IPsec tunnel to Android device not created even though there is an IKE SA
- by Quentin Swain
I'm trying to configure a VPN tunnel between an Android device running 4.1 and a Fedora 17 Linux box running strongSwan 5.0. The device reports that it is connected and strongSwan statusall returns that there is an IKE SA, but doesn't display a tunnel. I used the instructions for iOS in the wiki to generate certificates and configure strongSwan. Since Android uses a modified version of racoon this should work and since the connection is partly established I think I am on the right track. I don't see any errors about not being able to create the tunnel.
This is the configuration for the strongSwan connection
conn android2
keyexchange=ikev1
authby=xauthrsasig
xauth=server
left=96.244.142.28
leftsubnet=0.0.0.0/0
leftfirewall=yes
leftcert=serverCert.pem
right=%any
rightsubnet=10.0.0.0/24
rightsourceip=10.0.0.2
rightcert=clientCert.pem
ike=aes256-sha1-modp1024
auto=add
This is the output of strongswan statusall
Status of IKE charon daemon (strongSwan 5.0.0, Linux 3.3.4-5.fc17.x86_64, x86_64):
uptime: 20 minutes, since Oct 31 10:27:31 2012
malloc: sbrk 270336, mmap 0, used 198144, free 72192
worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 7
loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
Virtual IP pools (size/online/offline):
android-hybrid: 1/0/0
android2: 1/1/0
Listening IP addresses:
96.244.142.28
Connections:
android-hybrid: %any...%any IKEv1
android-hybrid: local: [C=CH, O=strongSwan, CN=vpn.strongswan.org] uses public key authentication
android-hybrid: cert: "C=CH, O=strongSwan, CN=vpn.strongswan.org"
android-hybrid: remote: [%any] uses XAuth authentication: any
android-hybrid: child: dynamic === dynamic TUNNEL
android2: 96.244.142.28...%any IKEv1
android2: local: [C=CH, O=strongSwan, CN=vpn.strongswan.org] uses public key authentication
android2: cert: "C=CH, O=strongSwan, CN=vpn.strongswan.org"
android2: remote: [C=CH, O=strongSwan, CN=client] uses public key authentication
android2: cert: "C=CH, O=strongSwan, CN=client"
android2: remote: [%any] uses XAuth authentication: any
android2: child: 0.0.0.0/0 === 10.0.0.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
android2[3]: ESTABLISHED 10 seconds ago, 96.244.142.28[C=CH, O=strongSwan, CN=vpn.strongswan.org]...208.54.35.241[C=CH, O=strongSwan, CN=client]
android2[3]: Remote XAuth identity: android
android2[3]: IKEv1 SPIs: 4151e371ad46b20d_i 59a56390d74792d2_r*, public key reauthentication in 56 minutes
android2[3]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
The output of ip -s xfrm policy
src ::/0 dst ::/0 uid 0
socket in action allow index 3851 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2012-10-31 13:29:08 use -
src ::/0 dst ::/0 uid 0
socket out action allow index 3844 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2012-10-31 13:29:08 use -
src ::/0 dst ::/0 uid 0
socket in action allow index 3835 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2012-10-31 13:29:08 use -
src ::/0 dst ::/0 uid 0
socket out action allow index 3828 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2012-10-31 13:29:08 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket in action allow index 3819 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2012-10-31 13:29:08 use 2012-10-31 13:29:39
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket out action allow index 3812 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2012-10-31 13:29:08 use 2012-10-31 13:29:22
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket in action allow index 3803 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2012-10-31 13:29:08 use 2012-10-31 13:29:20
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket out action allow index 3796 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2012-10-31 13:29:08 use 2012-10-31 13:29:20
