Jump to content

Странные разрывы IKEv2 соединения


Recommended Posts

Недавно пришлось перейти к другому VPN провайдеру, потому что старый перестал поддерживать L2TP/IPSec и PPTP соединения, у нового наблюдаю такую ситуацию: устанавливается соединение, например в 01:34, проходит какое-то количество времени, успешно проходит rekey в 04:25, а в 07:16, когда казалось бы должен произойти второй rekey, вместо него вижу в логе:

[I] Nov 15 07:16:38 ipsec: 08[IKE] integrity check failed
[I] Nov 15 07:16:38 ipsec: 08[IKE] CREATE_CHILD_SA request with message ID 0 processing failed
[E] Nov 15 07:16:38 ndm: IpSec::Configurator: IKE message parsing error for crypto map "IKE0".
[W] Nov 15 07:16:38 ndm: IpSec::Configurator: (possibly because of wrong pre-shared key).
[I] Nov 15 07:16:38 ndm: IpSec::CryptoMapInfo: "IKE0": crypto map active IKE SA: 0, active CHILD SA: 0.
[W] Nov 15 07:16:38 ndm: IpSec::Configurator: fallback peer is not defined for crypto map "IKE0", retry.
[I] Nov 15 07:16:38 ndm: IpSec::Configurator: "IKE0": schedule reconnect for crypto map.
[I] Nov 15 07:16:38 ndm: IpSec::Interface::Ike: "IKE0": IPsec layer is down, shutdown.

И соединение разрывается.

Полный кусок лога приведен ниже:

Скрытый текст

[I] Nov 15 01:34:25 ndm: Network::Interface::Tunnel: "IKE0": resolved destination 178.170.146.1 (de1.pointtoserver.com).
[I] Nov 15 01:34:25 ndm: Network::Interface::Ip: "IKE0": IP address cleared.
[I] Nov 15 01:34:25 ndm: Network::Interface::Tunnel: "IKE0": resolved source 93.100.188.xxx.
[I] Nov 15 01:34:25 ndm: Network::Interface::Tunnel: "IKE0": added host route to tunnel destination endpoint 178.170.146.1 via 93.100.176.1.
[I] Nov 15 01:34:25 ndm: IpSec::Interface::Ike: "IKE0": updating client IP secure configuration.
[I] Nov 15 01:34:25 ndm: IpSec::Manager: "IKE0": IP secure connection was added.
[I] Nov 15 01:34:26 ndm: Core::ConfigurationSaver: configuration saved.
[I] Nov 15 01:34:27 ndm: IpSec::Manager: create IPsec reconfiguration transaction...
[I] Nov 15 01:34:27 ndm: IpSec::Manager: "VirtualIPServer": crypto map administratively disabled, skipping.
[I] Nov 15 01:34:27 ndm: IpSec::Manager: add config for crypto map "VPNL2TPServer".
[I] Nov 15 01:34:27 ndm: IpSec::Manager: add config for crypto map "IKE0".
[I] Nov 15 01:34:27 ndm: IpSec::Manager: IPsec reconfiguration transaction was created.
[I] Nov 15 01:34:28 ndm: IpSec::Configurator: start applying IPsec configuration.
[I] Nov 15 01:34:28 ndm: IpSec::Configurator: IPsec configuration applying is done.
[I] Nov 15 01:34:28 ndm: IpSec::Configurator: start reloading IKE keys task.
[I] Nov 15 01:34:28 ipsec: 08[CFG] rereading secrets
[I] Nov 15 01:34:28 ipsec: 08[CFG] loading secrets
[I] Nov 15 01:34:28 ipsec: 08[CFG] loaded IKE secret for %any
[I] Nov 15 01:34:28 ipsec: 08[CFG] loaded IKE secret for @mykeenetic.net
[I] Nov 15 01:34:28 ipsec: 08[CFG] loaded EAP secret for purevpn0sxxxxxx
[I] Nov 15 01:34:28 ipsec: 08[CFG] loaded NTLM secret for xxxxxx
[I] Nov 15 01:34:28 ipsec: 08[CFG] rereading ca certificates from '/tmp/ipsec/ipsec.d/cacerts'
[I] Nov 15 01:34:28 ndm: IpSec::Configurator: reloading IKE keys task done.
[I] Nov 15 01:34:28 ndm: IpSec::Configurator: start reloading IPsec config task.
[I] Nov 15 01:34:28 ipsec: 14[CFG] received stroke: delete connection 'VPNL2TPServer'
[I] Nov 15 01:34:28 ipsec: 14[CFG] deleted connection 'VPNL2TPServer'
[I] Nov 15 01:34:28 ipsec: 00[DMN] signal of type SIGHUP received. Reloading configuration
[I] Nov 15 01:34:28 ipsec: 11[CFG] received stroke: add connection 'VPNL2TPServer'
[I] Nov 15 01:34:28 ipsec: 00[CFG] loaded 0 entries for attr plugin configuration
[I] Nov 15 01:34:28 ipsec: 11[CFG] added configuration 'VPNL2TPServer'
[I] Nov 15 01:34:28 ipsec: 15[CFG] received stroke: add connection 'IKE0'
[I] Nov 15 01:34:28 ipsec: 00[CFG] loaded 1 RADIUS server configuration
[I] Nov 15 01:34:28 ipsec: 15[CFG] added configuration 'IKE0'
[I] Nov 15 01:34:28 ndm: IpSec::IpSecNetfilter: start reloading netfilter configuration...
[I] Nov 15 01:34:28 ndm: IpSec::IpSecNetfilter: netfilter configuration reloading is done.
[I] Nov 15 01:34:28 ndm: IpSec::Configurator: reloading IPsec config task done.
[I] Nov 15 01:34:28 ipsec: 12[CFG] received stroke: initiate 'IKE0'
[I] Nov 15 01:34:28 ndm: IpSec::Configurator: "IKE0": crypto map initialized.
[I] Nov 15 01:34:28 ipsec: 03[IKE] initiating IKE_SA IKE0[13] to 178.170.146.1
[I] Nov 15 01:34:28 ipsec: 10[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
[I] Nov 15 01:34:28 ipsec: 10[IKE] received MS-Negotiation Discovery Capable vendor ID
[I] Nov 15 01:34:28 ipsec: 10[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[I] Nov 15 01:34:28 ipsec: 10[CFG] configured proposals: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[I] Nov 15 01:34:28 ipsec: 10[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[I] Nov 15 01:34:28 ipsec: 10[IKE] faking NAT situation to enforce UDP encapsulation
[I] Nov 15 01:34:28 ipsec: 10[CFG] no IDi configured, fall back on IP address
[I] Nov 15 01:34:28 ipsec: 10[IKE] establishing CHILD_SA IKE0{11}
[I] Nov 15 01:34:29 ipsec: 06[IKE] received end entity cert "CN=*.pointtoserver.com"
[I] Nov 15 01:34:29 ipsec: 06[IKE] received issuer cert "C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA"
[I] Nov 15 01:34:29 ipsec: 06[IKE] received issuer cert "C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority"
[I] Nov 15 01:34:29 ipsec: 06[CFG] using certificate "CN=*.pointtoserver.com"
[I] Nov 15 01:34:29 ipsec: 06[CFG] using untrusted intermediate certificate "C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA"
[I] Nov 15 01:34:29 ipsec: 06[CFG] system time out of sync, skipping certificate lifetime check
[I] Nov 15 01:34:29 ipsec: 06[CFG] using trusted ca certificate "C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority"
[I] Nov 15 01:34:29 ipsec: 06[CFG] system time out of sync, skipping certificate lifetime check
[I] Nov 15 01:34:29 ipsec: 06[CFG] system time out of sync, skipping certificate lifetime check
[I] Nov 15 01:34:29 ipsec: 06[CFG] reached self-signed root ca with a path length of 1
[I] Nov 15 01:34:29 ipsec: 06[IKE] authentication of 'CN=*.pointtoserver.com' with RSA signature successful
[I] Nov 15 01:34:29 ipsec: 06[IKE] server requested EAP_IDENTITY (id 0x00), sending 'purevpn0sxxxxxx'
[I] Nov 15 01:34:29 ipsec: 11[IKE] server requested EAP_MSCHAPV2 authentication (id 0x01)
[I] Nov 15 01:34:29 ipsec: 04[IKE] EAP-MS-CHAPv2 succeeded: '(null)'
[I] Nov 15 01:34:30 ipsec: 15[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
[I] Nov 15 01:34:30 ipsec: 15[IKE] authentication of '93.100.188.xxx' (myself) with EAP
[I] Nov 15 01:34:30 ipsec: 13[IKE] authentication of 'CN=*.pointtoserver.com' with EAP successful
[I] Nov 15 01:34:30 ipsec: 13[IKE] IKE_SA IKE0[13] established between 93.100.188.xxx[93.100.188.xxx]...178.170.146.1[CN=*.pointtoserver.com]
[I] Nov 15 01:34:30 ipsec: 13[IKE] scheduling reauthentication in 28770s
[I] Nov 15 01:34:30 ipsec: 13[IKE] maximum IKE_SA lifetime 28790s
[I] Nov 15 01:34:30 ndm: IpSec::CryptoMapInfo: "IKE0": crypto map active IKE SA: 1, active CHILD SA: 0.
[I] Nov 15 01:34:30 ipsec: 13[IKE] installing new virtual IP 178.170.146.95
[I] Nov 15 01:34:30 ipsec: 13[CFG] received proposals: ESP:AES_CBC=256/HMAC_SHA1_96/NO_EXT_SEQ
[I] Nov 15 01:34:30 ipsec: 13[CFG] configured proposals: ESP:AES_CBC=128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC=256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC=128/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC=256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA2_256_128/NO_EXT_SEQ
[I] Nov 15 01:34:30 ipsec: 13[CFG] selected proposal: ESP:AES_CBC=256/HMAC_SHA1_96/NO_EXT_SEQ
[I] Nov 15 01:34:30 ipsec: 13[IKE] CHILD_SA IKE0{11} established with SPIs c15a04de_i c466b7aa_o and TS 178.170.146.95/32 === 0.0.0.0/0
[W] Nov 15 01:34:30 ndm: IpSec::Configurator: crypto map "IKE0" is up.
[I] Nov 15 01:34:30 ndm: IpSec::CryptoMapInfo: "IKE0": crypto map active IKE SA: 1, active CHILD SA: 1.
