Feature #14483

open

Conditionally reconfigure IPsec VTI interfaces only when necessary while applying IPsec changes

Added by Mike Moore 9 months ago. Updated 6 days ago.

Status: New
Priority: Normal
Assignee: -
Category: IPsec
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version: 24.07
Release Notes: Default

Description

I have at this time 4x IPsec VTI tunnels running eBGP.
When any change is made to any VPN tunnel (changes to the VTI address or a Phase 1 parameter change, etc.) it forces all BGP peers to flap.
I assume this is the charon service restarting [haven't validated that yet], but I have never seen this behavior on any other platform. Changes to a VPN configuration for a single peer shouldn't drop all routing for all peers.


Files

oci tunnel config.png (105 KB) - P1 and P2 configuration - Mike Moore, 06/18/2023 12:24 AM
ipsec logs.png (297 KB) - ipsec logs - Mike Moore, 06/18/2023 12:26 AM
routing logs.png (391 KB) - Mike Moore, 06/18/2023 12:35 AM
ping drops.png (56.7 KB) - icmp drops through the tunnel - Mike Moore, 06/18/2023 12:38 AM

Related issues

Has duplicate Bug #15285: Adding interfaces breaks FRR routing over IPsec (Duplicate)

Actions #1

Updated by Alhusein Zawi 9 months ago

Please provide more details about the tunnel's configurations.

Actions #2

Updated by Mike Moore 9 months ago

This is to OCI - Oracle Cloud Infrastructure.
To add to the notes, even updating the description bounces eBGP neighbors, as I just found out at 8:24pm Eastern - logs attached.

Actions #3

Updated by Mike Moore 9 months ago

Routing logs

Actions #4

Updated by Mike Moore 9 months ago

Extended ping from Windows client through the IPsec tunnel to the OCI compute instance. Notice the drop in pings. That is when routing flaps.

Actions #5

Updated by Mike Moore 9 months ago

Although not a true apples-to-apples comparison, I do have another FreeBSD firewall running (*sense) and ran the same test on that unit. Changed the VTI description. No pings lost. I do not know if this issue was there on past versions of pfSense+, or maybe it was but never noticed due to the non-production nature of the tunnels at the time.

Actions #6

Updated by Mike Moore 9 months ago

I have made a VTI description change. Logs from the ipsec.log file:

Jun 17 21:48:15 GAFW charon5702: 14[KNL] <con3|431> querying policy 0.0.0.0/0|/0 === 0.0.0.0/0|/0 in failed, not found
Jun 17 21:48:15 GAFW charon5702: 14[IKE] <con3|431> sending DPD request
Jun 17 21:48:15 GAFW charon5702: 14[IKE] <con3|431> queueing IKE_DPD task
Jun 17 21:48:15 GAFW charon5702: 14[IKE] <con3|431> activating new tasks
Jun 17 21:48:15 GAFW charon5702: 14[IKE] <con3|431> activating IKE_DPD task
Jun 17 21:48:15 GAFW charon5702: 14[ENC] <con3|431> generating INFORMATIONAL request 485 [ ]
Jun 17 21:48:15 GAFW charon5702: 14[NET] <con3|431> sending packet: from 162.193.210.96500 to 193.122.161.56500 (88 bytes)
Jun 17 21:48:15 GAFW charon5702: 09[NET] <con3|431> received packet: from 193.122.161.56500 to 162.193.210.96500 (88 bytes)
Jun 17 21:48:15 GAFW charon5702: 09[ENC] <con3|431> parsed INFORMATIONAL response 485 [ ]
Jun 17 21:48:15 GAFW charon5702: 09[IKE] <con3|431> activating new tasks
Jun 17 21:48:15 GAFW charon5702: 09[IKE] <con3|431> nothing to initiate
Jun 17 21:48:16 GAFW charon5702: 08[KNL] <con1|435> querying policy 0.0.0.0/0|/0 === 0.0.0.0/0|/0 in failed, not found
Jun 17 21:48:16 GAFW charon5702: 08[IKE] <con1|435> sending DPD request
Jun 17 21:48:16 GAFW charon5702: 08[IKE] <con1|435> queueing IKE_DPD task
Jun 17 21:48:16 GAFW charon5702: 08[IKE] <con1|435> activating new tasks
Jun 17 21:48:16 GAFW charon5702: 08[IKE] <con1|435> activating IKE_DPD task
Jun 17 21:48:16 GAFW charon5702: 08[ENC] <con1|435> generating INFORMATIONAL request 2 [ ]
Jun 17 21:48:16 GAFW charon5702: 08[NET] <con1|435> sending packet: from 162.193.210.964500 to 69.117.27.1204500 (57 bytes)
Jun 17 21:48:16 GAFW charon5702: 08[KNL] <con2|434> querying policy 0.0.0.0/0|/0 === 0.0.0.0/0|/0 in failed, not found
Jun 17 21:48:16 GAFW charon5702: 08[IKE] <con2|434> sending DPD request
Jun 17 21:48:16 GAFW charon5702: 08[IKE] <con2|434> queueing IKE_DPD task
Jun 17 21:48:16 GAFW charon5702: 08[IKE] <con2|434> activating new tasks
Jun 17 21:48:16 GAFW charon5702: 08[IKE] <con2|434> activating IKE_DPD task
Jun 17 21:48:16 GAFW charon5702: 08[ENC] <con2|434> generating INFORMATIONAL request 82 [ ]
Jun 17 21:48:16 GAFW charon5702: 08[NET] <con2|434> sending packet: from 162.193.210.964500 to 71.131.58.254500 (57 bytes)
Jun 17 21:48:16 GAFW charon5702: 10[NET] <con1|435> received packet: from 69.117.27.1204500 to 162.193.210.964500 (57 bytes)
Jun 17 21:48:16 GAFW charon5702: 10[ENC] <con1|435> parsed INFORMATIONAL response 2 [ ]
Jun 17 21:48:16 GAFW charon5702: 10[IKE] <con1|435> activating new tasks
Jun 17 21:48:16 GAFW charon5702: 10[IKE] <con1|435> nothing to initiate
Jun 17 21:48:16 GAFW charon5702: 10[NET] <con2|434> received packet: from 71.131.58.254500 to 162.193.210.964500 (57 bytes)
Jun 17 21:48:16 GAFW charon5702: 10[ENC] <con2|434> parsed INFORMATIONAL response 82 [ ]
Jun 17 21:48:16 GAFW charon5702: 10[IKE] <con2|434> activating new tasks
Jun 17 21:48:16 GAFW charon5702: 10[IKE] <con2|434> nothing to initiate
Jun 17 21:48:16 GAFW charon5702: 10[KNL] <con4|433> querying policy 0.0.0.0/0|/0 === 0.0.0.0/0|/0 in failed, not found
Jun 17 21:48:16 GAFW charon5702: 10[IKE] <con4|433> sending DPD request
Jun 17 21:48:16 GAFW charon5702: 10[IKE] <con4|433> queueing IKE_DPD task
Jun 17 21:48:16 GAFW charon5702: 10[IKE] <con4|433> activating new tasks
Jun 17 21:48:16 GAFW charon5702: 10[IKE] <con4|433> activating IKE_DPD task
Jun 17 21:48:16 GAFW charon5702: 10[ENC] <con4|433> generating INFORMATIONAL request 465 [ ]
Jun 17 21:48:16 GAFW charon5702: 10[NET] <con4|433> sending packet: from 162.193.210.96500 to 193.122.174.109500 (88 bytes)
Jun 17 21:48:16 GAFW charon5702: 10[NET] <con4|433> received packet: from 193.122.174.109500 to 162.193.210.96500 (88 bytes)
Jun 17 21:48:16 GAFW charon5702: 10[ENC] <con4|433> parsed INFORMATIONAL response 465 [ ]
Jun 17 21:48:16 GAFW charon5702: 10[IKE] <con4|433> activating new tasks
Jun 17 21:48:16 GAFW charon5702: 10[IKE] <con4|433> nothing to initiate
Jun 17 21:48:25 GAFW charon5702: 01[KNL] <con3|431> querying policy 0.0.0.0/0|/0 === 0.0.0.0/0|/0 in failed, not found
Jun 17 21:48:25 GAFW charon5702: 01[IKE] <con3|431> sending DPD request
Jun 17 21:48:25 GAFW charon5702: 01[IKE] <con3|431> queueing IKE_DPD task
Jun 17 21:48:25 GAFW charon5702: 01[IKE] <con3|431> activating new tasks
Jun 17 21:48:25 GAFW charon5702: 01[IKE] <con3|431> activating IKE_DPD task
Jun 17 21:48:25 GAFW charon5702: 01[ENC] <con3|431> generating INFORMATIONAL request 486 [ ]
Jun 17 21:48:25 GAFW charon5702: 01[NET] <con3|431> sending packet: from 162.193.210.96500 to 193.122.161.56500 (88 bytes)
Jun 17 21:48:25 GAFW charon5702: 01[NET] <con3|431> received packet: from 193.122.161.56500 to 162.193.210.96500 (88 bytes)
Jun 17 21:48:25 GAFW charon5702: 01[ENC] <con3|431> parsed INFORMATIONAL response 486 [ ]
Jun 17 21:48:25 GAFW charon5702: 01[IKE] <con3|431> activating new tasks
Jun 17 21:48:25 GAFW charon5702: 01[IKE] <con3|431> nothing to initiate
Jun 17 21:48:26 GAFW charon5702: 06[KNL] <con1|435> querying policy 0.0.0.0/0|/0 === 0.0.0.0/0|/0 in failed, not found
Jun 17 21:48:26 GAFW charon5702: 06[IKE] <con1|435> sending DPD request
Jun 17 21:48:26 GAFW charon5702: 06[IKE] <con1|435> queueing IKE_DPD task
Jun 17 21:48:26 GAFW charon5702: 06[IKE] <con1|435> activating new tasks
Jun 17 21:48:26 GAFW charon5702: 06[IKE] <con1|435> activating IKE_DPD task
Jun 17 21:48:26 GAFW charon5702: 06[ENC] <con1|435> generating INFORMATIONAL request 3 [ ]
Jun 17 21:48:26 GAFW charon5702: 06[NET] <con1|435> sending packet: from 162.193.210.964500 to 69.117.27.1204500 (57 bytes)
Jun 17 21:48:26 GAFW charon5702: 06[KNL] <con2|434> querying policy 0.0.0.0/0|/0 === 0.0.0.0/0|/0 in failed, not found
Jun 17 21:48:26 GAFW charon5702: 06[IKE] <con2|434> sending DPD request
Jun 17 21:48:26 GAFW charon5702: 06[IKE] <con2|434> queueing IKE_DPD task
Jun 17 21:48:26 GAFW charon5702: 06[IKE] <con2|434> activating new tasks
Jun 17 21:48:26 GAFW charon5702: 06[IKE] <con2|434> activating IKE_DPD task
Jun 17 21:48:26 GAFW charon5702: 06[ENC] <con2|434> generating INFORMATIONAL request 83 [ ]
Jun 17 21:48:26 GAFW charon5702: 06[NET] <con2|434> sending packet: from 162.193.210.964500 to 71.131.58.254500 (57 bytes)
Jun 17 21:48:26 GAFW charon5702: 06[NET] <con1|435> received packet: from 69.117.27.1204500 to 162.193.210.964500 (57 bytes)
Jun 17 21:48:26 GAFW charon5702: 06[ENC] <con1|435> parsed INFORMATIONAL response 3 [ ]
Jun 17 21:48:26 GAFW charon5702: 06[IKE] <con1|435> activating new tasks
Jun 17 21:48:26 GAFW charon5702: 06[IKE] <con1|435> nothing to initiate
Jun 17 21:48:26 GAFW charon5702: 06[NET] <con2|434> received packet: from 71.131.58.254500 to 162.193.210.964500 (57 bytes)
Jun 17 21:48:26 GAFW charon5702: 06[ENC] <con2|434> parsed INFORMATIONAL response 83 [ ]
Jun 17 21:48:26 GAFW charon5702: 06[IKE] <con2|434> activating new tasks
Jun 17 21:48:26 GAFW charon5702: 06[IKE] <con2|434> nothing to initiate
Jun 17 21:48:26 GAFW charon5702: 13[KNL] <con4|433> querying policy 0.0.0.0/0|/0 === 0.0.0.0/0|/0 in failed, not found
Jun 17 21:48:26 GAFW charon5702: 13[IKE] <con4|433> sending DPD request
Jun 17 21:48:26 GAFW charon5702: 13[IKE] <con4|433> queueing IKE_DPD task
Jun 17 21:48:26 GAFW charon5702: 13[IKE] <con4|433> activating new tasks
Jun 17 21:48:26 GAFW charon5702: 13[IKE] <con4|433> activating IKE_DPD task
Jun 17 21:48:26 GAFW charon5702: 13[ENC] <con4|433> generating INFORMATIONAL request 466 [ ]
Jun 17 21:48:26 GAFW charon5702: 13[NET] <con4|433> sending packet: from 162.193.210.96500 to 193.122.174.109500 (88 bytes)
Jun 17 21:48:26 GAFW charon5702: 13[NET] <con4|433> received packet: from 193.122.174.109500 to 162.193.210.96500 (88 bytes)
Jun 17 21:48:26 GAFW charon5702: 13[ENC] <con4|433> parsed INFORMATIONAL response 466 [ ]
Jun 17 21:48:26 GAFW charon5702: 13[IKE] <con4|433> activating new tasks
Jun 17 21:48:26 GAFW charon5702: 13[IKE] <con4|433> nothing to initiate
Jun 17 21:48:29 GAFW charon5702: 12[KNL] 10.6.106.1 disappeared from ipsec1
Jun 17 21:48:29 GAFW charon5702: 11[KNL] interface ipsec1 deactivated
Jun 17 21:48:29 GAFW charon5702: 11[KNL] interface ipsec1 disappeared
Jun 17 21:48:29 GAFW charon5702: 11[KNL] interface ipsec1 appeared
Jun 17 21:48:29 GAFW charon5702: 11[KNL] 10.6.106.1 appeared on ipsec1
Jun 17 21:48:29 GAFW charon5702: 09[IKE] <con1|435> keeping statically configured path 162.193.210.96 - 69.117.27.120
Jun 17 21:48:29 GAFW charon5702: 09[IKE] <con4|433> keeping statically configured path 162.193.210.96 - 193.122.174.109
Jun 17 21:48:29 GAFW charon5702: 09[IKE] <con2|434> keeping statically configured path 162.193.210.96 - 71.131.58.25
Jun 17 21:48:29 GAFW charon5702: 09[IKE] <con3|431> keeping statically configured path 162.193.210.96 - 193.122.161.56
Jun 17 21:48:30 GAFW charon5702: 08[KNL] 172.28.0.6 disappeared from ipsec2
Jun 17 21:48:30 GAFW charon5702: 08[KNL] interface ipsec2 deactivated
Jun 17 21:48:30 GAFW charon5702: 10[KNL] interface ipsec2 disappeared
Jun 17 21:48:30 GAFW charon5702: 10[KNL] interface ipsec2 appeared
Jun 17 21:48:30 GAFW charon5702: 15[KNL] 172.28.0.6 appeared on ipsec2
Jun 17 21:48:30 GAFW charon5702: 01[IKE] <con1|435> keeping statically configured path 162.193.210.96 - 69.117.27.120
Jun 17 21:48:30 GAFW charon5702: 01[IKE] <con4|433> keeping statically configured path 162.193.210.96 - 193.122.174.109
Jun 17 21:48:30 GAFW charon5702: 01[IKE] <con2|434> keeping statically configured path 162.193.210.96 - 71.131.58.25
Jun 17 21:48:30 GAFW charon5702: 01[IKE] <con3|431> keeping statically configured path 162.193.210.96 - 193.122.161.56
Jun 17 21:48:30 GAFW charon5702: 06[KNL] 10.6.106.5 disappeared from ipsec3
Jun 17 21:48:30 GAFW charon5702: 06[KNL] interface ipsec3 deactivated
Jun 17 21:48:30 GAFW charon5702: 05[KNL] interface ipsec3 disappeared
Jun 17 21:48:30 GAFW charon5702: 05[KNL] interface ipsec3 appeared
Jun 17 21:48:30 GAFW charon5702: 13[KNL] 10.6.106.5 appeared on ipsec3
Jun 17 21:48:30 GAFW charon5702: 07[IKE] <con1|435> keeping statically configured path 162.193.210.96 - 69.117.27.120
Jun 17 21:48:30 GAFW charon5702: 07[IKE] <con4|433> keeping statically configured path 162.193.210.96 - 193.122.174.109
Jun 17 21:48:30 GAFW charon5702: 07[IKE] <con2|434> keeping statically configured path 162.193.210.96 - 71.131.58.25
Jun 17 21:48:30 GAFW charon5702: 07[IKE] <con3|431> keeping statically configured path 162.193.210.96 - 193.122.161.56
Jun 17 21:48:30 GAFW charon5702: 14[KNL] 10.6.106.9 disappeared from ipsec4
Jun 17 21:48:30 GAFW charon5702: 14[KNL] interface ipsec4 deactivated
Jun 17 21:48:30 GAFW charon5702: 11[KNL] interface ipsec4 disappeared
Jun 17 21:48:30 GAFW charon5702: 09[KNL] interface ipsec4 appeared
Jun 17 21:48:30 GAFW charon5702: 11[KNL] 10.6.106.9 appeared on ipsec4
Jun 17 21:48:30 GAFW charon5702: 08[IKE] <con1|435> keeping statically configured path 162.193.210.96 - 69.117.27.120
Jun 17 21:48:30 GAFW charon5702: 08[IKE] <con4|433> keeping statically configured path 162.193.210.96 - 193.122.174.109
Jun 17 21:48:30 GAFW charon5702: 08[IKE] <con2|434> keeping statically configured path 162.193.210.96 - 71.131.58.25
Jun 17 21:48:30 GAFW charon5702: 08[IKE] <con3|431> keeping statically configured path 162.193.210.96 - 193.122.161.56
Jun 17 21:48:30 GAFW charon5702: 13[CFG] vici client 3946 connected
Jun 17 21:48:30 GAFW charon5702: 05[CFG] vici client 3946 requests: reload-settings
Jun 17 21:48:30 GAFW charon5702: 05[CFG] ipseckey plugin is disabled
Jun 17 21:48:30 GAFW charon5702: 05[CFG] loaded 0 entries for attr plugin configuration
Jun 17 21:48:30 GAFW charon5702: 05[CFG] loaded 0 RADIUS server configurations
Jun 17 21:48:30 GAFW charon5702: 12[CFG] vici client 3946 disconnected
Jun 17 21:48:30 GAFW charon5702: 05[CFG] vici client 3947 connected
Jun 17 21:48:30 GAFW charon5702: 12[CFG] vici client 3947 requests: get-keys
Jun 17 21:48:30 GAFW charon5702: 07[CFG] vici client 3947 requests: get-shared
Jun 17 21:48:30 GAFW charon5702: 07[CFG] vici client 3947 requests: load-shared
Jun 17 21:48:30 GAFW charon5702: 07[CFG] loaded IKE shared key with id 'ike-0' for: '%any', '69.117.27.120'
Jun 17 21:48:30 GAFW charon5702: 07[CFG] vici client 3947 requests: load-shared
Jun 17 21:48:30 GAFW charon5702: 07[CFG] loaded IKE shared key with id 'ike-1' for: '%any', '71.131.58.25'
Jun 17 21:48:30 GAFW charon5702: 07[CFG] vici client 3947 requests: load-shared
Jun 17 21:48:30 GAFW charon5702: 07[CFG] loaded IKE shared key with id 'ike-2' for: '%any', '193.122.161.56'
Jun 17 21:48:30 GAFW charon5702: 14[CFG] vici client 3947 requests: load-shared
Jun 17 21:48:30 GAFW charon5702: 14[CFG] loaded IKE shared key with id 'ike-3' for: '%any', '193.122.174.109'
Jun 17 21:48:30 GAFW charon5702: 14[CFG] vici client 3947 requests: get-authorities
Jun 17 21:48:30 GAFW charon5702: 14[CFG] vici client 3947 requests: get-pools
Jun 17 21:48:30 GAFW charon5702: 14[CFG] vici client 3947 requests: get-conns
Jun 17 21:48:30 GAFW charon5702: 14[CFG] vici client 3947 requests: load-conn
Jun 17 21:48:30 GAFW charon5702: 14[CFG] conn bypass:
Jun 17 21:48:30 GAFW charon5702: 14[CFG] child bypasslan:
Jun 17 21:48:30 GAFW charon5702: 14[CFG] rekey_time = 3600
Jun 17 21:48:30 GAFW charon5702: 14[CFG] life_time = 3960
Jun 17 21:48:30 GAFW charon5702: 14[CFG] rand_time = 360
Jun 17 21:48:30 GAFW charon5702: 14[CFG] rekey_bytes = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] life_bytes = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] rand_bytes = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] rekey_packets = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] life_packets = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] rand_packets = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] updown = (null)
Jun 17 21:48:30 GAFW charon5702: 14[CFG] hostaccess = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] ipcomp = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] mode = PASS
Jun 17 21:48:30 GAFW charon5702: 14[CFG] policies = 1
Jun 17 21:48:30 GAFW charon5702: 14[CFG] policies_fwd_out = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] dpd_action = none
Jun 17 21:48:30 GAFW charon5702: 14[CFG] start_action = trap
Jun 17 21:48:30 GAFW charon5702: 14[CFG] close_action = none
Jun 17 21:48:30 GAFW charon5702: 14[CFG] reqid = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] tfc = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] priority = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] interface = (null)
Jun 17 21:48:30 GAFW charon5702: 14[CFG] if_id_in = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] if_id_out = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] mark_in = 0/0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] mark_in_sa = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] mark_out = 0/0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] set_mark_in = 0/0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] set_mark_out = 0/0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] label = (null)
Jun 17 21:48:30 GAFW charon5702: 14[CFG] label_mode = system
Jun 17 21:48:30 GAFW charon5702: 14[CFG] inactivity = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] proposals = ESP:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
Jun 17 21:48:30 GAFW charon5702: 14[CFG] local_ts = 192.168.50.0/24|/0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] remote_ts = 192.168.50.0/24|/0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] hw_offload = no
Jun 17 21:48:30 GAFW charon5702: 14[CFG] sha256_96 = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] copy_df = 1
Jun 17 21:48:30 GAFW charon5702: 14[CFG] copy_ecn = 1
Jun 17 21:48:30 GAFW charon5702: 14[CFG] copy_dscp = out
Jun 17 21:48:30 GAFW charon5702: 14[CFG] version = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] local_addrs = %any
Jun 17 21:48:30 GAFW charon5702: 14[CFG] remote_addrs = 127.0.0.1
Jun 17 21:48:30 GAFW charon5702: 14[CFG] local_port = 500
Jun 17 21:48:30 GAFW charon5702: 14[CFG] remote_port = 500
Jun 17 21:48:30 GAFW charon5702: 14[CFG] send_certreq = 1
Jun 17 21:48:30 GAFW charon5702: 14[CFG] send_cert = CERT_SEND_IF_ASKED
Jun 17 21:48:30 GAFW charon5702: 14[CFG] ppk_id = (null)
Jun 17 21:48:30 GAFW charon5702: 14[CFG] ppk_required = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] mobike = 1
Jun 17 21:48:30 GAFW charon5702: 14[CFG] aggressive = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] dscp = 0x00
Jun 17 21:48:30 GAFW charon5702: 14[CFG] encap = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] dpd_delay = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] dpd_timeout = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] fragmentation = 2
Jun 17 21:48:30 GAFW charon5702: 14[CFG] childless = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] unique = UNIQUE_NO
Jun 17 21:48:30 GAFW charon5702: 14[CFG] keyingtries = 1
Jun 17 21:48:30 GAFW charon5702: 14[CFG] reauth_time = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] rekey_time = 14400
Jun 17 21:48:30 GAFW charon5702: 14[CFG] over_time = 1440
Jun 17 21:48:30 GAFW charon5702: 14[CFG] rand_time = 1440
Jun 17 21:48:30 GAFW charon5702: 14[CFG] proposals = IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/CHACHA20_POLY1305/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Jun 17 21:48:30 GAFW charon5702: 14[CFG] if_id_in = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] if_id_out = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] local:
Jun 17 21:48:30 GAFW charon5702: 14[CFG] remote:
Jun 17 21:48:30 GAFW charon5702: 14[CFG] updated vici connection: bypass
Jun 17 21:48:30 GAFW charon5702: 09[CFG] vici client 3947 requests: load-conn
Jun 17 21:48:30 GAFW charon5702: 09[CFG] conn con1:
Jun 17 21:48:30 GAFW charon5702: 09[CFG] child con1:
Jun 17 21:48:30 GAFW charon5702: 09[CFG] rekey_time = 3240
Jun 17 21:48:30 GAFW charon5702: 09[CFG] life_time = 3600
Jun 17 21:48:30 GAFW charon5702: 09[CFG] rand_time = 360
Jun 17 21:48:30 GAFW charon5702: 09[CFG] rekey_bytes = 0
Jun 17 21:48:30 GAFW charon5702: 09[CFG] life_bytes = 0
Jun 17 21:48:30 GAFW charon5702: 09[CFG] rand_bytes = 0
Jun 17 21:48:30 GAFW charon5702: 09[CFG] rekey_packets = 0
Jun 17 21:48:30 GAFW charon5702: 09[CFG] life_packets = 0
Jun 17 21:48:30 GAFW charon5702: 09[CFG] rand_packets = 0
Jun 17 21:48:30 GAFW charon5702: 09[CFG] updown = (null)
Jun 17 21:48:30 GAFW charon5702: 09[CFG] hostaccess = 0
Jun 17 21:48:30 GAFW charon5702: 09[CFG] ipcomp = 0
Jun 17 21:48:30 GAFW charon5702: 09[CFG] mode = TUNNEL
Jun 17 21:48:30 GAFW charon5702: 09[CFG] policies = 0
Jun 17 21:48:30 GAFW charon5702: 09[CFG] policies_fwd_out = 0
Jun 17 21:48:30 GAFW charon5702: 09[CFG] dpd_action = start
Jun 17 21:48:30 GAFW charon5702: 09[CFG] start_action = start
Jun 17 21:48:30 GAFW charon5702: 09[CFG] close_action = none
Jun 17 21:48:30 GAFW charon5702: 09[CFG] reqid = 5001
Jun 17 21:48:30 GAFW charon5702: 09[CFG] tfc = 0
Jun 17 21:48:30 GAFW charon5702: 09[CFG] priority = 0
Jun 17 21:48:30 GAFW charon5702: 09[CFG] interface = (null)
Jun 17 21:48:30 GAFW charon5702: 09[CFG] if_id_in = 0
Jun 17 21:48:30 GAFW charon5702: 09[CFG] if_id_out = 0
Jun 17 21:48:30 GAFW charon5702: 09[CFG] mark_in = 0/0
Jun 17 21:48:30 GAFW charon5702: 09[CFG] mark_in_sa = 0
Jun 17 21:48:30 GAFW charon5702: 09[CFG] mark_out = 0/0
Jun 17 21:48:30 GAFW charon5702: 09[CFG] set_mark_in = 0/0
Jun 17 21:48:30 GAFW charon5702: 09[CFG] set_mark_out = 0/0
Jun 17 21:48:30 GAFW charon5702: 09[CFG] label = (null)
Jun 17 21:48:30 GAFW charon5702: 09[CFG] label_mode = system
Jun 17 21:48:30 GAFW charon5702: 09[CFG] inactivity = 0
Jun 17 21:48:30 GAFW charon5702: 09[CFG] proposals = ESP:AES_GCM_16_128/MODP_2048/NO_EXT_SEQ
Jun 17 21:48:30 GAFW charon5702: 09[CFG] local_ts = 10.6.106.0/30|/0 0.0.0.0/0|/0 ::/0|/0
Jun 17 21:48:30 GAFW charon5702: 09[CFG] remote_ts = 10.6.106.2/32|/0 0.0.0.0/0|/0 ::/0|/0
Jun 17 21:48:30 GAFW charon5702: 09[CFG] hw_offload = no
Jun 17 21:48:30 GAFW charon5702: 09[CFG] sha256_96 = 0
Jun 17 21:48:30 GAFW charon5702: 09[CFG] copy_df = 1
Jun 17 21:48:30 GAFW charon5702: 09[CFG] copy_ecn = 1
Jun 17 21:48:30 GAFW charon5702: 09[CFG] copy_dscp = out
Jun 17 21:48:30 GAFW charon5702: 09[CFG] version = 2
Jun 17 21:48:30 GAFW charon5702: 09[CFG] local_addrs = 162.193.210.96
Jun 17 21:48:30 GAFW charon5702: 09[CFG] remote_addrs = vpn.moorecompute.com
Jun 17 21:48:30 GAFW charon5702: 09[CFG] local_port = 500
Jun 17 21:48:30 GAFW charon5702: 09[CFG] remote_port = 500
Jun 17 21:48:30 GAFW charon5702: 09[CFG] send_certreq = 1
Jun 17 21:48:30 GAFW charon5702: 09[CFG] send_cert = CERT_SEND_IF_ASKED
Jun 17 21:48:30 GAFW charon5702: 09[CFG] ppk_id = (null)
Jun 17 21:48:30 GAFW charon5702: 09[CFG] ppk_required = 0
Jun 17 21:48:30 GAFW charon5702: 09[CFG] mobike = 0
Jun 17 21:48:30 GAFW charon5702: 09[CFG] aggressive = 0
Jun 17 21:48:30 GAFW charon5702: 09[CFG] dscp = 0x00
Jun 17 21:48:30 GAFW charon5702: 09[CFG] encap = 1
Jun 17 21:48:30 GAFW charon5702: 09[CFG] dpd_delay = 10
Jun 17 21:48:30 GAFW charon5702: 09[CFG] dpd_timeout = 0
Jun 17 21:48:30 GAFW charon5702: 09[CFG] fragmentation = 2
Jun 17 21:48:30 GAFW charon5702: 09[CFG] childless = 0
Jun 17 21:48:30 GAFW charon5702: 09[CFG] unique = UNIQUE_REPLACE
Jun 17 21:48:30 GAFW charon5702: 09[CFG] keyingtries = 1
Jun 17 21:48:30 GAFW charon5702: 09[CFG] reauth_time = 0
Jun 17 21:48:30 GAFW charon5702: 09[CFG] rekey_time = 25920
Jun 17 21:48:30 GAFW charon5702: 09[CFG] over_time = 2880
Jun 17 21:48:30 GAFW charon5702: 09[CFG] rand_time = 2880
Jun 17 21:48:30 GAFW charon5702: 09[CFG] proposals = IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_2048
Jun 17 21:48:30 GAFW charon5702: 09[CFG] if_id_in = 0
Jun 17 21:48:30 GAFW charon5702: 09[CFG] if_id_out = 0
Jun 17 21:48:30 GAFW charon5702: 09[CFG] local:
Jun 17 21:48:30 GAFW charon5702: 09[CFG] class = pre-shared key
Jun 17 21:48:30 GAFW charon5702: 09[CFG] id = 162.193.210.96
Jun 17 21:48:30 GAFW charon5702: 09[CFG] remote:
Jun 17 21:48:30 GAFW charon5702: 09[CFG] class = pre-shared key
Jun 17 21:48:30 GAFW charon5702: 09[CFG] id = 69.117.27.120
Jun 17 21:48:30 GAFW charon5702: 09[CFG] updated vici connection: con1
Jun 17 21:48:30 GAFW charon5702: 14[CFG] vici client 3947 requests: load-conn
Jun 17 21:48:30 GAFW charon5702: 14[CFG] conn con2:
Jun 17 21:48:30 GAFW charon5702: 14[CFG] child con2:
Jun 17 21:48:30 GAFW charon5702: 14[CFG] rekey_time = 3240
Jun 17 21:48:30 GAFW charon5702: 14[CFG] life_time = 3600
Jun 17 21:48:30 GAFW charon5702: 14[CFG] rand_time = 360
Jun 17 21:48:30 GAFW charon5702: 14[CFG] rekey_bytes = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] life_bytes = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] rand_bytes = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] rekey_packets = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] life_packets = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] rand_packets = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] updown = (null)
Jun 17 21:48:30 GAFW charon5702: 14[CFG] hostaccess = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] ipcomp = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] mode = TUNNEL
Jun 17 21:48:30 GAFW charon5702: 14[CFG] policies = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] policies_fwd_out = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] dpd_action = start
Jun 17 21:48:30 GAFW charon5702: 14[CFG] start_action = start
Jun 17 21:48:30 GAFW charon5702: 14[CFG] close_action = none
Jun 17 21:48:30 GAFW charon5702: 14[CFG] reqid = 5002
Jun 17 21:48:30 GAFW charon5702: 14[CFG] tfc = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] priority = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] interface = (null)
Jun 17 21:48:30 GAFW charon5702: 14[CFG] if_id_in = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] if_id_out = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] mark_in = 0/0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] mark_in_sa = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] mark_out = 0/0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] set_mark_in = 0/0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] set_mark_out = 0/0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] label = (null)
Jun 17 21:48:30 GAFW charon5702: 14[CFG] label_mode = system
Jun 17 21:48:30 GAFW charon5702: 14[CFG] inactivity = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] proposals = ESP:AES_GCM_16_128/MODP_2048/NO_EXT_SEQ
Jun 17 21:48:30 GAFW charon5702: 14[CFG] local_ts = 172.28.0.4/30|/0 0.0.0.0/0|/0 ::/0|/0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] remote_ts = 172.28.0.5/32|/0 0.0.0.0/0|/0 ::/0|/0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] hw_offload = no
Jun 17 21:48:30 GAFW charon5702: 14[CFG] sha256_96 = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] copy_df = 1
Jun 17 21:48:30 GAFW charon5702: 14[CFG] copy_ecn = 1
Jun 17 21:48:30 GAFW charon5702: 14[CFG] copy_dscp = out
Jun 17 21:48:30 GAFW charon5702: 14[CFG] version = 2
Jun 17 21:48:30 GAFW charon5702: 14[CFG] local_addrs = 162.193.210.96
Jun 17 21:48:30 GAFW charon5702: 14[CFG] remote_addrs = vpn.k85enterprises.com
Jun 17 21:48:30 GAFW charon5702: 14[CFG] local_port = 500
Jun 17 21:48:30 GAFW charon5702: 14[CFG] remote_port = 500
Jun 17 21:48:30 GAFW charon5702: 14[CFG] send_cert = CERT_SEND_IF_ASKED
Jun 17 21:48:30 GAFW charon5702: 14[CFG] mobike = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] dscp = 0x00
Jun 17 21:48:30 GAFW charon5702: 14[CFG] dpd_timeout = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] unique = UNIQUE_REPLACE
Jun 17 21:48:30 GAFW charon5702: 14[CFG] rekey_time = 25920
Jun 17 21:48:30 GAFW charon5702: 14[CFG] if_id_in = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] id = 162.193.210.96
Jun 17 21:48:30 GAFW charon5702: 14[CFG] class = pre-shared key
Jun 17 21:48:30 GAFW charon5702: 14[CFG] id = 71.131.58.25
Jun 17 21:48:30 GAFW charon5702: 14[CFG] updated vici connection: con2
Jun 17 21:48:30 GAFW charon5702: 11[CFG] vici client 3947 requests: load-conn
Jun 17 21:48:30 GAFW charon5702: 11[CFG] conn con3:
Jun 17 21:48:30 GAFW charon5702: 11[CFG] child con3:
Jun 17 21:48:30 GAFW charon5702: 11[CFG] rekey_time = 3240
Jun 17 21:48:30 GAFW charon5702: 11[CFG] life_time = 3600
Jun 17 21:48:30 GAFW charon5702: 11[CFG] rand_time = 360
Jun 17 21:48:30 GAFW charon5702: 11[CFG] rekey_bytes = 0
Jun 17 21:48:30 GAFW charon5702: 11[CFG] life_bytes = 0
Jun 17 21:48:30 GAFW charon5702: 11[CFG] rand_bytes = 0
Jun 17 21:48:30 GAFW charon5702: 11[CFG] rekey_packets = 0
Jun 17 21:48:30 GAFW charon5702: 11[CFG] life_packets = 0
Jun 17 21:48:30 GAFW charon5702: 11[CFG] rand_packets = 0
Jun 17 21:48:30 GAFW charon5702: 11[CFG] updown = (null)
Jun 17 21:48:30 GAFW charon5702: 11[CFG] hostaccess = 0
Jun 17 21:48:30 GAFW charon5702: 11[CFG] ipcomp = 0
Jun 17 21:48:30 GAFW charon5702: 11[CFG] mode = TUNNEL
Jun 17 21:48:30 GAFW charon5702: 11[CFG] policies = 0
Jun 17 21:48:30 GAFW charon5702: 11[CFG] policies_fwd_out = 0
Jun 17 21:48:30 GAFW charon5702: 11[CFG] dpd_action = start
Jun 17 21:48:30 GAFW charon5702: 11[CFG] start_action = start
Jun 17 21:48:30 GAFW charon5702: 11[CFG] close_action = none
Jun 17 21:48:30 GAFW charon5702: 11[CFG] reqid = 5003
Jun 17 21:48:30 GAFW charon5702: 11[CFG] tfc = 0
Jun 17 21:48:30 GAFW charon5702: 11[CFG] priority = 0
Jun 17 21:48:30 GAFW charon5702: 11[CFG] interface = (null)
Jun 17 21:48:30 GAFW charon5702: 11[CFG] if_id_in = 0
Jun 17 21:48:30 GAFW charon5702: 11[CFG] if_id_out = 0
Jun 17 21:48:30 GAFW charon5702: 11[CFG] mark_in = 0/0
Jun 17 21:48:30 GAFW charon5702: 11[CFG] mark_in_sa = 0
Jun 17 21:48:30 GAFW charon5702: 11[CFG] mark_out = 0/0
Jun 17 21:48:30 GAFW charon5702: 11[CFG] set_mark_in = 0/0
Jun 17 21:48:30 GAFW charon5702: 11[CFG] set_mark_out = 0/0
Jun 17 21:48:30 GAFW charon5702: 11[CFG] label = (null)
Jun 17 21:48:30 GAFW charon5702: 11[CFG] label_mode = system
Jun 17 21:48:30 GAFW charon5702: 11[CFG] inactivity = 0
Jun 17 21:48:30 GAFW charon5702: 11[CFG] proposals = ESP:AES_GCM_16_256/MODP_1536/NO_EXT_SEQ, ESP:AES_GCM_12_256/MODP_1536/NO_EXT_SEQ, ESP:AES_GCM_8_256/MODP_1536/NO_EXT_SEQ
Jun 17 21:48:30 GAFW charon5702: 11[CFG] remote_ts = 10.6.106.6/32|/0 0.0.0.0/0|/0 ::/0|/0
Jun 17 21:48:30 GAFW charon5702: 11[CFG] sha256_96 = 0
Jun 17 21:48:30 GAFW charon5702: 11[CFG] copy_dscp = out
Jun 17 21:48:30 GAFW charon5702: 11[CFG] local_addrs = 162.193.210.96
Jun 17 21:48:30 GAFW charon5702: 11[CFG] remote_port = 500
Jun 17 21:48:30 GAFW charon5702: 11[CFG] send_cert = CERT_SEND_IF_ASKED
Jun 17 21:48:30 GAFW charon5702: 11[CFG] aggressive = 0
Jun 17 21:48:30 GAFW charon5702: 11[CFG] dpd_delay = 10
Jun 17 21:48:30 GAFW charon5702: 11[CFG] fragmentation = 2
Jun 17 21:48:30 GAFW charon5702: 11[CFG] reauth_time = 0
Jun 17 21:48:30 GAFW charon5702: 11[CFG] over_time = 2880
Jun 17 21:48:30 GAFW charon5702: 11[CFG] proposals = IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384
Jun 17 21:48:30 GAFW charon5702: 11[CFG] local:
Jun 17 21:48:30 GAFW charon5702: 11[CFG] id = 162.193.210.96
Jun 17 21:48:30 GAFW charon5702: 11[CFG] id = 193.122.161.56
Jun 17 21:48:30 GAFW charon5702: 11[CFG] updated vici connection: con3
Jun 17 21:48:30 GAFW charon5702: 14[CFG] vici client 3947 requests: load-conn
Jun 17 21:48:30 GAFW charon5702: 14[CFG] conn con4:
Jun 17 21:48:30 GAFW charon5702: 14[CFG] child con4:
Jun 17 21:48:30 GAFW charon5702: 14[CFG] rekey_time = 3240
Jun 17 21:48:30 GAFW charon5702: 14[CFG] life_time = 3600
Jun 17 21:48:30 GAFW charon5702: 14[CFG] rand_time = 360
Jun 17 21:48:30 GAFW charon5702: 14[CFG] rekey_bytes = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] life_bytes = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] rand_bytes = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] rekey_packets = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] life_packets = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] rand_packets = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] updown = (null)
Jun 17 21:48:30 GAFW charon5702: 14[CFG] hostaccess = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] ipcomp = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] mode = TUNNEL
Jun 17 21:48:30 GAFW charon5702: 14[CFG] policies = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] policies_fwd_out = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] dpd_action = start
Jun 17 21:48:30 GAFW charon5702: 14[CFG] start_action = start
Jun 17 21:48:30 GAFW charon5702: 14[CFG] close_action = none
Jun 17 21:48:30 GAFW charon5702: 14[CFG] reqid = 5004
Jun 17 21:48:30 GAFW charon5702: 14[CFG] tfc = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] priority = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] interface = (null)
Jun 17 21:48:30 GAFW charon5702: 14[CFG] if_id_in = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] if_id_out = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] mark_in = 0/0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] mark_in_sa = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] mark_out = 0/0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] set_mark_in = 0/0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] set_mark_out = 0/0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] label = (null)
Jun 17 21:48:30 GAFW charon5702: 14[CFG] label_mode = system
Jun 17 21:48:30 GAFW charon5702: 14[CFG] inactivity = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] proposals = ESP:AES_GCM_16_256/MODP_1536/NO_EXT_SEQ, ESP:AES_GCM_12_256/MODP_1536/NO_EXT_SEQ, ESP:AES_GCM_8_256/MODP_1536/NO_EXT_SEQ
Jun 17 21:48:30 GAFW charon5702: 14[CFG] local_ts = 10.6.106.8/30|/0 0.0.0.0/0|/0 ::/0|/0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] remote_ts = 10.6.106.10/32|/0 0.0.0.0/0|/0 ::/0|/0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] hw_offload = no
Jun 17 21:48:30 GAFW charon5702: 14[CFG] sha256_96 = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] copy_df = 1
Jun 17 21:48:30 GAFW charon5702: 14[CFG] copy_ecn = 1
Jun 17 21:48:30 GAFW charon5702: 14[CFG] copy_dscp = out
Jun 17 21:48:30 GAFW charon5702: 14[CFG] version = 2
Jun 17 21:48:30 GAFW charon5702: 14[CFG] local_addrs = 162.193.210.96
Jun 17 21:48:30 GAFW charon5702: 14[CFG] remote_addrs = 193.122.174.109
Jun 17 21:48:30 GAFW charon5702: 14[CFG] local_port = 500
Jun 17 21:48:30 GAFW charon5702: 14[CFG] remote_port = 500
Jun 17 21:48:30 GAFW charon5702: 14[CFG] send_certreq = 1
Jun 17 21:48:30 GAFW charon5702: 14[CFG] send_cert = CERT_SEND_IF_ASKED
Jun 17 21:48:30 GAFW charon5702: 14[CFG] ppk_id = (null)
Jun 17 21:48:30 GAFW charon5702: 14[CFG] ppk_required = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] mobike = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] aggressive = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] dscp = 0x00
Jun 17 21:48:30 GAFW charon5702: 14[CFG] encap = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] fragmentation = 2
Jun 17 21:48:30 GAFW charon5702: 14[CFG] keyingtries = 1
Jun 17 21:48:30 GAFW charon5702: 14[CFG] over_time = 2880
Jun 17 21:48:30 GAFW charon5702: 14[CFG] proposals = IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384
Jun 17 21:48:30 GAFW charon5702: 14[CFG] if_id_out = 0
Jun 17 21:48:30 GAFW charon5702: 14[CFG] class = pre-shared key
Jun 17 21:48:30 GAFW charon5702: 11[CFG] vici client 3947 disconnected
Jun 17 21:48:31 GAFW charon5702: 08[KNL] 10.6.106.1 disappeared from ipsec1
Jun 17 21:48:31 GAFW charon5702: 08[KNL] interface ipsec1 deactivated
Jun 17 21:48:31 GAFW charon5702: 08[IKE] <con1|435> keeping statically configured path 162.193.210.96 - 69.117.27.120
Jun 17 21:48:31 GAFW charon5702: 08[IKE] <con4|433> keeping statically configured path 162.193.210.96 - 193.122.174.109
Jun 17 21:48:31 GAFW charon5702: 08[IKE] <con2|434> keeping statically configured path 162.193.210.96 - 71.131.58.25
Jun 17 21:48:31 GAFW charon5702: 08[IKE] <con3|431> keeping statically configured path 162.193.210.96 - 193.122.161.56
Jun 17 21:48:32 GAFW charon5702: 09[KNL] interface ipsec1 activated
Jun 17 21:48:32 GAFW charon5702: 11[IKE] <con1|435> keeping statically configured path 162.193.210.96 - 69.117.27.120
Jun 17 21:48:32 GAFW charon5702: 11[IKE] <con4|433> keeping statically configured path 162.193.210.96 - 193.122.174.109
Jun 17 21:48:32 GAFW charon5702: 11[IKE] <con2|434> keeping statically configured path 162.193.210.96 - 71.131.58.25
Jun 17 21:48:32 GAFW charon5702: 11[IKE] <con3|431> keeping statically configured path 162.193.210.96 - 193.122.161.56
Jun 17 21:48:32 GAFW charon5702: 11[KNL] 172.28.0.6 disappeared from ipsec2
Jun 17 21:48:32 GAFW charon5702: 11[KNL] interface ipsec2 deactivated
Jun 17 21:48:32 GAFW charon5702: 11[IKE] <con1|435> keeping statically configured path 162.193.210.96 - 69.117.27.120
Jun 17 21:48:32 GAFW charon5702: 11[IKE] <con4|433> keeping statically configured path 162.193.210.96 - 193.122.174.109
Jun 17 21:48:32 GAFW charon5702: 11[IKE] <con2|434> keeping statically configured path 162.193.210.96 - 71.131.58.25
Jun 17 21:48:32 GAFW charon5702: 11[IKE] <con3|431> keeping statically configured path 162.193.210.96 - 193.122.161.56
Jun 17 21:48:34 GAFW charon5702: 14[KNL] interface ipsec2 activated
Jun 17 21:48:34 GAFW charon5702: 08[IKE] <con1|435> keeping statically configured path 162.193.210.96 - 69.117.27.120
Jun 17 21:48:34 GAFW charon5702: 08[IKE] <con4|433> keeping statically configured path 162.193.210.96 - 193.122.174.109
Jun 17 21:48:34 GAFW charon5702: 08[IKE] <con2|434> keeping statically configured path 162.193.210.96 - 71.131.58.25
Jun 17 21:48:34 GAFW charon5702: 08[IKE] <con3|431> keeping statically configured path 162.193.210.96 - 193.122.161.56
Jun 17 21:48:34 GAFW charon5702: 08[KNL] 10.6.106.5 disappeared from ipsec3
Jun 17 21:48:34 GAFW charon5702: 14[KNL] interface ipsec3 deactivated
Jun 17 21:48:34 GAFW charon5702: 14[IKE] <con1|435> keeping statically configured path 162.193.210.96 - 69.117.27.120
Jun 17 21:48:34 GAFW charon5702: 14[IKE] <con4|433> keeping statically configured path 162.193.210.96 - 193.122.174.109
Jun 17 21:48:34 GAFW charon5702: 14[IKE] <con2|434> keeping statically configured path 162.193.210.96 - 71.131.58.25
Jun 17 21:48:34 GAFW charon5702: 14[IKE] <con3|431> keeping statically configured path 162.193.210.96 - 193.122.161.56
Jun 17 21:48:35 GAFW charon5702: 14[KNL] <con3|431> querying policy 0.0.0.0/0|/0 === 0.0.0.0/0|/0 in failed, not found
Jun 17 21:48:35 GAFW charon5702: 14[IKE] <con3|431> sending DPD request
Jun 17 21:48:35 GAFW charon5702: 14[IKE] <con3|431> queueing IKE_DPD task
Jun 17 21:48:35 GAFW charon5702: 14[IKE] <con3|431> activating new tasks
Jun 17 21:48:35 GAFW charon5702: 14[IKE] <con3|431> activating IKE_DPD task
Jun 17 21:48:35 GAFW charon5702: 14[ENC] <con3|431> generating INFORMATIONAL request 487 [ ]
Jun 17 21:48:35 GAFW charon5702: 14[NET] <con3|431> sending packet: from 162.193.210.96[500] to 193.122.161.56[500] (88 bytes)
Jun 17 21:48:35 GAFW charon5702: 14[NET] <con3|431> received packet: from 193.122.161.56[500] to 162.193.210.96[500] (88 bytes)
Jun 17 21:48:35 GAFW charon5702: 14[ENC] <con3|431> parsed INFORMATIONAL response 487 [ ]
Jun 17 21:48:35 GAFW charon5702: 14[IKE] <con3|431> activating new tasks
Jun 17 21:48:35 GAFW charon5702: 14[IKE] <con3|431> nothing to initiate
Jun 17 21:48:35 GAFW charon5702: 14[KNL] interface ipsec3 activated
Jun 17 21:48:35 GAFW charon5702: 10[IKE] <con1|435> keeping statically configured path 162.193.210.96 - 69.117.27.120
Jun 17 21:48:35 GAFW charon5702: 10[IKE] <con4|433> keeping statically configured path 162.193.210.96 - 193.122.174.109
Jun 17 21:48:35 GAFW charon5702: 10[IKE] <con2|434> keeping statically configured path 162.193.210.96 - 71.131.58.25
Jun 17 21:48:35 GAFW charon5702: 10[IKE] <con3|431> keeping statically configured path 162.193.210.96 - 193.122.161.56
Jun 17 21:48:36 GAFW charon5702: 10[KNL] 10.6.106.9 disappeared from ipsec4
Jun 17 21:48:36 GAFW charon5702: 14[KNL] interface ipsec4 deactivated
Jun 17 21:48:36 GAFW charon5702: 14[IKE] <con1|435> keeping statically configured path 162.193.210.96 - 69.117.27.120
Jun 17 21:48:36 GAFW charon5702: 14[IKE] <con4|433> keeping statically configured path 162.193.210.96 - 193.122.174.109
Jun 17 21:48:36 GAFW charon5702: 14[IKE] <con2|434> keeping statically configured path 162.193.210.96 - 71.131.58.25
Jun 17 21:48:36 GAFW charon5702: 14[IKE] <con3|431> keeping statically configured path 162.193.210.96 - 193.122.161.56
Jun 17 21:48:36 GAFW charon5702: 14[KNL] <con1|435> querying policy 0.0.0.0/0|/0 === 0.0.0.0/0|/0 in failed, not found
Jun 17 21:48:36 GAFW charon5702: 14[IKE] <con1|435> sending DPD request
Jun 17 21:48:36 GAFW charon5702: 14[IKE] <con1|435> queueing IKE_DPD task
Jun 17 21:48:36 GAFW charon5702: 14[IKE] <con1|435> activating new tasks
Jun 17 21:48:36 GAFW charon5702: 14[IKE] <con1|435> activating IKE_DPD task
Jun 17 21:48:36 GAFW charon5702: 14[ENC] <con1|435> generating INFORMATIONAL request 4 [ ]
Jun 17 21:48:36 GAFW charon5702: 14[NET] <con1|435> sending packet: from 162.193.210.96[4500] to 69.117.27.120[4500] (57 bytes)
Jun 17 21:48:36 GAFW charon5702: 14[KNL] <con2|434> querying policy 0.0.0.0/0|/0 === 0.0.0.0/0|/0 in failed, not found
Jun 17 21:48:36 GAFW charon5702: 14[IKE] <con2|434> sending DPD request
Jun 17 21:48:36 GAFW charon5702: 14[IKE] <con2|434> queueing IKE_DPD task
Jun 17 21:48:36 GAFW charon5702: 14[IKE] <con2|434> activating new tasks
Jun 17 21:48:36 GAFW charon5702: 14[IKE] <con2|434> activating IKE_DPD task
Jun 17 21:48:36 GAFW charon5702: 14[ENC] <con2|434> generating INFORMATIONAL request 84 [ ]
Jun 17 21:48:36 GAFW charon5702: 14[NET] <con2|434> sending packet: from 162.193.210.96[4500] to 71.131.58.25[4500] (57 bytes)
Jun 17 21:48:36 GAFW charon5702: 14[NET] <con1|435> received packet: from 69.117.27.120[4500] to 162.193.210.96[4500] (57 bytes)
Jun 17 21:48:36 GAFW charon5702: 14[ENC] <con1|435> parsed INFORMATIONAL response 4 [ ]
Jun 17 21:48:36 GAFW charon5702: 14[IKE] <con1|435> activating new tasks
Jun 17 21:48:36 GAFW charon5702: 14[IKE] <con1|435> nothing to initiate
Jun 17 21:48:36 GAFW charon5702: 14[NET] <con2|434> received packet: from 71.131.58.25[4500] to 162.193.210.96[4500] (57 bytes)
Jun 17 21:48:36 GAFW charon5702: 14[ENC] <con2|434> parsed INFORMATIONAL response 84 [ ]
Jun 17 21:48:36 GAFW charon5702: 14[IKE] <con2|434> activating new tasks
Jun 17 21:48:36 GAFW charon5702: 14[IKE] <con2|434> nothing to initiate
Jun 17 21:48:36 GAFW charon5702: 14[KNL] <con4|433> querying policy 0.0.0.0/0|/0 === 0.0.0.0/0|/0 in failed, not found
Jun 17 21:48:36 GAFW charon5702: 14[IKE] <con4|433> sending DPD request
Jun 17 21:48:36 GAFW charon5702: 14[IKE] <con4|433> queueing IKE_DPD task
Jun 17 21:48:36 GAFW charon5702: 14[IKE] <con4|433> activating new tasks
Jun 17 21:48:36 GAFW charon5702: 14[IKE] <con4|433> activating IKE_DPD task
Jun 17 21:48:36 GAFW charon5702: 14[ENC] <con4|433> generating INFORMATIONAL request 467 [ ]
Jun 17 21:48:36 GAFW charon5702: 14[NET] <con4|433> sending packet: from 162.193.210.96[500] to 193.122.174.109[500] (88 bytes)
Jun 17 21:48:36 GAFW charon5702: 14[NET] <con4|433> received packet: from 193.122.174.109[500] to 162.193.210.96[500] (88 bytes)
Jun 17 21:48:36 GAFW charon5702: 14[ENC] <con4|433> parsed INFORMATIONAL response 467 [ ]
Jun 17 21:48:36 GAFW charon5702: 14[IKE] <con4|433> activating new tasks
Jun 17 21:48:36 GAFW charon5702: 14[IKE] <con4|433> nothing to initiate
Jun 17 21:48:37 GAFW charon5702: 14[KNL] interface ipsec4 activated
Jun 17 21:48:37 GAFW charon5702: 15[IKE] <con1|435> keeping statically configured path 162.193.210.96 - 69.117.27.120
Jun 17 21:48:37 GAFW charon5702: 15[IKE] <con4|433> keeping statically configured path 162.193.210.96 - 193.122.174.109
Jun 17 21:48:37 GAFW charon5702: 15[IKE] <con2|434> keeping statically configured path 162.193.210.96 - 71.131.58.25
Jun 17 21:48:37 GAFW charon5702: 15[IKE] <con3|431> keeping statically configured path 162.193.210.96 - 193.122.161.56

Actions #7

Updated by Marcos M 8 months ago

  • Status changed from New to Rejected
  • Priority changed from High to Normal
  • Affected Plus Version deleted (23.05.1)

This is part of the reason why the option Ignore IPsec Restart in FRR exists.

Actions #8

Updated by Mike Moore 8 months ago

Why was this rejected? That option is enabled for me. The entire point of a Redmine is not to troubleshoot but to report a possible software fault. There is a software fault here. Did anyone replicate this in a lab?

Actions #9

Updated by Marcos M 8 months ago

  • Has duplicate Bug #14486: FRR - Changes to VTI tunnels bounce all eBGP peers added
Actions #10

Updated by Marcos M 8 months ago

  • Status changed from Rejected to New

Oddly I can only replicate the issue after changing/saving/applying the P1 description a second time with Ignore IPsec Restart checked (it fails the first time with it unchecked).

Same result with Disable Gateway Monitoring Action checked on all VTI gateways.

Actions #11

Updated by Mike Moore 8 months ago

Changes to P1 parameters of any tunnel and clicking apply bounces all BGP peers.
Changes to the tunnel's description and clicking apply bounces all BGP peers.

All my gateways have Gateway Action disabled checked.
Even with the gateway disabled, that doesn't make a difference.

Actions #12

Updated by Mike Moore 8 months ago

Another action that's repeatable: go into the tunnel settings, select a tunnel but do not make any changes, then click save and apply. This causes a peer flap on all neighbors.
So FRR is not respecting the setting to ignore any VTI restarts.

Actions #13

Updated by Mike Moore 8 months ago

Will there be a fix for the IPsec restarts impacting FRR?

Actions #14

Updated by Mike Moore 8 months ago

Hi. Making a heartbeat check.
Will this get investigated further?
At this time I can't reliably use VTI and FRR at the same time.

Actions #15

Updated by Mike Moore 8 months ago

IPsec with FRR is still not stable. Any hope in getting it looked at after the holiday?

Actions #16

Updated by Mike Moore 8 months ago

I moved one of my FRR neighbors over to WireGuard and left the rest on IPsec VTI. As I suspected, any change to the IPsec configuration causes the outage.
Notice that 3 neighbors came up at the same time but the WireGuard neighbor is stable.

Neighbor     V  AS     MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/PfxRcd  PfxSnt
10.6.106.2   4  65520  211      225      0       0    0     03:23:15  3             6
10.6.106.6   4  31898  418      443      0       0    0     00:00:21  2             6
10.6.106.10  4  31898  418      447      0       0    0     00:00:20  2             6
172.28.0.5   4  65002  233      253      0       0    0     00:00:31  1             6

Actions #17

Updated by Jim Pingle 8 months ago

"Ignore IPsec Restart" doesn't actually control whether or not FRR/BGP/etc restart on interface events. What it controls is whether or not the interfaces inside FRR get shut/no shut after an IPsec event.

It would help to see a bit more info about the processes and logs around these events. It's not clear if charon, FRR, or anything else is getting fully restarted or just not handling some event as expected.

1. Check the process list (e.g. ps uxaww) and note the PIDs of charon, zebra, bgpd, etc.
2. Edit/save some VTI property as before
3. Check the process list again and note the PIDs to see if any of them changed
4. Check the main system log and see what messages are there around the time of the event, see if something like rc.newwanip was triggered.
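The four steps above as a stand-alone script, added here as an example rather than anything from pfSense or FRR. The daemon names are the ones named in this thread; the helper names (snapshot_pids, changed_pids, vti_events), the log path /var/log/ipsec.log and the sample log lines fed to the test are my own assumptions. changed_pids answers step 3 (did any PID change between two snapshots), and vti_events filters a log for the three things that explain a routing flap without a daemon restart: a VTI address vanishing, an ipsecN interface going down/up, or rc.newwanip firing.

```shell
#!/bin/sh
# Added example, not pfSense or FRR code: carry out the diagnostic steps from
# the comment above (snapshot PIDs, apply the change, snapshot again, then look
# at the log). Daemon names come from the thread; helper names are assumed.

DAEMONS="charon zebra bgpd"

# Steps 1 and 3: print "name pid" for each daemon of interest, sorted so two
# snapshots compare line by line. ps -axo is BSD syntax, as on FreeBSD/pfSense.
snapshot_pids() {
    ps -axo pid,comm | awk -v names="$DAEMONS" '
        BEGIN { n = split(names, want, " "); for (i = 1; i <= n; i++) w[want[i]] = 1 }
        ($2 in w) { print $2, $1 }' | sort
}

# Compare two snapshots (strings of "name pid" lines) and print the daemon
# names whose PID changed, appeared or disappeared. Empty output means nothing
# was restarted, which is what this thread later confirms for this bug.
changed_pids() {
    _b=$(mktemp); _a=$(mktemp)
    printf '%s\n' "$1" > "$_b"
    printf '%s\n' "$2" > "$_a"
    awk 'FILENAME == ARGV[1] { if (NF) before[$1] = $2; next }
         NF { after[$1] = $2 }
         END {
             for (n in before) if (!(n in after) || before[n] != after[n]) print n
             for (n in after) if (!(n in before)) print n
         }' "$_b" "$_a" | sort
    rm -f "$_b" "$_a"
}

# Step 4: from log text on stdin keep only the lines that matter for this
# problem: VTI addresses vanishing, ipsecN interfaces deactivated/activated,
# or rc.newwanip being triggered.
vti_events() {
    grep -E 'rc\.newwanip|disappeared from ipsec[0-9]+|interface ipsec[0-9]+ (de)?activated' || true
}

# Interactive use: ./vti-diag.sh run
# Takes a snapshot, waits for the operator to click Apply in the GUI, takes a
# second snapshot and prints the differences plus the relevant IPsec log lines.
# The log path is an assumption (plain-file syslog on current pfSense).
if [ "${1:-}" = "run" ]; then
    before=$(snapshot_pids)
    printf 'Apply the IPsec change now, then press Enter... '
    read -r _
    after=$(snapshot_pids)
    echo "Daemons with a new PID (empty = none restarted):"
    changed_pids "$before" "$after"
    echo "VTI events in the IPsec log:"
    cat /var/log/ipsec.log 2>/dev/null | vti_events
fi
```

If changed_pids prints nothing while vti_events shows "disappeared from ipsecN" followed by "interface ipsecN deactivated"/"activated" for every tunnel, the cause is the interfaces being torn down and rebuilt, not a daemon restart, and the FRR "Ignore IPsec Restart" option cannot help.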

Actions #18

Updated by Jim Pingle 8 months ago

  • Tracker changed from Bug to Feature
  • Project changed from pfSense Packages to pfSense
  • Subject changed from changes to ipsec VTI bounces all BGP peers to Conditionally reconfigure IPsec VTI interfaces only when necessary while applying IPsec changes
  • Category changed from FRR to IPsec
  • Target version set to 2.8.0
  • Plus Target Version set to 23.09
  • Release Notes set to Default

I was able to find a system in my lab where I could reproduce this. After some investigation it turns out there isn't anything FRR can do since it's not relevant here. The problem is that the VTI interfaces are being reconfigured unconditionally when applying IPsec changes.

Here are my observations:

  • None of the processes are restarting (charon, bgpd, etc)
  • No interface events are being logged, so no worries about rc.newwanip or package restarts
  • BGP itself stays up the whole time, even sessions stay active -- affected tunnels even showed a BGP session time of >1wk
  • FRR status shows routes are removed/re-added at the time of the apply action
  • IPsec is logging that the interface addresses are disappearing
  • All IPsec VTI interfaces are being reconfigured from the logs
  • It's happening in interface_ipsec_vti_configure() inside interfaces.inc which is being called when applying IPsec settings
  • Around line 1483 the interface is destroyed and recreated unconditionally and the addresses readded
  • Currently this is done to ensure any updates are respected, such as address changes.

The function would need to be rewritten to read existing settings first and then compare and only make changes if needed, or perhaps have a way to tell which tunnel settings changed old vs new and only make changes to tunnels that need updating.

This isn't a bug, however, but missing functionality, so it should be treated as a feature request.
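The compare-before-reconfigure approach described in the previous comment, as an added shell example rather than pfSense's own interface_ipsec_vti_configure(). It reads the live state of an ipsecN interface from ifconfig (FreeBSD if_ipsec output: the outer "tunnel inet" endpoints, the inner "inet" address and peer, and the reqid), compares it to the desired values, and only runs the destroy/create sequence when a field actually differs. The function names, the sample ifconfig text and the /30 inner mask are my own assumptions; the addresses in the sample are the ones visible in this thread's logs.

```shell
#!/bin/sh
# Added example, not pfSense code: only reconfigure a VTI interface when its
# live settings differ from the desired ones, so untouched tunnels keep their
# addresses and the routes FRR learned over them.

# vti_state IFCONFIG_TEXT: reduce the ifconfig output of one ipsec interface to
# "local remote inner peer reqid". Missing interface -> all fields empty.
vti_state() {
    printf '%s\n' "$1" | awk '
        $1 == "tunnel" && $2 == "inet" { l = $3; r = $5 }   # tunnel inet A --> B
        $1 == "inet"                   { a = $2; p = $4 }   # inet X --> Y netmask ...
        $1 == "reqid:"                 { q = $2 }
        END { print l, r, a, p, q }'
}

# vti_decision CURRENT DESIRED: "keep" when all five fields match, otherwise
# "reconfigure" followed by the names of the fields that differ.
vti_decision() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        NR == 1 { for (i = 1; i <= NF; i++) cur[i] = $i; next }
        NR == 2 {
            split("local remote inner peer reqid", name, " ")
            diff = ""
            for (i = 1; i <= 5; i++) if (cur[i] != $i) diff = diff " " name[i]
            out = (diff == "") ? "keep" : "reconfigure" diff
            print out
        }'
}

# vti_apply IFNAME LOCAL REMOTE INNER PEER REQID: read the live interface and
# only run the destroy/create sequence (the unconditional step the comment
# above identifies as the problem) when something really changed.
# Assumes a /30 inner subnet as in the thread's logs (10.6.106.8/30).
vti_apply() {
    _if=$1; _want="$2 $3 $4 $5 $6"
    _cur=$(vti_state "$(ifconfig "$_if" 2>/dev/null)")
    _dec=$(vti_decision "$_cur" "$_want")
    case $_dec in
        keep)
            echo "$_if: unchanged, leaving interface and its routes alone" ;;
        *)
            echo "$_if: $_dec"
            ifconfig "$_if" destroy 2>/dev/null
            ifconfig "$_if" create reqid "$6" tunnel "$2" "$3"
            ifconfig "$_if" inet "$4" "$5" netmask 255.255.255.252 up ;;
    esac
}

# Usage: ./vti-apply.sh apply ipsec3 162.193.210.96 193.122.161.56 10.6.106.5 10.6.106.6 5003
if [ "${1:-}" = "apply" ] && [ $# -eq 7 ]; then
    shift
    vti_apply "$@"
fi
```

A description-only edit produces "keep" for every tunnel and nothing is touched; changing one tunnel's inner address or reqid yields "reconfigure inner" or "reconfigure reqid" for that interface alone, which is the per-tunnel behaviour the comment asks for.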

Actions #19

Updated by Mike Moore 8 months ago

Appreciate the analysis. Is there a workaround that I can implement?
In my scenario my BGP peers bounce, which breaks routing, when applying any IPsec changes.
Hub and spoke scenarios are not possible.

Actions #20

Updated by Jim Pingle 8 months ago

Without the solution I described there is no viable workaround that wouldn't cripple the function in some way (e.g. changes would only be respected when rebooting) which is not viable to commit or recommend for use.

Actions #21

Updated by Mike Moore 8 months ago

Just wanted to follow up to say that my testing has observed similar findings as well. Apologies for the late reply.
1. No process restarts of charon, zebra or bgpd.
2. No rc.newwanip events seen in the system log.
3. The only difference is that BGP up/down events occur.

System log (modified nothing but clicked save to apply changes):

Jul 17 15:16:37 GAFW php-fpm14422: /vpn_ipsec_phase1.php: Configuration Change: (Local Database Fallback): Saved IPsec tunnel Phase 1 configuration.
Jul 17 15:16:37 GAFW check_reload_status1293: Syncing firewall
Jul 17 15:16:37 GAFW php-fpm14422: /vpn_ipsec_phase1.php: Beginning configuration backup to https://acb.netgate.com/save
Jul 17 15:16:42 GAFW check_reload_status1293: Reloading filter
Jul 17 15:16:42 GAFW php-fpm15340: /vpn_ipsec.php: Gateway, NONE AVAILABLE
Jul 17 15:16:42 GAFW php-fpm15340: /vpn_ipsec.php: Gateway, NONE AVAILABLE
Jul 17 15:16:42 GAFW php-fpm15340: /vpn_ipsec.php: Gateway, NONE AVAILABLE
Jul 17 15:16:43 GAFW check_reload_status1293: Reloading filter
Jul 17 15:17:00 GAFW sshguard40184: Exiting on signal.
Jul 17 15:17:00 GAFW sshguard42716: Now monitoring attacks.
Jul 17 15:17:00 GAFW vnstatd43687: Traffic rate for "ipsec4" higher than set maximum 1000 Mbit (20s->2673868800, r4280552556 t4280550298, 64bit:0), syncing.
Jul 17 15:17:00 GAFW vnstatd43687: Traffic rate for "ipsec3" higher than set maximum 1000 Mbit (20s->2673868800, r4280550277 t4280550121, 64bit:0), syncing.
Jul 17 15:17:00 GAFW vnstatd43687: Traffic rate for "ipsec2" higher than set maximum 1000 Mbit (20s->2673868800, r4281414545 t4268046909, 64bit:0), syncing.
Jul 17 15:17:00 GAFW php41381: /usr/local/sbin/acbupload.php: End of configuration backup to https://acb.netgate.com/save (success).

Actions #22

Updated by Mike Moore 7 months ago

I started a forum thread and during the discussion I realized the situation is very similar to this Redmine.

https://forum.netgate.com/topic/182231/interface-rename-causes-brief-outage/3?_=1692224596757

In that particular case, I was renaming an interface description, which impacts FRR: neighbors bounce. I didn't touch any IPsec configuration.
I placed my system log files in the forum post for analysis.

Actions #23

Updated by Jim Pingle 6 months ago

  • Plus Target Version changed from 23.09 to 24.01

We are still working on this, but it is going to take more time to untangle than we have for it to make this release.

Actions #24

Updated by Jim Pingle 5 months ago

  • Plus Target Version changed from 24.01 to 24.03
Actions #25

Updated by Mike Moore 4 months ago

Any updates/patches that I can apply to test?
These IPsec changes are impacting client/customer connectivity for me. Adding a new tunnel to my hub/spoke design breaks traffic flows.

Actions #26

Updated by Jim Pingle 6 days ago

  • Has duplicate Bug #15285: Adding interfaces breaks FRR routing over IPsec added
Actions #27

Updated by Jim Pingle 6 days ago

  • Plus Target Version changed from 24.03 to 24.07

No time for this release, hopefully the next.