So a xfrm policy isn't being created for the connection, even though there is an SA between device and strongswan. Executing ip -s xfrm policy on the android device results in the following output:
src 0.0.0.0/0 dst 10.0.0.2/32 uid 0
dir in action allow index 40 priority 2147483648 share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2012-10-31 13:42:08 use -
tmpl src 96.244.142.28 dst 25.239.33.30
proto esp spi 0x00000000(0) reqid 0(0x00000000) mode tunnel
level required share any
enc-mask 00000000 auth-mask 00000000 comp-mask 00000000
src 10.0.0.2/32 dst 0.0.0.0/0 uid 0
dir out action allow index 33 priority 2147483648 share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2012-10-31 13:42:08 use -
tmpl src 25.239.33.30 dst 96.244.142.28
proto esp spi 0x00000000(0) reqid 0(0x00000000) mode tunnel
level required share any
enc-mask 00000000 auth-mask 00000000 comp-mask 00000000
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
dir 4 action allow index 28 priority 0 share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2012-10-31 13:42:04 use 2012-10-31 13:42:08
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
dir 3 action allow index 19 priority 0 share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2012-10-31 13:42:04 use 2012-10-31 13:42:08
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
dir 4 action allow index 12 priority 0 share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2012-10-31 13:42:04 use 2012-10-31 13:42:06
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
dir 3 action allow index 3 priority 0 share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2012-10-31 13:42:04 use 2012-10-31 13:42:07
Logs from charon:
00[DMN] Starting IKE charon daemon (strongSwan 5.0.0, Linux 3.3.4-5.fc17.x86_64, x86_64)
00[KNL] listening on interfaces:
00[KNL] em1
00[KNL] 96.244.142.28
00[KNL] fe80::224:e8ff:fed2:18b2
00[CFG] loading ca certificates from '/etc/strongswan/ipsec.d/cacerts'
00[CFG] loaded ca certificate "C=CH, O=strongSwan, CN=strongSwan CA" from '/etc/strongswan/ipsec.d/cacerts/caCert.pem'
00[CFG] loading aa certificates from '/etc/strongswan/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/strongswan/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/strongswan/ipsec.d/acerts'
00[CFG] loading crls from '/etc/strongswan/ipsec.d/crls'
00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
00[CFG] loaded RSA private key from '/etc/strongswan/ipsec.d/private/clientKey.pem'
00[CFG] loaded IKE secret for %any
00[CFG] loaded EAP secret for android
00[CFG] loaded EAP secret for android
00[DMN] loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
08[NET] waiting for data on sockets
16[LIB] created thread 16 [15338]
16[JOB] started worker thread 16
11[CFG] received stroke: add connection 'android-hybrid'
11[CFG] conn android-hybrid
11[CFG] left=%any
11[CFG] leftsubnet=(null)
11[CFG] leftsourceip=(null)
11[CFG] leftauth=pubkey
11[CFG] leftauth2=(null)
11[CFG] leftid=(null)
11[CFG] leftid2=(null)
11[CFG] leftrsakey=(null)
11[CFG] leftcert=serverCert.pem
11[CFG] leftcert2=(null)
11[CFG] leftca=(null)
11[CFG] leftca2=(null)
11[CFG] leftgroups=(null)
11[CFG] leftupdown=ipsec _updown iptables
11[CFG] right=%any
11[CFG] rightsubnet=(null)
11[CFG] rightsourceip=96.244.142.3
11[CFG] rightauth=xauth
11[CFG] rightauth2=(null)
11[CFG] rightid=%any
11[CFG] rightid2=(null)
11[CFG] rightrsakey=(null)
11[CFG] rightcert=(null)
11[CFG] rightcert2=(null)
11[CFG] rightca=(null)
11[CFG] rightca2=(null)
11[CFG] rightgroups=(null)
11[CFG] rightupdown=(null)
11[CFG] eap_identity=(null)
11[CFG] aaa_identity=(null)
11[CFG] xauth_identity=(null)
11[CFG] ike=aes256-sha1-modp1024
11[CFG] esp=aes128-sha1-modp2048,3des-sha1-modp1536