[I] Nov 15 01:34:30 ipsec: 08[CFG] rereading aa certificates from '/tmp/ipsec/ipsec.d/aacerts'
[I] Nov 15 01:34:30 ipsec: 08[CFG] rereading ocsp signer certificates from '/tmp/ipsec/ipsec.d/ocspcerts'
[I] Nov 15 01:34:30 ipsec: 08[CFG] rereading attribute certificates from '/tmp/ipsec/ipsec.d/acerts'
[I] Nov 15 01:34:30 ipsec: 08[CFG] rereading crls from '/tmp/ipsec/ipsec.d/crls'
[I] Nov 15 01:34:30 ndm: IpSec::IpSecNetfilter: start reloading netfilter configuration...
[I] Nov 15 01:34:30 ndm: IpSec::Interface::Ike: "IKE0": IPsec client layer is up.
[I] Nov 15 01:34:30 ndm: Network::Interface::Ip: "IKE0": IP address is 178.170.146.95/32.
[I] Nov 15 01:34:30 ndm: IpSec::Interface::Ike: "IKE0": adding nameserver 178.170.146.3.
[I] Nov 15 01:34:30 ndm: Dns::Manager: name server 178.170.146.3 added, domain (default).
[I] Nov 15 01:34:30 ndm: IpSec::Interface::Ike: "IKE0": add route to nameserver 178.170.146.3 via IKE0.
[I] Nov 15 01:34:30 ndm: IpSec::Interface::Ike: "IKE0": interface "IKE0" is global, priority 61481.
[I] Nov 15 01:34:30 ndm: IpSec::Interface::Ike: "IKE0": adding default route via IKE0.
[I] Nov 15 01:34:30 ndm: IpSec::Interface::Ike: "IKE0": secured tunnel is ready.
[I] Nov 15 01:34:30 ndm: IpSec::IpSecNetfilter: netfilter configuration reloading is done.
[I] Nov 15 01:34:30 coalagent: updating configuration...
[I] Nov 15 01:34:31 ndm: Network::InterfaceFlusher: flushed GigabitEthernet1 conntrack and route cache.
[I] Nov 15 01:34:31 ndm: Http::Nginx: loaded SSL certificate for "xxx.keenetic.io".
[I] Nov 15 01:34:31 ndm: Http::Nginx: loaded SSL certificate for "xxx.keenetic.pro".
[I] Nov 15 01:34:31 ndm: Http::Nginx: activated proxy modem.xxx.keenetic.pro to http://192.168.99.1:80.
[I] Nov 15 01:34:32 ndm: Core::Server: started Session /var/run/ndm.core.socket.
[I] Nov 15 01:34:32 ndm: Core::Session: client disconnected.
[I] Nov 15 01:34:32 ndm: Http::Manager: updated configuration.
[I] Nov 15 01:34:32 ndm: Core::Server: started Session /var/run/ndm.core.socket.
[I] Nov 15 01:34:32 ndm: Dns::Manager: deleted record "xxx.keenetic.pro", address 78.47.125.180.
[I] Nov 15 01:34:32 ndm: Dns::Manager: added static record for "xxx.keenetic.pro", address 78.47.125.180.
[I] Nov 15 01:34:32 ndm: Core::Session: client disconnected.
[I] Nov 15 01:34:33 ndm: IpSec::Manager: create IPsec reconfiguration transaction...
[I] Nov 15 01:34:33 ndm: IpSec::Manager: "VirtualIPServer": crypto map administratively disabled, skipping.
[I] Nov 15 01:34:33 ndm: IpSec::Manager: add config for crypto map "VPNL2TPServer".
[I] Nov 15 01:34:33 ndm: IpSec::Manager: add config for crypto map "IKE0".
[I] Nov 15 01:34:33 ndm: IpSec::Manager: IPsec reconfiguration transaction was created.
[I] Nov 15 01:34:33 ndm: IpSec::Configurator: start applying IPsec configuration.
[I] Nov 15 01:34:33 ndm: IpSec::Configurator: IPsec configuration applying is done.
[I] Nov 15 01:34:33 ndm: IpSec::Configurator: start reloading IPsec config task.
[I] Nov 15 01:34:33 ipsec: 11[CFG] received stroke: delete connection 'VPNL2TPServer'
[I] Nov 15 01:34:33 ipsec: 11[CFG] deleted connection 'VPNL2TPServer'
[I] Nov 15 01:34:33 ipsec: 12[CFG] received stroke: delete connection 'IKE0'
[I] Nov 15 01:34:33 ipsec: 12[CFG] deleted connection 'IKE0'
[I] Nov 15 01:34:33 ipsec: 00[DMN] signal of type SIGHUP received. Reloading configuration
[I] Nov 15 01:34:33 ipsec: 13[CFG] received stroke: add connection 'VPNL2TPServer'
[I] Nov 15 01:34:33 ipsec: 00[CFG] loaded 0 entries for attr plugin configuration
[I] Nov 15 01:34:33 ipsec: 00[CFG] loaded 1 RADIUS server configuration
[I] Nov 15 01:34:33 ipsec: 13[CFG] added configuration 'VPNL2TPServer'
[I] Nov 15 01:34:33 ipsec: 08[CFG] received stroke: add connection 'IKE0'
[I] Nov 15 01:34:33 ipsec: 08[CFG] added configuration 'IKE0'
[I] Nov 15 01:34:33 ndm: IpSec::Configurator: reloading IPsec config task done.
[I] Nov 15 01:34:33 ndm: IpSec::IpSecNetfilter: start reloading netfilter configuration...
[I] Nov 15 01:34:33 ndm: IpSec::IpSecNetfilter: netfilter configuration reloading is done.
[I] Nov 15 01:34:38 coalagent: updating configuration...
[I] Nov 15 01:34:48 ndm: Core::System::Clock: system time has been changed.
[I] Nov 15 01:34:48 ndm: Ntp::Client: time synchronized with "time.google.com".
[I] Nov 15 01:54:04 ndm: Netfilter::Util::Conntrack: flushed 1 IPv4 connections for 192.168.1.57.
[I] Nov 15 01:54:16 coalagent: updating configuration...
[I] Nov 15 01:57:46 ndhcpc: GigabitEthernet1: received ACK for 93.100.188.xxx from 93.100.176.1 lease 3600 sec.
[I] Nov 15 02:09:43 ndm: Netfilter::Util::Conntrack: flushed 7 IPv4 connections for 192.168.1.84.
[I] Nov 15 02:10:14 coalagent: updating configuration...
[I] Nov 15 02:27:47 ndhcpc: GigabitEthernet1: received ACK for 93.100.188.xxx from 93.100.176.1 lease 3600 sec.
[I] Nov 15 02:34:48 ndm: Core::System::Clock: system time has been changed.
[I] Nov 15 02:34:48 ndm: Ntp::Client: time synchronized with "time.google.com".
[I] Nov 15 02:57:47 ndhcpc: GigabitEthernet1: received ACK for 93.100.188.xxx from 93.100.176.1 lease 3600 sec.
[I] Nov 15 03:27:47 ndhcpc: GigabitEthernet1: received ACK for 93.100.188.xxx from 93.100.176.1 lease 3600 sec.
[I] Nov 15 03:34:48 ndm: Core::System::Clock: system time has been changed.
[I] Nov 15 03:34:48 ndm: Ntp::Client: time synchronized with "time.google.com".
[I] Nov 15 03:57:47 ndhcpc: GigabitEthernet1: received ACK for 93.100.188.xxx from 93.100.176.1 lease 3600 sec.
[I] Nov 15 04:25:38 ipsec: 13[IKE] 178.170.146.1 is initiating an IKE_SA
[I] Nov 15 04:25:38 ipsec: 13[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC=128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC=192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC=192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC=256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
[I] Nov 15 04:25:38 ipsec: 13[CFG] configured proposals: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[I] Nov 15 04:25:38 ipsec: 13[CFG] selected proposal: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
[I] Nov 15 04:25:39 ipsec: 13[IKE] scheduling reauthentication in 28770s
[I] Nov 15 04:25:39 ipsec: 13[IKE] maximum IKE_SA lifetime 28790s
[I] Nov 15 04:25:39 ipsec: 13[IKE] IKE_SA IKE0[14] rekeyed between 93.100.188.xxx[93.100.188.xxx]...178.170.146.1[CN=*.pointtoserver.com]
[I] Nov 15 04:25:39 ipsec: 13[IKE] rescheduling reauthentication in 18501s after rekeying, lifetime reduced to 18521s
[I] Nov 15 04:25:39 ipsec: 07[IKE] received DELETE for IKE_SA IKE0[13]
[I] Nov 15 04:25:39 ipsec: 07[IKE] deleting IKE_SA IKE0[13] between 93.100.188.xxx[93.100.188.xxx]...178.170.146.1[CN=*.pointtoserver.com]
[I] Nov 15 04:25:39 ipsec: 07[IKE] IKE_SA deleted
[I] Nov 15 04:27:47 ndhcpc: GigabitEthernet1: received ACK for 93.100.188.xxx from 93.100.176.1 lease 3600 sec.
[I] Nov 15 04:34:48 ndm: Core::System::Clock: system time has been changed.
[I] Nov 15 04:34:48 ndm: Ntp::Client: time synchronized with "time.google.com".
[I] Nov 15 04:57:47 ndhcpc: GigabitEthernet1: received ACK for 93.100.188.xxx from 93.100.176.1 lease 3600 sec.
[I] Nov 15 05:27:47 ndhcpc: GigabitEthernet1: received ACK for 93.100.188.xxx from 93.100.176.1 lease 3600 sec.
[I] Nov 15 05:32:22 ndm: Netfilter::Util::Conntrack: flushed 4 IPv4 connections for 192.168.1.84.
[I] Nov 15 05:34:48 ndm: Core::System::Clock: system time has been changed.
[I] Nov 15 05:34:48 ndm: Ntp::Client: time synchronized with "time.google.com".
[I] Nov 15 05:57:47 ndhcpc: GigabitEthernet1: received ACK for 93.100.188.xxx from 93.100.176.1 lease 3600 sec.
[I] Nov 15 06:27:47 ndhcpc: GigabitEthernet1: received ACK for 93.100.188.xxx from 93.100.176.1 lease 3600 sec.
[I] Nov 15 06:34:48 ndm: Core::System::Clock: system time has been changed.
