 10.1.0.0/24 === 10.2.3.0/24
Jun 9 19:57:38 r4-1 charon: 09[ENC] <peer-192.0.2.2-tunnel-0|4> generating QUICK_MODE request 364019988 [ HASH ]
Jun 9 19:57:38 r4-1 charon: 09[NET] <peer-192.0.2.2-tunnel-0|4> sending packet: from 192.0.2.1[500] to 192.0.2.2[500] (60 bytes)
Ok, it is already fixed in 1.3 (T2916) and can be migrated to crux.
@erkin One additional detail: there is an attempt at clean up on entering configuration mode (in UnionfsCstore::setupSession); nonetheless, there are clearly potential (and potentially serious) issues here. Cf. T3054 for the comment on setupSession; there has been no serious investigation of the issue yet.
In T2855#95665, @Viacheslav wrote:
> I can't reproduce it in 1.2.7
Jun 8 2021
This is resolved for 1.4. Do you still have this problem in 1.3 as of RC4? If so, I'll need to backport the changes.
It seems the ARP monitor is not supported in 802.3ad mode.
I've tested replacing the deb source http://archive.repo.saltstack.com with https://archive.repo.saltproject.io in vyos-build/data/defaults.json.
It is redirected from
http://archive.repo.saltstack.com/apt/debian/8/amd64/2017.7
to
https://archive.repo.saltproject.io/apt/debian/8/amd64/2017.7
I created a PR to add this new feature, with the syntax for vyos-cli and FRR commands.
Jun 7 2021
PR https://github.com/vyos/vyos-build/pull/169
Jun 8 00:59:20 r1-roll ipsec_starter[2373]: charon (2374) started after 400 ms
Jun 8 00:59:20 r1-roll charon: 05[CFG] received stroke: add connection 'peer-192.0.2.2-tunnel-0'
Jun 8 00:59:20 r1-roll charon: 05[CFG] added configuration 'peer-192.0.2.2-tunnel-0'
Jun 8 00:59:20 r1-roll charon: 07[CFG] received stroke: initiate 'peer-192.0.2.2-tunnel-0'
Jun 8 00:59:20 r1-roll charon: 07[IKE] <peer-192.0.2.2-tunnel-0|1> initiating Main Mode IKE_SA peer-192.0.2.2-tunnel-0[1] to 192.0.2.2
Jun 8 00:59:20 r1-roll charon: 07[ENC] <peer-192.0.2.2-tunnel-0|1> generating ID_PROT request 0 [ SA V V V V V ]
Jun 8 00:59:20 r1-roll charon: 07[NET] <peer-192.0.2.2-tunnel-0|1> sending packet: from 192.0.2.1[500] to 192.0.2.2[500] (180 bytes)
Jun 8 00:59:20 r1-roll charon: 09[NET] <peer-192.0.2.2-tunnel-0|1> received packet: from 192.0.2.2[500] to 192.0.2.1[500] (160 bytes)
Jun 8 00:59:20 r1-roll charon: 09[ENC] <peer-192.0.2.2-tunnel-0|1> parsed ID_PROT response 0 [ SA V V V V ]
Jun 8 00:59:20 r1-roll charon: 09[IKE] <peer-192.0.2.2-tunnel-0|1> received XAuth vendor ID
Jun 8 00:59:20 r1-roll charon: 09[IKE] <peer-192.0.2.2-tunnel-0|1> received DPD vendor ID
Jun 8 00:59:20 r1-roll charon: 09[IKE] <peer-192.0.2.2-tunnel-0|1> received FRAGMENTATION vendor ID
Jun 8 00:59:20 r1-roll charon: 09[IKE] <peer-192.0.2.2-tunnel-0|1> received NAT-T (RFC 3947) vendor ID
Jun 8 00:59:20 r1-roll charon: 09[CFG] <peer-192.0.2.2-tunnel-0|1> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jun 8 00:59:20 r1-roll charon: 09[ENC] <peer-192.0.2.2-tunnel-0|1> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jun 8 00:59:20 r1-roll charon: 09[NET] <peer-192.0.2.2-tunnel-0|1> sending packet: from 192.0.2.1[500] to 192.0.2.2[500] (244 bytes)
Jun 8 00:59:20 r1-roll charon: 10[NET] <peer-192.0.2.2-tunnel-0|1> received packet: from 192.0.2.2[500] to 192.0.2.1[500] (244 bytes)
Jun 8 00:59:20 r1-roll charon: 10[ENC] <peer-192.0.2.2-tunnel-0|1> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Jun 8 00:59:20 r1-roll charon: 10[ENC] <peer-192.0.2.2-tunnel-0|1> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Jun 8 00:59:20 r1-roll charon: 10[NET] <peer-192.0.2.2-tunnel-0|1> sending packet: from 192.0.2.1[500] to 192.0.2.2[500] (108 bytes)
Jun 8 00:59:20 r1-roll charon: 11[NET] <peer-192.0.2.2-tunnel-0|1> received packet: from 192.0.2.2[500] to 192.0.2.1[500] (76 bytes)
Jun 8 00:59:20 r1-roll charon: 11[ENC] <peer-192.0.2.2-tunnel-0|1> parsed ID_PROT response 0 [ ID HASH ]
Jun 8 00:59:20 r1-roll charon: 11[IKE] <peer-192.0.2.2-tunnel-0|1> IKE_SA peer-192.0.2.2-tunnel-0[1] established between 192.0.2.1[192.0.2.1]...192.0.2.2[192.0.2.2]
Jun 8 00:59:20 r1-roll charon: 11[IKE] <peer-192.0.2.2-tunnel-0|1> scheduling rekeying in 2720s
Jun 8 00:59:20 r1-roll charon: 11[IKE] <peer-192.0.2.2-tunnel-0|1> maximum IKE_SA lifetime 3260s
Jun 8 00:59:20 r1-roll charon: 11[ENC] <peer-192.0.2.2-tunnel-0|1> generating QUICK_MODE request 3783917425 [ HASH SA No KE ID ID ]
Jun 8 00:59:20 r1-roll charon: 11[NET] <peer-192.0.2.2-tunnel-0|1> sending packet: from 192.0.2.1[500] to 192.0.2.2[500] (316 bytes)
Jun 8 00:59:20 r1-roll charon: 12[NET] <peer-192.0.2.2-tunnel-0|1> received packet: from 192.0.2.2[500] to 192.0.2.1[500] (316 bytes)
Jun 8 00:59:20 r1-roll charon: 12[ENC] <peer-192.0.2.2-tunnel-0|1> parsed QUICK_MODE response 3783917425 [ HASH SA No KE ID ID ]
Jun 8 00:59:20 r1-roll charon: 12[CFG] <peer-192.0.2.2-tunnel-0|1> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Jun 8 00:59:20 r1-roll charon: 12[IKE] <peer-192.0.2.2-tunnel-0|1> CHILD_SA peer-192.0.2.2-tunnel-0{1} established with SPIs c4d940b7_i c9a69e83_o and TS 10.1.0.0/24 === 10.2.3.0/24
Jun 8 00:59:20 r1-roll charon: 12[ENC] <peer-192.0.2.2-tunnel-0|1> generating QUICK_MODE request 3783917425 [ HASH ]
Jun 8 00:59:20 r1-roll charon: 12[NET] <peer-192.0.2.2-tunnel-0|1> sending packet: from 192.0.2.1[500] to 192.0.2.2[500] (60 bytes)
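The two charon transcripts above (this one and the Jun 9 one from r4-1) are the kind of output an operator checks after a tunnel change: which IKE and ESP proposal was actually negotiated, which SPIs were installed, and which traffic selectors (TS) the CHILD_SA covers. The last point is exactly the concern raised in the first post about a full mesh of selector pairs appearing that nobody intended. The following script is an added example, not code from VyOS or strongSwan: it parses charon log lines of the shape shown above into per-connection summaries, flags legacy algorithms in the negotiated proposals (the 1024-bit MODP group that both transcripts negotiate), and compares established selector pairs against an allow-list. The sample lines are copied from the Jun 9 transcript; the weak-algorithm list and the allow-list check are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field

# Sample input: four lines copied from the Jun 9 r4-1 transcript above.
SAMPLE_LOG = """\
Jun 9 19:57:38 r4-1 charon: 07[CFG] <peer-192.0.2.2-tunnel-0|4> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jun 9 19:57:38 r4-1 charon: 08[IKE] <peer-192.0.2.2-tunnel-0|4> IKE_SA peer-192.0.2.2-tunnel-0[4] established between 192.0.2.1[192.0.2.1]...192.0.2.2[192.0.2.2]
Jun 9 19:57:38 r4-1 charon: 09[CFG] <peer-192.0.2.2-tunnel-0|4> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Jun 9 19:57:38 r4-1 charon: 09[IKE] <peer-192.0.2.2-tunnel-0|4> CHILD_SA peer-192.0.2.2-tunnel-0{1} established with SPIs cb0aa83a_i c728156c_o and TS 10.1.0.0/24 === 10.2.3.0/24
"""

# syslog prefix, host, "charon:", worker thread, log group, optional <conn|ike-id>, message
LINE_RE = re.compile(
    r'^\S+ +\d+ [\d:]+ (?P<host>\S+) charon: (?P<thread>\d+)\[(?P<group>\w+)\] '
    r'(?:<(?P<conn>[^|>]+)\|(?P<id>\d+)> )?(?P<msg>.*)$'
)
PROPOSAL_RE = re.compile(r'selected proposal: (?P<proto>IKE|ESP|AH):(?P<algs>\S+)')
CHILD_RE = re.compile(
    r'CHILD_SA (?P<name>\S+) established with SPIs (?P<spi_in>[0-9a-f]+)_i '
    r'(?P<spi_out>[0-9a-f]+)_o and TS (?P<ts_local>\S+) === (?P<ts_remote>\S+)'
)

# Assumption of this example: algorithms an operator would not want negotiated today.
WEAK_ALGS = {"MODP_768", "MODP_1024", "3DES_CBC", "DES_CBC", "HMAC_MD5_96", "PRF_HMAC_MD5"}


@dataclass
class SaSummary:
    conn: str
    proposals: dict = field(default_factory=dict)   # "IKE"/"ESP" -> list of algorithm names
    child_sas: list = field(default_factory=list)   # dicts with spi_in, spi_out, ts_local, ts_remote
    findings: list = field(default_factory=list)    # human-readable warnings


def parse_charon_log(text):
    """Group charon lines by connection name and extract proposals and CHILD_SAs."""
    sas = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("conn"):
            continue  # lines without an <conn|id> tag carry no per-SA state we track
        s = sas.setdefault(m.group("conn"), SaSummary(conn=m.group("conn")))
        msg = m.group("msg")
        p = PROPOSAL_RE.search(msg)
        if p:
            algs = p.group("algs").split("/")
            s.proposals[p.group("proto")] = algs
            for alg in algs:
                if alg in WEAK_ALGS:
                    s.findings.append(f"{p.group('proto')} negotiated weak algorithm {alg}")
            continue
        c = CHILD_RE.search(msg)
        if c:
            s.child_sas.append({k: c.group(k) for k in
                                ("name", "spi_in", "spi_out", "ts_local", "ts_remote")})
    return sas


def unexpected_selectors(sas, allowed_pairs):
    """Return (conn, local, remote) for every established TS pair not in allowed_pairs.

    allowed_pairs is a set of (local_prefix, remote_prefix) strings; any extra
    pair (for instance a cross pairing from an unintended selector mesh) is reported.
    """
    extra = []
    for conn, s in sas.items():
        for child in s.child_sas:
            pair = (child["ts_local"], child["ts_remote"])
            if pair not in allowed_pairs:
                extra.append((conn, pair[0], pair[1]))
    return extra


if __name__ == "__main__":
    summaries = parse_charon_log(SAMPLE_LOG)
    for conn, s in summaries.items():
        print(conn, s.proposals, s.child_sas)
        for f in s.findings:
            print("  WARNING:", f)
    print(unexpected_selectors(summaries, {("10.1.0.0/24", "10.2.3.0/24")}))
```

Feed it `journalctl -u strongswan` output or the syslog file instead of `SAMPLE_LOG` to audit a real box; the allow-list should be the set of selector pairs you intended to configure, so that any extra pairing created by a broad selector definition shows up as a finding rather than silently carrying traffic.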