11[CFG] dpddelay=30
11[CFG] dpdtimeout=150
11[CFG] dpdaction=0
11[CFG] closeaction=0
11[CFG] mediation=no
11[CFG] mediated_by=(null)
11[CFG] me_peerid=(null)
11[CFG] keyexchange=ikev1
11[KNL] getting interface name for %any
11[KNL] %any is not a local address
11[KNL] getting interface name for %any
11[KNL] %any is not a local address
11[CFG] left nor right host is our side, assuming left=local
11[CFG] loaded certificate "C=CH, O=strongSwan, CN=vpn.strongswan.org" from 'serverCert.pem'
11[CFG] id '%any' not confirmed by certificate, defaulting to 'C=CH, O=strongSwan, CN=vpn.strongswan.org'
11[CFG] added configuration 'android-hybrid'
11[CFG] adding virtual IP address pool 'android-hybrid': 96.244.142.3/32
13[CFG] received stroke: add connection 'android2'
13[CFG] conn android2
13[CFG] left=96.244.142.28
13[CFG] leftsubnet=0.0.0.0/0
13[CFG] leftsourceip=(null)
13[CFG] leftauth=pubkey
13[CFG] leftauth2=(null)
13[CFG] leftid=(null)
13[CFG] leftid2=(null)
13[CFG] leftrsakey=(null)
13[CFG] leftcert=serverCert.pem
13[CFG] leftcert2=(null)
13[CFG] leftca=(null)
13[CFG] leftca2=(null)
13[CFG] leftgroups=(null)
13[CFG] leftupdown=ipsec _updown iptables
13[CFG] right=%any
13[CFG] rightsubnet=10.0.0.0/24
13[CFG] rightsourceip=10.0.0.2
13[CFG] rightauth=pubkey
13[CFG] rightauth2=xauth
13[CFG] rightid=(null)
13[CFG] rightid2=(null)
13[CFG] rightrsakey=(null)
13[CFG] rightcert=clientCert.pem
13[CFG] rightcert2=(null)
13[CFG] rightca=(null)
13[CFG] rightca2=(null)
13[CFG] rightgroups=(null)
13[CFG] rightupdown=(null)
13[CFG] eap_identity=(null)
13[CFG] aaa_identity=(null)
13[CFG] xauth_identity=(null)
13[CFG] ike=aes256-sha1-modp1024
13[CFG] esp=aes128-sha1-modp2048,3des-sha1-modp1536
13[CFG] dpddelay=30
13[CFG] dpdtimeout=150
13[CFG] dpdaction=0
13[CFG] closeaction=0
13[CFG] mediation=no
13[CFG] mediated_by=(null)
13[CFG] me_peerid=(null)
13[CFG] keyexchange=ikev0
13[KNL] getting interface name for %any
13[KNL] %any is not a local address
13[KNL] getting interface name for 96.244.142.28
13[KNL] 96.244.142.28 is on interface em1
13[CFG] loaded certificate "C=CH, O=strongSwan, CN=vpn.strongswan.org" from 'serverCert.pem'
13[CFG] id '96.244.142.28' not confirmed by certificate, defaulting to 'C=CH, O=strongSwan, CN=vpn.strongswan.org'
13[CFG] loaded certificate "C=CH, O=strongSwan, CN=client" from 'clientCert.pem'
13[CFG] id '%any' not confirmed by certificate, defaulting to 'C=CH, O=strongSwan, CN=client'
13[CFG] added configuration 'android2'
13[CFG] adding virtual IP address pool 'android2': 10.0.0.2/32
08[NET] received packet: from 208.54.35.241[32235] to 96.244.142.28[500]
15[CFG] looking for an ike config for 96.244.142.28...208.54.35.241
15[CFG] candidate: %any...%any, prio 2
15[CFG] candidate: 96.244.142.28...%any, prio 5
15[CFG] found matching ike config: 96.244.142.28...%any with prio 5
01[JOB] next event in 29s 999ms, waiting
15[IKE] received NAT-T (RFC 3947) vendor ID
15[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
15[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
15[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
15[IKE] received XAuth vendor ID
15[IKE] received Cisco Unity vendor ID
15[IKE] received DPD vendor ID
15[IKE] 208.54.35.241 is initiating a Main Mode IKE_SA
15[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
15[CFG] selecting proposal:
15[CFG] proposal matches
15[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
15[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/HMAC_MD5_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160
15[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
15[NET] sending packet: from 96.244.142.28[500] to 208.54.35.241[32235]
04[NET] sending packet: from 96.244.142.28[500] to 208.54.35.241[32235]
15[MGR] checkin IKE_SA (unnamed)[1]
15[MGR] check-in of IKE_SA successful.