[I] Nov 15 06:34:48 ndm: Ntp::Client: time synchronized with "time.google.com".
[I] Nov 15 06:52:09 ndm: Netfilter::Util::Conntrack: flushed 2 IPv4 connections for 192.168.1.57.
[I] Nov 15 06:52:49 coalagent: updating configuration...
[I] Nov 15 06:57:47 ndhcpc: GigabitEthernet1: received ACK for 93.100.188.xxx from 93.100.176.1 lease 3600 sec.
[I] Nov 15 07:16:38 ipsec: 08[IKE] integrity check failed
[I] Nov 15 07:16:38 ipsec: 08[IKE] CREATE_CHILD_SA request with message ID 0 processing failed
[E] Nov 15 07:16:38 ndm: IpSec::Configurator: IKE message parsing error for crypto map "IKE0".
[W] Nov 15 07:16:38 ndm: IpSec::Configurator: (possibly because of wrong pre-shared key).
[I] Nov 15 07:16:38 ndm: IpSec::CryptoMapInfo: "IKE0": crypto map active IKE SA: 0, active CHILD SA: 0.
[W] Nov 15 07:16:38 ndm: IpSec::Configurator: fallback peer is not defined for crypto map "IKE0", retry.
[I] Nov 15 07:16:38 ndm: IpSec::Configurator: "IKE0": schedule reconnect for crypto map.
[I] Nov 15 07:16:38 ndm: IpSec::Interface::Ike: "IKE0": IPsec layer is down, shutdown.
[I] Nov 15 07:16:38 ndm: Network::Interface::Ip: "IKE0": IP address cleared.
[I] Nov 15 07:16:38 ndm: IpSec::Manager: "IKE0": IP secure connection and keys was deleted.
[I] Nov 15 07:16:38 ndm: Network::InterfaceFlusher: flushed IKE0 conntrack and route cache.
[I] Nov 15 07:16:39 ndm: Http::Nginx: loaded SSL certificate for "xxx.keenetic.io".
[I] Nov 15 07:16:39 ndm: Http::Nginx: loaded SSL certificate for "xxx.keenetic.pro".
[I] Nov 15 07:16:39 ipsec: 10[IKE] integrity check failed
[I] Nov 15 07:16:39 ipsec: 10[IKE] CREATE_CHILD_SA request with message ID 0 processing failed
[I] Nov 15 07:16:39 ndm: Http::Nginx: activated proxy modem.xxx.keenetic.pro to http://192.168.99.1:80.
[E] Nov 15 07:16:39 ndm: IpSec::Configurator: IKE message parsing error for crypto map "IKE0".
[W] Nov 15 07:16:39 ndm: IpSec::Configurator: (possibly because of wrong pre-shared key).
[I] Nov 15 07:16:39 ndm: IpSec::CryptoMapInfo: "IKE0": crypto map active IKE SA: 0, active CHILD SA: 0.
[W] Nov 15 07:16:39 ndm: IpSec::Configurator: fallback peer is not defined for crypto map "IKE0", retry.
[I] Nov 15 07:16:39 ndm: IpSec::Configurator: "IKE0": schedule reconnect for crypto map.
[I] Nov 15 07:16:39 ndm: Core::Server: started Session /var/run/ndm.core.socket.
[I] Nov 15 07:16:39 ndm: Core::Session: client disconnected.
[I] Nov 15 07:16:39 ndm: Http::Manager: updated configuration.
[I] Nov 15 07:16:39 ndm: IpSec::Interface::Ike: "IKE0": IPsec layer is down, shutdown.
[I] Nov 15 07:16:39 ndm: Network::Interface::Ip: "IKE0": IP address cleared.
[I] Nov 15 07:16:39 ndm: Core::Server: started Session /var/run/ndm.core.socket.
[I] Nov 15 07:16:39 ndm: Core::Session: client disconnected.
[I] Nov 15 07:16:40 ipsec: 15[IKE] integrity check failed
[I] Nov 15 07:16:40 ipsec: 15[IKE] CREATE_CHILD_SA request with message ID 0 processing failed
[E] Nov 15 07:16:40 ndm: IpSec::Configurator: IKE message parsing error for crypto map "IKE0".
[W] Nov 15 07:16:40 ndm: IpSec::Configurator: (possibly because of wrong pre-shared key).
[I] Nov 15 07:16:40 ndm: IpSec::CryptoMapInfo: "IKE0": crypto map active IKE SA: 0, active CHILD SA: 0.
[W] Nov 15 07:16:40 ndm: IpSec::Configurator: fallback peer is not defined for crypto map "IKE0", retry.
[I] Nov 15 07:16:40 ndm: IpSec::Interface::Ike: "IKE0": IPsec layer is down, shutdown.
[I] Nov 15 07:16:40 ndm: IpSec::Configurator: "IKE0": schedule reconnect for crypto map.
[I] Nov 15 07:16:40 ndm: Network::Interface::Ip: "IKE0": IP address cleared.
[I] Nov 15 07:16:40 ndm: IpSec::Manager: create IPsec reconfiguration transaction...
[I] Nov 15 07:16:40 ndm: IpSec::Manager: "VirtualIPServer": crypto map administratively disabled, skipping.
[I] Nov 15 07:16:40 ndm: IpSec::Manager: add config for crypto map "VPNL2TPServer".
[I] Nov 15 07:16:40 ndm: IpSec::Manager: IPsec reconfiguration transaction was created.
[I] Nov 15 07:16:40 ndm: IpSec::Configurator: start applying IPsec configuration.
[I] Nov 15 07:16:40 ndm: IpSec::Configurator: IPsec configuration applying is done.
[I] Nov 15 07:16:40 ndm: IpSec::Configurator: start reloading IKE keys task.
[I] Nov 15 07:16:40 ipsec: 04[CFG] rereading secrets
[I] Nov 15 07:16:40 ipsec: 04[CFG] loading secrets
[I] Nov 15 07:16:40 ipsec: 04[CFG] loaded IKE secret for %any
[I] Nov 15 07:16:40 ipsec: 04[CFG] loaded IKE secret for @mykeenetic.net
[I] Nov 15 07:16:40 ipsec: 04[CFG] loaded NTLM secret for xxx
[I] Nov 15 07:16:40 ndm: IpSec::Configurator: reloading IKE keys task done.
[I] Nov 15 07:16:40 ipsec: 04[CFG] rereading ca certificates from '/tmp/ipsec/ipsec.d/cacerts'
[I] Nov 15 07:16:40 ndm: IpSec::Configurator: start reloading IPsec config task.
[I] Nov 15 07:16:40 ipsec: 13[CFG] received stroke: delete connection 'VPNL2TPServer'
[I] Nov 15 07:16:40 ipsec: 13[CFG] deleted connection 'VPNL2TPServer'
[I] Nov 15 07:16:40 ipsec: 07[CFG] received stroke: delete connection 'IKE0'
[I] Nov 15 07:16:40 ipsec: 07[CFG] deleted connection 'IKE0'
[I] Nov 15 07:16:41 ipsec: 00[DMN] signal of type SIGHUP received. Reloading configuration
[I] Nov 15 07:16:41 ipsec: 11[CFG] received stroke: add connection 'VPNL2TPServer'
[I] Nov 15 07:16:41 ipsec: 00[CFG] loaded 0 entries for attr plugin configuration
[I] Nov 15 07:16:41 ipsec: 11[CFG] added configuration 'VPNL2TPServer'
[I] Nov 15 07:16:41 ipsec: 00[CFG] loaded 1 RADIUS server configuration
[I] Nov 15 07:16:41 ndm: IpSec::IpSecNetfilter: start reloading netfilter configuration...
[I] Nov 15 07:16:41 ndm: IpSec::IpSecNetfilter: netfilter configuration reloading is done.
[I] Nov 15 07:16:41 ndm: IpSec::Configurator: reloading IPsec config task done.
[I] Nov 15 07:16:41 ndm: IpSec::Configurator: crypto map "IKE0" shutdown started.
[I] Nov 15 07:16:41 ipsec: 09[CFG] received stroke: unroute 'IKE0'
[I] Nov 15 07:16:41 ipsec: 12[CFG] received stroke: terminate 'IKE0{*}'
[I] Nov 15 07:16:41 ipsec: 03[IKE] closing CHILD_SA IKE0{11} with SPIs c15a04de_i (807197010 bytes) c466b7aa_o (224120198 bytes) and TS 178.170.146.95/32 === 0.0.0.0/0
[I] Nov 15 07:16:41 ipsec: 03[IKE] sending DELETE for ESP CHILD_SA with SPI c15a04de
[I] Nov 15 07:16:41 ipsec: 06[CFG] received stroke: terminate 'IKE0[*]'
[I] Nov 15 07:16:41 ndm: IpSec::Configurator: crypto map "IKE0" shutdown complete.
[I] Nov 15 07:16:43 ipsec: 04[CFG] rereading aa certificates from '/tmp/ipsec/ipsec.d/aacerts'
[I] Nov 15 07:16:43 ipsec: 04[CFG] rereading ocsp signer certificates from '/tmp/ipsec/ipsec.d/ocspcerts'
[I] Nov 15 07:16:43 ipsec: 04[CFG] rereading attribute certificates from '/tmp/ipsec/ipsec.d/acerts'
[I] Nov 15 07:16:43 ipsec: 04[CFG] rereading crls from '/tmp/ipsec/ipsec.d/crls'
[I] Nov 15 07:16:43 ipsec: 13[IKE] integrity check failed
[I] Nov 15 07:16:43 ipsec: 13[IKE] CREATE_CHILD_SA request with message ID 0 processing failed
[I] Nov 15 07:16:43 ndm: IpSec::Interface::Ike: "IKE0": secure tunnel is down: retry to resolve remote endpoint.
[I] Nov 15 07:16:45 ndm: Network::Interface::Tunnel: "IKE0": resolved destination 172.94.13.1 (de1.pointtoserver.com).
[I] Nov 15 07:16:45 ndm: Network::Interface::Ip: "IKE0": IP address cleared.
[I] Nov 15 07:16:45 ndm: Network::Interface::Tunnel: "IKE0": resolved source 93.100.188.xxx.
[I] Nov 15 07:16:46 ndm: Network::Interface::Tunnel: "IKE0": added host route to tunnel destination endpoint 172.94.13.1 via 93.100.176.1.
[I] Nov 15 07:16:46 ndm: IpSec::Manager: "IKE0": IP secure connection was added.
[I] Nov 15 07:16:46 ndm: IpSec::Interface::Ike: "IKE0": updating client IP secure configuration.
[I] Nov 15 07:16:48 ndm: IpSec::Manager: create IPsec reconfiguration transaction...
[I] Nov 15 07:16:48 ndm: IpSec::Manager: "VirtualIPServer": crypto map administratively disabled, skipping.
[I] Nov 15 07:16:48 ndm: IpSec::Manager: add config for crypto map "VPNL2TPServer".
[I] Nov 15 07:16:48 ndm: IpSec::Manager: add config for crypto map "IKE0".
[I] Nov 15 07:16:48 ndm: IpSec::Manager: IPsec reconfiguration transaction was created.
[I] Nov 15 07:16:48 ndm: IpSec::Configurator: start applying IPsec configuration.
[I] Nov 15 07:16:48 ndm: IpSec::Configurator: IPsec configuration applying is done.
[I] Nov 15 07:16:48 ndm: IpSec::Configurator: start reloading IKE keys task.
[I] Nov 15 07:16:48 ipsec: 11[CFG] rereading secrets
[I] Nov 15 07:16:48 ipsec: 11[CFG] loading secrets
[I] Nov 15 07:16:48 ipsec: 11[CFG] loaded IKE secret for %any
[I] Nov 15 07:16:48 ipsec: 11[CFG] loaded IKE secret for @mykeenetic.net
[I] Nov 15 07:16:48 ndm: IpSec::Configurator: reloading IKE keys task done.
[I] Nov 15 07:16:48 ipsec: 11[CFG] loaded EAP secret for purevpn0sxxxxxx
[I] Nov 15 07:16:48 ipsec: 11[CFG] loaded NTLM secret for xxx
[I] Nov 15 07:16:48 ipsec: 11[CFG] rereading ca certificates from '/tmp/ipsec/ipsec.d/cacerts'
[I] Nov 15 07:16:48 ndm: IpSec::Configurator: start reloading IPsec config task.
[I] Nov 15 07:16:48 ipsec: 14[CFG] received stroke: delete connection 'VPNL2TPServer'
[I] Nov 15 07:16:48 ipsec: 14[CFG] deleted connection 'VPNL2TPServer'
[I] Nov 15 07:16:48 ipsec: 00[DMN] signal of type SIGHUP received. Reloading configuration
[I] Nov 15 07:16:48 ipsec: 08[CFG] received stroke: add connection 'VPNL2TPServer'
[I] Nov 15 07:16:48 ipsec: 00[CFG] loaded 0 entries for attr plugin configuration
[I] Nov 15 07:16:48 ipsec: 08[CFG] added configuration 'VPNL2TPServer'
[I] Nov 15 07:16:48 ipsec: 00[CFG] loaded 1 RADIUS server configuration
[I] Nov 15 07:16:48 ipsec: 03[CFG] received stroke: add connection 'IKE0'
[I] Nov 15 07:16:48 ipsec: 03[CFG] added configuration 'IKE0'
[I] Nov 15 07:16:48 ndm: IpSec::IpSecNetfilter: start reloading netfilter configuration...
[I] Nov 15 07:16:48 ndm: IpSec::IpSecNetfilter: netfilter configuration reloading is done.
[I] Nov 15 07:16:48 ndm: IpSec::Configurator: reloading IPsec config task done.
[I] Nov 15 07:16:48 ipsec: 07[CFG] received stroke: initiate 'IKE0'
[I] Nov 15 07:16:48 ndm: IpSec::Configurator: "IKE0": crypto map initialized.
[I] Nov 15 07:16:48 ipsec: 15[IKE] initiating IKE_SA IKE0[15] to 172.94.13.1
[I] Nov 15 07:16:48 ipsec: 08[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
[I] Nov 15 07:16:48 ipsec: 08[IKE] received MS-Negotiation Discovery Capable vendor ID
[I] Nov 15 07:16:48 ipsec: 08[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[I] Nov 15 07:16:48 ipsec: 08[CFG] configured proposals: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[I] Nov 15 07:16:48 ipsec: 08[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[I] Nov 15 07:16:48 ipsec: 08[IKE] faking NAT situation to enforce UDP encapsulation
[I] Nov 15 07:16:48 ipsec: 08[CFG] no IDi configured, fall back on IP address
[I] Nov 15 07:16:48 ipsec: 08[IKE] establishing CHILD_SA IKE0{12}
[I] Nov 15 07:16:49 ipsec: 03[IKE] retransmit 1 of request with message ID 0
[I] Nov 15 07:16:50 ipsec: 11[CFG] rereading aa certificates from '/tmp/ipsec/ipsec.d/aacerts'
[I] Nov 15 07:16:50 ipsec: 11[CFG] rereading ocsp signer certificates from '/tmp/ipsec/ipsec.d/ocspcerts'
[I] Nov 15 07:16:50 ipsec: 11[CFG] rereading attribute certificates from '/tmp/ipsec/ipsec.d/acerts'
[I] Nov 15 07:16:50 ipsec: 11[CFG] rereading crls from '/tmp/ipsec/ipsec.d/crls'
[I] Nov 15 07:16:50 ipsec: 08[IKE] integrity check failed
[I] Nov 15 07:16:50 ipsec: 08[IKE] CREATE_CHILD_SA request with message ID 0 processing failed
[E] Nov 15 07:16:50 ndm: IpSec::Configurator: IKE message parsing error for crypto map "IKE0".
[W] Nov 15 07:16:50 ndm: IpSec::Configurator: (possibly because of wrong pre-shared key).
[I] Nov 15 07:16:50 ndm: IpSec::CryptoMapInfo: "IKE0": crypto map active IKE SA: 0, active CHILD SA: 0.
[W] Nov 15 07:16:50 ndm: IpSec::Configurator: fallback peer is not defined for crypto map "IKE0", retry.
[I] Nov 15 07:16:50 ndm: IpSec::Configurator: "IKE0": schedule reconnect for crypto map.
[I] Nov 15 07:16:50 ndm: IpSec::Interface::Ike: "IKE0": IPsec layer is down, shutdown.
[I] Nov 15 07:16:50 ndm: Network::Interface::Ip: "IKE0": IP address cleared.
[I] Nov 15 07:16:50 ndm: IpSec::Manager: "IKE0": IP secure connection and keys was deleted.
[I] Nov 15 07:16:50 ipsec: 11[IKE] received end entity cert "CN=*.pointtoserver.com"
[I] Nov 15 07:16:50 ipsec: 11[IKE] received issuer cert "C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA"
[I] Nov 15 07:16:50 ipsec: 11[CFG] using certificate "CN=*.pointtoserver.com"
[I] Nov 15 07:16:50 ipsec: 11[CFG] using untrusted intermediate certificate "C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA"
[I] Nov 15 07:16:50 ipsec: 11[CFG] system time out of sync, skipping certificate lifetime check
[I] Nov 15 07:16:50 ipsec: 11[CFG] using trusted ca certificate "C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority"
[I] Nov 15 07:16:50 ipsec: 11[CFG] system time out of sync, skipping certificate lifetime check
[I] Nov 15 07:16:50 ipsec: 11[CFG] system time out of sync, skipping certificate lifetime check
[I] Nov 15 07:16:50 ipsec: 11[CFG] reached self-signed root ca with a path length of 1
[I] Nov 15 07:16:50 ipsec: 11[IKE] authentication of 'CN=*.pointtoserver.com' with RSA signature successful
[I] Nov 15 07:16:50 ipsec: 11[IKE] server requested EAP_IDENTITY (id 0x00), sending 'purevpn0sxxxxxx'
[I] Nov 15 07:16:50 ipsec: 11[IKE] server requested EAP_MSCHAPV2 authentication (id 0x01)
[I] Nov 15 07:16:50 ipsec: 11[IKE] EAP-MS-CHAPv2 succeeded: '(null)'
[I] Nov 15 07:16:51 ipsec: 03[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
[I] Nov 15 07:16:51 ipsec: 03[IKE] authentication of '93.100.188.xxx' (myself) with EAP
[I] Nov 15 07:16:51 ipsec: 14[IKE] authentication of 'CN=*.pointtoserver.com' with EAP successful
[I] Nov 15 07:16:51 ipsec: 14[IKE] IKE_SA IKE0[15] established between 93.100.188.xxx[93.100.188.xxx]...172.94.13.1[CN=*.pointtoserver.com]
[I] Nov 15 07:16:51 ipsec: 14[IKE] scheduling reauthentication in 28768s
[I] Nov 15 07:16:51 ipsec: 14[IKE] maximum IKE_SA lifetime 28788s
[I] Nov 15 07:16:51 ndm: IpSec::CryptoMapInfo: "IKE0": crypto map active IKE SA: 1, active CHILD SA: 0.
[I] Nov 15 07:16:51 ipsec: 14[IKE] installing new virtual IP 172.94.13.59
[I] Nov 15 07:16:51 ipsec: 14[CFG] received proposals: ESP:AES_CBC=256/HMAC_SHA1_96/NO_EXT_SEQ
[I] Nov 15 07:16:51 ipsec: 14[CFG] configured proposals: ESP:AES_CBC=128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC=256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC=128/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC=256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA2_256_128/NO_EXT_SEQ
[I] Nov 15 07:16:51 ipsec: 14[CFG] selected proposal: ESP:AES_CBC=256/HMAC_SHA1_96/NO_EXT_SEQ
[I] Nov 15 07:16:51 ipsec: 14[IKE] CHILD_SA IKE0{12} established with SPIs caf5bd1b_i 93d1e7d4_o and TS 172.94.13.59/32 === 0.0.0.0/0
[W] Nov 15 07:16:51 ndm: IpSec::Configurator: crypto map "IKE0" is up.
[I] Nov 15 07:16:51 ndm: IpSec::Configurator: reconnection for crypto map "IKE0" was cancelled.
[I] Nov 15 07:16:51 ndm: IpSec::CryptoMapInfo: "IKE0": crypto map active IKE SA: 1, active CHILD SA: 1.
[I] Nov 15 07:16:51 ndm: IpSec::Interface::Ike: "IKE0": IPsec client layer is up.
[I] Nov 15 07:16:51 ndm: Network::Interface::Ip: "IKE0": IP address is 172.94.13.59/32.
[I] Nov 15 07:16:51 ndm: IpSec::Interface::Ike: "IKE0": adding nameserver 172.94.13.3.