08[NET] received packet: from 208.54.35.241[32235] to 96.244.142.28[500]
08[NET] waiting for data on sockets
07[MGR] checkout IKE_SA by message
07[MGR] IKE_SA (unnamed)[1] successfully checked out
07[NET] received packet: from 208.54.35.241[32235] to 96.244.142.28[500]
07[LIB] size of DH secret exponent: 1023 bits
07[IKE] remote host is behind NAT
07[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan CA"
07[ENC] generating NAT_D_V1 payload finished
07[NET] sending packet: from 96.244.142.28[500] to 208.54.35.241[32235]
07[MGR] checkin IKE_SA (unnamed)[1]
07[MGR] check-in of IKE_SA successful.
04[NET] sending packet: from 96.244.142.28[500] to 208.54.35.241[32235]
08[NET] received packet: from 208.54.35.241[35595] to 96.244.142.28[4500]
10[IKE] ignoring certificate request without data
10[IKE] received end entity cert "C=CH, O=strongSwan, CN=client"
10[CFG] looking for XAuthInitRSA peer configs matching 96.244.142.28...208.54.35.241[C=CH, O=strongSwan, CN=client]
10[CFG] candidate "android-hybrid", match: 1/1/2/2 (me/other/ike/version)
10[CFG] candidate "android2", match: 1/20/5/1 (me/other/ike/version)
10[CFG] selected peer config "android2"
10[CFG] certificate "C=CH, O=strongSwan, CN=client" key: 2048 bit RSA
10[CFG] using trusted ca certificate "C=CH, O=strongSwan, CN=strongSwan CA"
10[CFG] checking certificate status of "C=CH, O=strongSwan, CN=client"
10[CFG] ocsp check skipped, no ocsp found
10[CFG] certificate status is not available
10[CFG] certificate "C=CH, O=strongSwan, CN=strongSwan CA" key: 2048 bit RSA
10[CFG] reached self-signed root ca with a path length of 0
10[CFG] using trusted certificate "C=CH, O=strongSwan, CN=client"
10[IKE] authentication of 'C=CH, O=strongSwan, CN=client' with RSA successful
10[ENC] added payload of type ID_V1 to message
10[ENC] added payload of type SIGNATURE_V1 to message
10[IKE] authentication of 'C=CH, O=strongSwan, CN=vpn.strongswan.org' (myself) successful
10[IKE] queueing XAUTH task
10[IKE] sending end entity cert "C=CH, O=strongSwan, CN=vpn.strongswan.org"
10[NET] sending packet: from 96.244.142.28[4500] to 208.54.35.241[35595]
04[NET] sending packet: from 96.244.142.28[4500] to 208.54.35.241[35595]
10[IKE] activating new tasks
10[IKE] activating XAUTH task
10[NET] sending packet: from 96.244.142.28[4500] to 208.54.35.241[35595]
04[NET] sending packet: from 96.244.142.28[4500] to 208.54.35.241[35595]
01[JOB] next event in 3s 999ms, waiting
10[MGR] checkin IKE_SA android2[1]
10[MGR] check-in of IKE_SA successful.
08[NET] received packet: from 208.54.35.241[35595] to 96.244.142.28[4500]
08[NET] waiting for data on sockets
12[MGR] checkout IKE_SA by message
12[MGR] IKE_SA android2[1] successfully checked out
12[NET] received packet: from 208.54.35.241[35595] to 96.244.142.28[4500]
12[MGR] checkin IKE_SA android2[1]
12[MGR] check-in of IKE_SA successful.