[I] Nov 15 07:16:51 ndm: Dns::Manager: name server 172.94.13.3 added, domain (default).
[I] Nov 15 07:16:51 ndm: IpSec::Interface::Ike: "IKE0": add route to nameserver 172.94.13.3 via IKE0.
[I] Nov 15 07:16:51 ndm: IpSec::Interface::Ike: "IKE0": interface "IKE0" is global, priority 61481.
[I] Nov 15 07:16:51 ndm: IpSec::Interface::Ike: "IKE0": adding default route via IKE0.
[I] Nov 15 07:16:51 ndm: IpSec::Interface::Ike: "IKE0": secured tunnel is ready.
[I] Nov 15 07:16:51 ndm: IpSec::IpSecNetfilter: start reloading netfilter configuration...
[W] Nov 15 07:16:51 kernel: nikecli0: Local routing loop detected!
[I] Nov 15 07:16:51 ndm: IpSec::IpSecNetfilter: netfilter configuration reloading is done.
[W] Nov 15 07:16:51 kernel: nikecli0: Local routing loop detected!
[I] Nov 15 07:16:52 ndm: Network::InterfaceFlusher: flushed GigabitEthernet1 conntrack and route cache.
[W] Nov 15 07:16:52 kernel: nikecli0: Local routing loop detected!
[I] Nov 15 07:16:52 ndm: Http::Nginx: loaded SSL certificate for "xxx.keenetic.io".
[I] Nov 15 07:16:52 ndm: Http::Nginx: loaded SSL certificate for "xxx.keenetic.pro".
[I] Nov 15 07:16:52 ndm: Http::Nginx: activated proxy modem.xxx.keenetic.pro to http://192.168.99.1:80.
[I] Nov 15 07:16:52 ndm: Core::Server: started Session /var/run/ndm.core.socket.
[I] Nov 15 07:16:52 ndm: Core::Session: client disconnected.
[I] Nov 15 07:16:52 ndm: Http::Manager: updated configuration.
[I] Nov 15 07:16:52 ndm: Core::Server: started Session /var/run/ndm.core.socket.
[I] Nov 15 07:16:52 ndm: Core::Session: client disconnected.
[I] Nov 15 07:16:54 ndm: IpSec::Manager: create IPsec reconfiguration transaction...
[I] Nov 15 07:16:54 ndm: IpSec::Manager: "VirtualIPServer": crypto map administratively disabled, skipping.
[I] Nov 15 07:16:54 ndm: IpSec::Manager: add config for crypto map "VPNL2TPServer".
[I] Nov 15 07:16:54 ndm: IpSec::Manager: IPsec reconfiguration transaction was created.
[I] Nov 15 07:16:54 ndm: IpSec::Configurator: start applying IPsec configuration.
[I] Nov 15 07:16:54 ndm: IpSec::Configurator: IPsec configuration applying is done.
[I] Nov 15 07:16:54 ndm: IpSec::Configurator: start reloading IKE keys task.
[I] Nov 15 07:16:54 ndm: IpSec::Interface::Ike: "IKE0": IPsec layer is down, shutdown.
[I] Nov 15 07:16:54 ipsec: 08[CFG] rereading secrets
[I] Nov 15 07:16:54 ipsec: 08[CFG] loading secrets
[I] Nov 15 07:16:54 ipsec: 08[CFG] loaded IKE secret for %any
[I] Nov 15 07:16:54 ipsec: 08[CFG] loaded IKE secret for @mykeenetic.net
[I] Nov 15 07:16:54 ipsec: 08[CFG] loaded NTLM secret for xxxxxx
[I] Nov 15 07:16:54 ndm: IpSec::Configurator: reloading IKE keys task done.
[I] Nov 15 07:16:54 ipsec: 08[CFG] rereading ca certificates from '/tmp/ipsec/ipsec.d/cacerts'
[I] Nov 15 07:16:54 ndm: Network::Interface::Ip: "IKE0": IP address cleared.
[I] Nov 15 07:16:54 ndm: IpSec::Configurator: start reloading IPsec config task.
[I] Nov 15 07:16:54 ipsec: 11[CFG] received stroke: delete connection 'VPNL2TPServer'
[I] Nov 15 07:16:54 ipsec: 11[CFG] deleted connection 'VPNL2TPServer'
[I] Nov 15 07:16:54 ipsec: 09[CFG] received stroke: delete connection 'IKE0'
[I] Nov 15 07:16:54 ipsec: 09[CFG] deleted connection 'IKE0'
[I] Nov 15 07:16:54 ipsec: 00[DMN] signal of type SIGHUP received. Reloading configuration
[I] Nov 15 07:16:54 ipsec: 13[CFG] received stroke: add connection 'VPNL2TPServer'
[I] Nov 15 07:16:54 ipsec: 00[CFG] loaded 0 entries for attr plugin configuration
[I] Nov 15 07:16:54 ipsec: 00[CFG] loaded 1 RADIUS server configuration
[I] Nov 15 07:16:54 ipsec: 13[CFG] added configuration 'VPNL2TPServer'
[I] Nov 15 07:16:54 ndm: IpSec::IpSecNetfilter: start reloading netfilter configuration...
[I] Nov 15 07:16:54 ndm: IpSec::IpSecNetfilter: netfilter configuration reloading is done.
[I] Nov 15 07:16:54 ndm: IpSec::Configurator: reloading IPsec config task done.
[I] Nov 15 07:16:54 ndm: Network::InterfaceFlusher: flushed IKE0 conntrack and route cache.
[I] Nov 15 07:16:54 ndm: IpSec::Configurator: crypto map "IKE0" shutdown started.
[I] Nov 15 07:16:54 ipsec: 07[CFG] received stroke: unroute 'IKE0'
[I] Nov 15 07:16:54 ipsec: 11[CFG] received stroke: terminate 'IKE0{*}'
[I] Nov 15 07:16:54 ipsec: 04[IKE] closing CHILD_SA IKE0{12} with SPIs caf5bd1b_i (12618 bytes) 93d1e7d4_o (5322 bytes) and TS 172.94.13.59/32 === 0.0.0.0/0
[I] Nov 15 07:16:54 ipsec: 04[IKE] sending DELETE for ESP CHILD_SA with SPI caf5bd1b
[I] Nov 15 07:16:54 ipsec: 09[IKE] received DELETE for ESP CHILD_SA with SPI 93d1e7d4
[I] Nov 15 07:16:54 ipsec: 09[IKE] CHILD_SA closed
[I] Nov 15 07:16:54 ndm: IpSec::Configurator: crypto map "IKE0" shutdown complete.
[I] Nov 15 07:16:55 ndm: IpSec::IpSecNetfilter: start reloading netfilter configuration...
[I] Nov 15 07:16:55 ndm: IpSec::IpSecNetfilter: netfilter configuration reloading is done.
[I] Nov 15 07:16:55 ndm: Http::Nginx: loaded SSL certificate for "xxx.keenetic.io".
[I] Nov 15 07:16:55 ndm: Http::Nginx: loaded SSL certificate for "xxx.keenetic.pro".
[I] Nov 15 07:16:55 ndm: Http::Nginx: activated proxy modem.xxx.keenetic.pro to http://192.168.99.1:80.
[I] Nov 15 07:16:55 ndm: Core::Server: started Session /var/run/ndm.core.socket.
[I] Nov 15 07:16:55 ndm: Core::Session: client disconnected.
[I] Nov 15 07:16:55 ndm: Http::Manager: updated configuration.
[I] Nov 15 07:16:55 ndm: IpSec::Interface::Ike: "IKE0": secure tunnel is down: retry to resolve remote endpoint.
[I] Nov 15 07:16:55 ndm: Core::Server: started Session /var/run/ndm.core.socket.
[I] Nov 15 07:16:55 ipsec: 14[IKE] traffic selectors 0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0 unacceptable
[I] Nov 15 07:16:55 ndm: Core::Session: client disconnected.
[I] Nov 15 07:16:55 ipsec: 14[IKE] failed to establish CHILD_SA, keeping IKE_SA
[I] Nov 15 07:16:56 ndm: IpSec::Manager: create IPsec reconfiguration transaction...
[I] Nov 15 07:16:56 ndm: IpSec::Manager: "VirtualIPServer": crypto map administratively disabled, skipping.
[I] Nov 15 07:16:56 ndm: IpSec::Manager: add config for crypto map "VPNL2TPServer".
[I] Nov 15 07:16:56 ndm: IpSec::Manager: IPsec reconfiguration transaction was created.
[I] Nov 15 07:16:56 ndm: IpSec::Configurator: start applying IPsec configuration.
[I] Nov 15 07:16:56 ndm: IpSec::Configurator: IPsec configuration applying is done.
[I] Nov 15 07:16:56 ndm: IpSec::Configurator: start reloading IPsec config task.
[I] Nov 15 07:16:56 ipsec: 08[CFG] rereading aa certificates from '/tmp/ipsec/ipsec.d/aacerts'
[I] Nov 15 07:16:56 ipsec: 08[CFG] rereading ocsp signer certificates from '/tmp/ipsec/ipsec.d/ocspcerts'
[I] Nov 15 07:16:56 ipsec: 08[CFG] rereading attribute certificates from '/tmp/ipsec/ipsec.d/acerts'
[I] Nov 15 07:16:56 ipsec: 08[CFG] rereading crls from '/tmp/ipsec/ipsec.d/crls'
[I] Nov 15 07:16:56 ipsec: 15[CFG] received stroke: terminate 'IKE0[*]'
[I] Nov 15 07:16:56 ipsec: 14[IKE] deleting IKE_SA IKE0[15] between 93.100.188.xxx[93.100.188.xxx]...172.94.13.1[CN=*.pointtoserver.com]
[I] Nov 15 07:16:56 ipsec: 14[IKE] sending DELETE for IKE_SA IKE0[15]
[I] Nov 15 07:16:56 ipsec: 04[IKE] IKE_SA deleted
[I] Nov 15 07:16:57 ndm: IpSec::Configurator: reloading IPsec config task done.
[I] Nov 15 07:16:57 ndm: IpSec::IpSecNetfilter: start reloading netfilter configuration...
[I] Nov 15 07:16:57 ndm: IpSec::IpSecNetfilter: netfilter configuration reloading is done.
[I] Nov 15 07:16:57 ndm: Network::Interface::Tunnel: "IKE0": resolved destination 172.94.23.1 (de1.pointtoserver.com).
[I] Nov 15 07:16:57 ndm: Network::Interface::Ip: "IKE0": IP address cleared.
[I] Nov 15 07:16:57 ndm: Network::Interface::Tunnel: "IKE0": resolved source 93.100.188.xxx.
[I] Nov 15 07:16:58 ndm: Network::Interface::Tunnel: "IKE0": added host route to tunnel destination endpoint 172.94.23.1 via 93.100.176.1.
[I] Nov 15 07:16:58 ndm: IpSec::Interface::Ike: "IKE0": updating client IP secure configuration.
[I] Nov 15 07:16:58 ndm: IpSec::Manager: "IKE0": IP secure connection was added.
[I] Nov 15 07:16:58 ipsec: 13[IKE] retransmit 2 of request with message ID 0
[I] Nov 15 07:17:00 ndm: IpSec::Manager: create IPsec reconfiguration transaction...
[I] Nov 15 07:17:00 ndm: IpSec::Manager: "VirtualIPServer": crypto map administratively disabled, skipping.
[I] Nov 15 07:17:00 ndm: IpSec::Manager: add config for crypto map "VPNL2TPServer".
[I] Nov 15 07:17:00 ndm: IpSec::Manager: add config for crypto map "IKE0".
[I] Nov 15 07:17:00 ndm: IpSec::Manager: IPsec reconfiguration transaction was created.
[I] Nov 15 07:17:00 ndm: IpSec::Configurator: start applying IPsec configuration.
[I] Nov 15 07:17:00 ndm: IpSec::Configurator: IPsec configuration applying is done.
[I] Nov 15 07:17:00 ndm: IpSec::Configurator: start reloading IKE keys task.
[I] Nov 15 07:17:00 ndm: IpSec::Configurator: reloading IKE keys task done.
[I] Nov 15 07:17:00 ndm: IpSec::Configurator: start reloading IPsec config task.
[I] Nov 15 07:17:00 ndm: IpSec::IpSecNetfilter: start reloading netfilter configuration...
[I] Nov 15 07:17:00 ndm: IpSec::IpSecNetfilter: netfilter configuration reloading is done.
[I] Nov 15 07:17:00 ndm: IpSec::Configurator: reloading IPsec config task done.
[I] Nov 15 07:17:01 ndm: IpSec::Configurator: "IKE0": crypto map initialized.
[I] Nov 15 07:17:04 ipsec: 13[IKE] integrity check failed
[I] Nov 15 07:17:04 ipsec: 13[IKE] CREATE_CHILD_SA request with message ID 0 processing failed
[E] Nov 15 07:17:04 ndm: IpSec::Configurator: IKE message parsing error for crypto map "IKE0".
[W] Nov 15 07:17:04 ndm: IpSec::Configurator: (possibly because of wrong pre-shared key).
[I] Nov 15 07:17:04 ndm: IpSec::CryptoMapInfo: "IKE0": crypto map active IKE SA: 0, active CHILD SA: 0.
[W] Nov 15 07:17:04 ndm: IpSec::Configurator: fallback peer is not defined for crypto map "IKE0", retry.
[I] Nov 15 07:17:04 ndm: IpSec::Interface::Ike: "IKE0": IPsec layer is down, shutdown.
[I] Nov 15 07:17:04 ndm: IpSec::Configurator: "IKE0": schedule reconnect for crypto map.
[I] Nov 15 07:17:04 ndm: Network::Interface::Ip: "IKE0": IP address cleared.
[I] Nov 15 07:17:04 ndm: IpSec::Manager: "IKE0": IP secure connection and keys was deleted.
[I] Nov 15 07:17:06 ndm: IpSec::Manager: create IPsec reconfiguration transaction...
[I] Nov 15 07:17:06 ndm: IpSec::Manager: "VirtualIPServer": crypto map administratively disabled, skipping.
[I] Nov 15 07:17:06 ndm: IpSec::Manager: add config for crypto map "VPNL2TPServer".
[I] Nov 15 07:17:06 ndm: IpSec::Manager: IPsec reconfiguration transaction was created.
[I] Nov 15 07:17:06 ndm: IpSec::Configurator: start applying IPsec configuration.
[I] Nov 15 07:17:06 ndm: IpSec::Configurator: IPsec configuration applying is done.
[I] Nov 15 07:17:06 ndm: IpSec::Configurator: start reloading IKE keys task.
[I] Nov 15 07:17:06 ndm: IpSec::Configurator: reloading IKE keys task done.
[I] Nov 15 07:17:06 ndm: IpSec::Configurator: start reloading IPsec config task.
[I] Nov 15 07:17:06 ndm: IpSec::IpSecNetfilter: start reloading netfilter configuration...
[I] Nov 15 07:17:06 ndm: IpSec::IpSecNetfilter: netfilter configuration reloading is done.
[I] Nov 15 07:17:07 ndm: IpSec::Configurator: reloading IPsec config task done.
[I] Nov 15 07:17:07 ndm: IpSec::Configurator: crypto map "IKE0" shutdown started.
[I] Nov 15 07:17:07 ndm: IpSec::Configurator: crypto map "IKE0" shutdown complete.
[I] Nov 15 07:17:08 ipsec: 03[IKE] retransmit 3 of request with message ID 0
[I] Nov 15 07:17:09 ndm: IpSec::Interface::Ike: "IKE0": secure tunnel is down: retry to resolve remote endpoint.
[I] Nov 15 07:17:11 ndm: Network::Interface::Tunnel: "IKE0": resolved destination 172.94.24.1 (de1.pointtoserver.com).
[I] Nov 15 07:17:11 ndm: Network::Interface::Ip: "IKE0": IP address cleared.
[I] Nov 15 07:17:11 ndm: Network::Interface::Tunnel: "IKE0": resolved source 93.100.188.xxx.
[I] Nov 15 07:17:11 ndm: Network::Interface::Tunnel: "IKE0": added host route to tunnel destination endpoint 172.94.24.1 via 93.100.176.1.
[I] Nov 15 07:17:11 ndm: IpSec::Manager: "IKE0": IP secure connection was added.
[I] Nov 15 07:17:11 ndm: IpSec::Interface::Ike: "IKE0": updating client IP secure configuration.
[I] Nov 15 07:17:13 ndm: IpSec::Manager: create IPsec reconfiguration transaction...
[I] Nov 15 07:17:13 ndm: IpSec::Manager: "VirtualIPServer": crypto map administratively disabled, skipping.
[I] Nov 15 07:17:13 ndm: IpSec::Manager: add config for crypto map "VPNL2TPServer".
[I] Nov 15 07:17:13 ndm: IpSec::Manager: add config for crypto map "IKE0".
[I] Nov 15 07:17:13 ndm: IpSec::Manager: IPsec reconfiguration transaction was created.
[I] Nov 15 07:17:13 ndm: IpSec::Configurator: start applying IPsec configuration.
[I] Nov 15 07:17:13 ndm: IpSec::Configurator: IPsec configuration applying is done.
[I] Nov 15 07:17:13 ndm: IpSec::Configurator: start reloading IKE keys task.
[I] Nov 15 07:17:13 ndm: IpSec::Configurator: reloading IKE keys task done.
[I] Nov 15 07:17:13 ndm: IpSec::Configurator: start reloading IPsec config task.
[I] Nov 15 07:17:13 ndm: IpSec::IpSecNetfilter: start reloading netfilter configuration...
[I] Nov 15 07:17:13 ndm: IpSec::IpSecNetfilter: netfilter configuration reloading is done.
[I] Nov 15 07:17:14 ndm: IpSec::Configurator: reloading IPsec config task done.
[I] Nov 15 07:17:14 ndm: IpSec::Configurator: "IKE0": crypto map initialized.
[I] Nov 15 07:17:18 ipsec: 04[IKE] retransmit 4 of request with message ID 0
[I] Nov 15 07:17:29 ndm: Dns::Manager: deleted record "xxx.keenetic.pro", address 78.47.125.180.
[I] Nov 15 07:17:29 ndm: Dns::Manager: added static record for "xxx.keenetic.pro", address 78.47.125.180.
[I] Nov 15 07:17:30 ipsec: 14[IKE] retransmit 5 of request with message ID 0
[I] Nov 15 07:17:32 ipsec: 14[IKE] integrity check failed
[I] Nov 15 07:17:32 ipsec: 14[IKE] CREATE_CHILD_SA request with message ID 0 processing failed
[E] Nov 15 07:17:32 ndm: IpSec::Configurator: IKE message parsing error for crypto map "IKE0".
[W] Nov 15 07:17:32 ndm: IpSec::Configurator: (possibly because of wrong pre-shared key).
[I] Nov 15 07:17:32 ndm: IpSec::CryptoMapInfo: "IKE0": crypto map active IKE SA: 0, active CHILD SA: 0.
[W] Nov 15 07:17:32 ndm: IpSec::Configurator: fallback peer is not defined for crypto map "IKE0", retry.
[I] Nov 15 07:17:32 ndm: IpSec::Interface::Ike: "IKE0": IPsec layer is down, shutdown.
[I] Nov 15 07:17:32 ndm: IpSec::Configurator: "IKE0": schedule reconnect for crypto map.
[I] Nov 15 07:17:32 ndm: Network::Interface::Ip: "IKE0": IP address cleared.
[I] Nov 15 07:17:32 ndm: IpSec::Manager: "IKE0": IP secure connection and keys was deleted.
[I] Nov 15 07:17:34 ndm: IpSec::Manager: create IPsec reconfiguration transaction...
[I] Nov 15 07:17:34 ndm: IpSec::Manager: "VirtualIPServer": crypto map administratively disabled, skipping.
[I] Nov 15 07:17:34 ndm: IpSec::Manager: add config for crypto map "VPNL2TPServer".
[I] Nov 15 07:17:34 ndm: IpSec::Manager: IPsec reconfiguration transaction was created.
[I] Nov 15 07:17:34 ndm: IpSec::Configurator: start applying IPsec configuration.
[I] Nov 15 07:17:34 ndm: IpSec::Configurator: IPsec configuration applying is done.
[I] Nov 15 07:17:34 ndm: IpSec::Configurator: start reloading IKE keys task.
[I] Nov 15 07:17:34 ndm: IpSec::Configurator: reloading IKE keys task done.