08[NET] received packet: from 208.54.35.241[35595] to 96.244.142.28[4500]
16[MGR] checkout IKE_SA by message
16[MGR] IKE_SA android2[1] successfully checked out
16[NET] received packet: from 208.54.35.241[35595] to 96.244.142.28[4500]
08[NET] waiting for data on sockets
16[IKE] XAuth authentication of 'android' successful
16[IKE] reinitiating already active tasks
16[IKE] XAUTH task
16[NET] sending packet: from 96.244.142.28[4500] to 208.54.35.241[35595]
04[NET] sending packet: from 96.244.142.28[4500] to 208.54.35.241[35595]
16[MGR] checkin IKE_SA android2[1]
01[JOB] next event in 3s 907ms, waiting
16[MGR] check-in of IKE_SA successful.
08[NET] received packet: from 208.54.35.241[35595] to 96.244.142.28[4500]
09[MGR] checkout IKE_SA by message
09[MGR] IKE_SA android2[1] successfully checked out
09[NET] received packet: from 208.54.35.241[35595] to 96.244.142.28[4500] .8rS
09[IKE] IKE_SA android2[1] established between 96.244.142.28[C=CH, O=strongSwan, CN=vpn.strongswan.org]...208.54.35.241[C=CH, O=strongSwan, CN=client]
09[IKE] IKE_SA android2[1] state change: CONNECTING => ESTABLISHED
09[IKE] scheduling reauthentication in 3409s
09[IKE] maximum IKE_SA lifetime 3589s
09[IKE] activating new tasks
09[IKE] nothing to initiate
09[MGR] checkin IKE_SA android2[1]
09[MGR] check-in of IKE_SA successful.
09[MGR] checkout IKE_SA
09[MGR] IKE_SA android2[1] successfully checked out
09[MGR] checkin IKE_SA android2[1]
09[MGR] check-in of IKE_SA successful.
01[JOB] next event in 3s 854ms, waiting
08[NET] waiting for data on sockets
08[NET] received packet: from 208.54.35.241[35595] to 96.244.142.28[4500]
14[MGR] checkout IKE_SA by message
14[MGR] IKE_SA android2[1] successfully checked out
14[NET] received packet: from 208.54.35.241[35595] to 96.244.142.28[4500]
14[IKE] processing INTERNAL_IP4_ADDRESS attribute
14[IKE] processing INTERNAL_IP4_NETMASK attribute
14[IKE] processing INTERNAL_IP4_DNS attribute
14[IKE] processing INTERNAL_IP4_NBNS attribute
14[IKE] processing UNITY_BANNER attribute
14[IKE] processing UNITY_DEF_DOMAIN attribute
14[IKE] processing UNITY_SPLITDNS_NAME attribute
14[IKE] processing UNITY_SPLIT_INCLUDE attribute
14[IKE] processing UNITY_LOCAL_LAN attribute
14[IKE] processing APPLICATION_VERSION attribute
14[IKE] peer requested virtual IP %any
14[CFG] assigning new lease to 'android'
14[IKE] assigning virtual IP 10.0.0.2 to peer 'android'
14[NET] sending packet: from 96.244.142.28[4500] to 208.54.35.241[35595]
14[MGR] checkin IKE_SA android2[1]
14[MGR] check-in of IKE_SA successful.
04[NET] sending packet: from 96.244.142.28[4500] to 208.54.35.241[35595]
08[NET] waiting for data on sockets
01[JOB] got event, queuing job for execution
01[JOB] next event in 91ms, waiting
13[MGR] checkout IKE_SA
13[MGR] IKE_SA android2[1] successfully checked out
13[MGR] checkin IKE_SA android2[1]
13[MGR] check-in of IKE_SA successful.
01[JOB] got event, queuing job for execution
01[JOB] next event in 24s 136ms, waiting
15[MGR] checkout IKE_SA
15[MGR] IKE_SA android2[1] successfully checked out
15[MGR] checkin IKE_SA android2[1]
15[MGR] check-in of IKE_SA successful.