[I] Nov 15 07:17:34 ndm: IpSec::Configurator: start reloading IPsec config task.
[I] Nov 15 07:17:34 ndm: IpSec::IpSecNetfilter: start reloading netfilter configuration...
[I] Nov 15 07:17:34 ndm: IpSec::IpSecNetfilter: netfilter configuration reloading is done.
[I] Nov 15 07:17:35 ndm: IpSec::Configurator: reloading IPsec config task done.
[I] Nov 15 07:17:35 ndm: IpSec::Configurator: crypto map "IKE0" shutdown started.
[C] Nov 15 07:17:36 ndm: IpSec::Configurator: system failed [0xcffd00a5].
[C] Nov 15 07:17:36 ndm: IpSec::Configurator: system failed [0xcffd00aa], code = -1.
[C] Nov 15 07:17:36 ndm: IpSec::Configurator: system failed [0xcffd00a5].
[C] Nov 15 07:17:36 ndm: IpSec::Configurator: system failed [0xcffd00aa], code = -1.
[I] Nov 15 07:17:36 ndm: IpSec::Configurator: crypto map "IKE0" shutdown complete.
[I] Nov 15 07:17:37 ndm: IpSec::Interface::Ike: "IKE0": secure tunnel is down: retry to resolve remote endpoint.
[I] Nov 15 07:17:39 ndm: Network::Interface::Tunnel: "IKE0": resolved destination 172.94.23.1 (de1.pointtoserver.com).
[I] Nov 15 07:17:39 ndm: Network::Interface::Ip: "IKE0": IP address cleared.
[I] Nov 15 07:17:39 ndm: Network::Interface::Tunnel: "IKE0": resolved source 93.100.188.xxx.
[I] Nov 15 07:17:40 ndm: Network::Interface::Tunnel: "IKE0": added host route to tunnel destination endpoint 172.94.23.1 via 93.100.176.1.
[I] Nov 15 07:17:40 ndm: IpSec::Interface::Ike: "IKE0": updating client IP secure configuration.
[I] Nov 15 07:17:40 ndm: IpSec::Manager: "IKE0": IP secure connection was added.
[I] Nov 15 07:17:42 ndm: IpSec::Manager: create IPsec reconfiguration transaction...
[I] Nov 15 07:17:42 ndm: IpSec::Manager: "VirtualIPServer": crypto map administratively disabled, skipping.
[I] Nov 15 07:17:42 ndm: IpSec::Manager: add config for crypto map "VPNL2TPServer".
[I] Nov 15 07:17:42 ndm: IpSec::Manager: add config for crypto map "IKE0".
[I] Nov 15 07:17:42 ndm: IpSec::Manager: IPsec reconfiguration transaction was created.
[I] Nov 15 07:17:42 ndm: IpSec::Configurator: start applying IPsec configuration.
[I] Nov 15 07:17:42 ndm: IpSec::Configurator: IPsec configuration applying is done.
[I] Nov 15 07:17:42 ndm: IpSec::Configurator: start reloading IKE keys task.
[C] Nov 15 07:17:43 ndm: IpSec::Configurator: system failed [0xcffd00a5].
[C] Nov 15 07:17:43 ndm: IpSec::Configurator: system failed [0xcffd00aa], code = -1.
[I] Nov 15 07:17:43 ndm: IpSec::Configurator: reloading IKE keys task done.
[I] Nov 15 07:17:43 ndm: IpSec::IpSecNetfilter: start reloading netfilter configuration...
[I] Nov 15 07:17:43 ndm: IpSec::Configurator: start reloading IPsec config task.
[I] Nov 15 07:17:43 ndm: IpSec::IpSecNetfilter: netfilter configuration reloading is done.
[I] Nov 15 07:17:43 ipsec: 10[IKE] retransmit 6 of request with message ID 0
[I] Nov 15 07:17:43 ndm: IpSec::Configurator: reloading IPsec config task done.
[C] Nov 15 07:17:44 ndm: IpSec::Configurator: system failed [0xcffd00a5].
[C] Nov 15 07:17:44 ndm: IpSec::Configurator: system failed [0xcffd00aa], code = -1.
[C] Nov 15 07:17:44 ndm: IpSec::Configurator: "IKE0": system failed [0xcffd05b3].
[I] Nov 15 07:17:44 ndm: IpSec::Configurator: "IKE0": crypto map initialized.
[I] Nov 15 07:17:57 ipsec: 09[IKE] retransmit 7 of request with message ID 0
[I] Nov 15 07:18:13 ipsec: 09[IKE] retransmit 8 of request with message ID 0
[I] Nov 15 07:18:29 ipsec: 07[IKE] integrity check failed
[I] Nov 15 07:18:29 ipsec: 07[IKE] CREATE_CHILD_SA request with message ID 0 processing failed
[E] Nov 15 07:18:29 ndm: IpSec::Configurator: IKE message parsing error for crypto map "IKE0".
[W] Nov 15 07:18:29 ndm: IpSec::Configurator: (possibly because of wrong pre-shared key).
[I] Nov 15 07:18:29 ndm: IpSec::CryptoMapInfo: "IKE0": crypto map active IKE SA: 0, active CHILD SA: 0.
[W] Nov 15 07:18:29 ndm: IpSec::Configurator: fallback peer is not defined for crypto map "IKE0", retry.
[I] Nov 15 07:18:29 ndm: IpSec::Configurator: "IKE0": schedule reconnect for crypto map.
[I] Nov 15 07:18:29 ndm: IpSec::Interface::Ike: "IKE0": IPsec layer is down, shutdown.
[I] Nov 15 07:18:29 ndm: Network::Interface::Ip: "IKE0": IP address cleared.
[I] Nov 15 07:18:29 ndm: IpSec::Manager: "IKE0": IP secure connection and keys was deleted.
[I] Nov 15 07:18:30 ipsec: 09[IKE] giving up after 8 retransmits
[E] Nov 15 07:18:30 ndm: IpSec::Configurator: remote peer of crypto map "IKE0" is down.
[I] Nov 15 07:18:30 ndm: IpSec::CryptoMapInfo: "IKE0": crypto map active IKE SA: 0, active CHILD SA: 0.
[W] Nov 15 07:18:30 ndm: IpSec::Configurator: fallback peer is not defined for crypto map "IKE0", retry.
[I] Nov 15 07:18:30 ndm: IpSec::Interface::Ike: "IKE0": IPsec layer is down, shutdown.
[I] Nov 15 07:18:30 ndm: IpSec::Configurator: "IKE0": schedule reconnect for crypto map.
[I] Nov 15 07:18:30 ndm: Network::Interface::Ip: "IKE0": IP address cleared.
[I] Nov 15 07:18:30 ipsec: 09[IKE] installing new virtual IP 178.170.146.95
[I] Nov 15 07:18:30 ipsec: 09[IKE] restarting CHILD_SA IKE0
[I] Nov 15 07:18:30 ipsec: 09[IKE] initiating IKE_SA IKE0[16] to 178.170.146.1
[I] Nov 15 07:18:30 ndm: IpSec::CryptoMapInfo: "IKE0": crypto map active IKE SA: 0, active CHILD SA: 0.
[I] Nov 15 07:18:30 ndm: IpSec::CryptoMapInfo: "IKE0": crypto map active IKE SA: 0, active CHILD SA: 0.
[I] Nov 15 07:18:30 ipsec: 04[CFG] received stroke: delete connection 'VPNL2TPServer'
[I] Nov 15 07:18:30 ipsec: 14[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
[I] Nov 15 07:18:30 ipsec: 14[IKE] received MS-Negotiation Discovery Capable vendor ID
[I] Nov 15 07:18:30 ipsec: 11[CFG] rereading secrets
[I] Nov 15 07:18:30 ipsec: 10[CFG] received stroke: initiate 'IKE0'
[I] Nov 15 07:18:30 ipsec: 15[CFG] rereading secrets
[I] Nov 15 07:18:30 ipsec: 04[CFG] deleted connection 'VPNL2TPServer'
[I] Nov 15 07:18:30 ipsec: 15[CFG] loading secrets
[I] Nov 15 07:18:30 ipsec: 15[CFG] loaded IKE secret for %any
[I] Nov 15 07:18:30 ipsec: 15[CFG] loaded IKE secret for @mykeenetic.net
[I] Nov 15 07:18:30 ipsec: 15[CFG] loaded EAP secret for purevpn0sxxxxxx
[I] Nov 15 07:18:30 ipsec: 15[CFG] loaded NTLM secret for xxxxxx
[I] Nov 15 07:18:30 ipsec: 15[CFG] rereading ca certificates from '/tmp/ipsec/ipsec.d/cacerts'
[I] Nov 15 07:18:30 ipsec: 11[CFG] loading secrets
[I] Nov 15 07:18:30 ipsec: 00[DMN] signal of type SIGHUP received. Reloading configuration
[I] Nov 15 07:18:30 ipsec: 11[CFG] loaded IKE secret for %any
[I] Nov 15 07:18:30 ipsec: 14[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[I] Nov 15 07:18:30 ipsec: 11[CFG] loaded IKE secret for @mykeenetic.net
[I] Nov 15 07:18:30 ipsec: 11[CFG] loaded EAP secret for purevpn0sxxxxxx
[I] Nov 15 07:18:30 ipsec: 11[CFG] loaded NTLM secret for xxxxxx
[I] Nov 15 07:18:30 ipsec: 10[CFG] no config named 'IKE0'
[I] Nov 15 07:18:30 ipsec: 11[CFG] rereading ca certificates from '/tmp/ipsec/ipsec.d/cacerts'
[I] Nov 15 07:18:30 ipsec: 12[CFG] received stroke: terminate 'IKE0{*}'
[I] Nov 15 07:18:30 ipsec: 13[CFG] received stroke: unroute 'IKE0'
[I] Nov 15 07:18:30 ipsec: 08[CFG] received stroke: terminate 'IKE0[*]'
[I] Nov 15 07:18:30 ipsec: 14[CFG] configured proposals: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[I] Nov 15 07:18:30 ipsec: 14[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[I] Nov 15 07:18:30 ipsec: 00[CFG] loaded 0 entries for attr plugin configuration
[I] Nov 15 07:18:30 ipsec: 00[CFG] loaded 1 RADIUS server configuration
[I] Nov 15 07:18:30 ndm: IpSec::CryptoMapInfo: "IKE0": crypto map active IKE SA: 0, active CHILD SA: 0.
[I] Nov 15 07:18:30 ndm: IpSec::IpSecNetfilter: start reloading netfilter configuration...
[I] Nov 15 07:18:30 ndm: IpSec::IpSecNetfilter: netfilter configuration reloading is done.
[I] Nov 15 07:18:30 ndm: IpSec::CryptoMapInfo: "IKE0": crypto map active IKE SA: 0, active CHILD SA: 0.
[I] Nov 15 07:18:30 ipsec: 14[IKE] faking NAT situation to enforce UDP encapsulation
[I] Nov 15 07:18:30 ipsec: 14[CFG] no IDi configured, fall back on IP address
[I] Nov 15 07:18:30 ipsec: 14[IKE] establishing CHILD_SA IKE0{13} reqid 9
[I] Nov 15 07:18:30 ipsec: 12[CFG] no CHILD_SA named 'IKE0' found
[I] Nov 15 07:18:30 ipsec: 13[IKE] destroying IKE_SA in state CONNECTING without notification
[I] Nov 15 07:18:30 ipsec: 07[CFG] rereading secrets
[I] Nov 15 07:18:30 ipsec: 07[CFG] loading secrets
[I] Nov 15 07:18:30 ipsec: 07[CFG] loaded IKE secret for %any
[I] Nov 15 07:18:30 ipsec: 07[CFG] loaded IKE secret for @mykeenetic.net
[I] Nov 15 07:18:30 ipsec: 07[CFG] loaded EAP secret for purevpn0sxxxxxx
[I] Nov 15 07:18:30 ipsec: 07[CFG] loaded NTLM secret for xxx
[I] Nov 15 07:18:30 ipsec: 07[CFG] rereading ca certificates from '/tmp/ipsec/ipsec.d/cacerts'
[I] Nov 15 07:18:30 ipsec: 04[CFG] received stroke: initiate 'IKE0'
[I] Nov 15 07:18:30 ipsec: 04[CFG] no config named 'IKE0'
[I] Nov 15 07:18:30 ipsec: 09[CFG] rereading secrets
[I] Nov 15 07:18:30 ipsec: 09[CFG] loading secrets
[I] Nov 15 07:18:30 ipsec: 09[CFG] loaded IKE secret for %any
[I] Nov 15 07:18:30 ipsec: 09[CFG] loaded IKE secret for @mykeenetic.net
[I] Nov 15 07:18:30 ipsec: 09[CFG] loaded EAP secret for purevpn0sxxxxxx
[I] Nov 15 07:18:30 ipsec: 09[CFG] loaded NTLM secret for xxxxxx
[I] Nov 15 07:18:30 ipsec: 09[CFG] rereading ca certificates from '/tmp/ipsec/ipsec.d/cacerts'
[I] Nov 15 07:18:31 ndm: IpSec::Manager: create IPsec reconfiguration transaction...
[I] Nov 15 07:18:31 ndm: IpSec::Manager: "VirtualIPServer": crypto map administratively disabled, skipping.
[I] Nov 15 07:18:31 ndm: IpSec::Manager: add config for crypto map "VPNL2TPServer".
[I] Nov 15 07:18:31 ndm: IpSec::Manager: IPsec reconfiguration transaction was created.
[I] Nov 15 07:18:31 ndm: IpSec::Configurator: start applying IPsec configuration.
[I] Nov 15 07:18:31 ndm: IpSec::Configurator: IPsec configuration applying is done.
[I] Nov 15 07:18:31 ndm: IpSec::Configurator: start reloading IKE keys task.
[I] Nov 15 07:18:31 ndm: IpSec::Configurator: reloading IKE keys task done.
[I] Nov 15 07:18:31 ndm: IpSec::Configurator: start reloading IPsec config task.
[I] Nov 15 07:18:32 ndm: IpSec::IpSecNetfilter: start reloading netfilter configuration...
[I] Nov 15 07:18:32 ndm: IpSec::IpSecNetfilter: netfilter configuration reloading is done.
[I] Nov 15 07:18:32 ndm: IpSec::Configurator: reloading IPsec config task done.
[I] Nov 15 07:18:32 ndm: IpSec::Configurator: crypto map "IKE0" shutdown started.
[I] Nov 15 07:18:32 ndm: IpSec::Configurator: crypto map "IKE0" shutdown complete.
[I] Nov 15 07:18:33 ipsec: 15[CFG] rereading aa certificates from '/tmp/ipsec/ipsec.d/aacerts'
[I] Nov 15 07:18:33 ipsec: 15[CFG] rereading ocsp signer certificates from '/tmp/ipsec/ipsec.d/ocspcerts'
[I] Nov 15 07:18:33 ipsec: 15[CFG] rereading attribute certificates from '/tmp/ipsec/ipsec.d/acerts'
[I] Nov 15 07:18:33 ipsec: 15[CFG] rereading crls from '/tmp/ipsec/ipsec.d/crls'
[I] Nov 15 07:18:33 ipsec: 08[CFG] received stroke: unroute 'IKE0'
[I] Nov 15 07:18:33 ipsec: 04[CFG] received stroke: add connection 'VPNL2TPServer'
[I] Nov 15 07:18:33 ipsec: 04[CFG] added configuration 'VPNL2TPServer'
[I] Nov 15 07:18:33 ipsec: 03[CFG] rereading secrets
[I] Nov 15 07:18:33 ipsec: 03[CFG] loading secrets
[I] Nov 15 07:18:33 ipsec: 03[CFG] loaded IKE secret for %any
[I] Nov 15 07:18:33 ipsec: 03[CFG] loaded IKE secret for @mykeenetic.net
[I] Nov 15 07:18:33 ipsec: 03[CFG] loaded NTLM secret for xxxxxx
[I] Nov 15 07:18:33 ipsec: 03[CFG] rereading ca certificates from '/tmp/ipsec/ipsec.d/cacerts'
[I] Nov 15 07:18:33 ipsec: 11[CFG] rereading aa certificates from '/tmp/ipsec/ipsec.d/aacerts'
[I] Nov 15 07:18:33 ipsec: 11[CFG] rereading ocsp signer certificates from '/tmp/ipsec/ipsec.d/ocspcerts'
[I] Nov 15 07:18:33 ipsec: 11[CFG] rereading attribute certificates from '/tmp/ipsec/ipsec.d/acerts'
[I] Nov 15 07:18:33 ipsec: 11[CFG] rereading crls from '/tmp/ipsec/ipsec.d/crls'
[I] Nov 15 07:18:33 ipsec: 13[CFG] received stroke: unroute 'IKE0'
[I] Nov 15 07:18:33 ipsec: 06[CFG] received stroke: terminate 'IKE0{*}'
[I] Nov 15 07:18:33 ipsec: 06[CFG] no CHILD_SA named 'IKE0' found
[I] Nov 15 07:18:33 ipsec: 08[CFG] received stroke: terminate 'IKE0[*]'
[I] Nov 15 07:18:33 ipsec: 08[CFG] no IKE_SA named 'IKE0' found
[I] Nov 15 07:18:33 ipsec: 04[CFG] received stroke: add connection 'IKE0'
[I] Nov 15 07:18:33 ipsec: 04[CFG] added configuration 'IKE0'
[I] Nov 15 07:18:33 ipsec: 12[CFG] received stroke: delete connection 'VPNL2TPServer'
[I] Nov 15 07:18:33 ipsec: 12[CFG] deleted connection 'VPNL2TPServer'
[I] Nov 15 07:18:33 ipsec: 15[CFG] received stroke: delete connection 'IKE0'
[I] Nov 15 07:18:33 ipsec: 15[CFG] deleted connection 'IKE0'
[I] Nov 15 07:18:33 ipsec: 00[DMN] signal of type SIGHUP received. Reloading configuration
[I] Nov 15 07:18:33 ipsec: 10[CFG] received stroke: add connection 'VPNL2TPServer'
[I] Nov 15 07:18:33 ipsec: 10[CFG] added configuration 'VPNL2TPServer'
[I] Nov 15 07:18:33 ipsec: 00[CFG] loaded 0 entries for attr plugin configuration
[I] Nov 15 07:18:33 ipsec: 00[CFG] loaded 1 RADIUS server configuration
[I] Nov 15 07:18:33 ipsec: 09[CFG] rereading aa certificates from '/tmp/ipsec/ipsec.d/aacerts'
[I] Nov 15 07:18:33 ipsec: 09[CFG] rereading ocsp signer certificates from '/tmp/ipsec/ipsec.d/ocspcerts'
[I] Nov 15 07:18:33 ipsec: 09[CFG] rereading attribute certificates from '/tmp/ipsec/ipsec.d/acerts'
[I] Nov 15 07:18:33 ipsec: 09[CFG] rereading crls from '/tmp/ipsec/ipsec.d/crls'
[I] Nov 15 07:18:33 ipsec: 07[CFG] rereading aa certificates from '/tmp/ipsec/ipsec.d/aacerts'
[I] Nov 15 07:18:33 ipsec: 07[CFG] rereading ocsp signer certificates from '/tmp/ipsec/ipsec.d/ocspcerts'
[I] Nov 15 07:18:33 ipsec: 07[CFG] rereading attribute certificates from '/tmp/ipsec/ipsec.d/acerts'
[I] Nov 15 07:18:33 ipsec: 07[CFG] rereading crls from '/tmp/ipsec/ipsec.d/crls'
[I] Nov 15 07:18:34 ndm: IpSec::Interface::Ike: "IKE0": secure tunnel is down: retry to resolve remote endpoint.
[I] Nov 15 07:18:35 ipsec: 03[CFG] rereading aa certificates from '/tmp/ipsec/ipsec.d/aacerts'
[I] Nov 15 07:18:35 ipsec: 03[CFG] rereading ocsp signer certificates from '/tmp/ipsec/ipsec.d/ocspcerts'
[I] Nov 15 07:18:35 ipsec: 03[CFG] rereading attribute certificates from '/tmp/ipsec/ipsec.d/acerts'
[I] Nov 15 07:18:35 ipsec: 03[CFG] rereading crls from '/tmp/ipsec/ipsec.d/crls'
[I] Nov 15 07:18:36 ndm: Network::Interface::Tunnel: "IKE0": resolved destination 172.94.13.1 (de1.pointtoserver.com).
[I] Nov 15 07:18:36 ndm: Network::Interface::Ip: "IKE0": IP address cleared.
[I] Nov 15 07:18:36 ndm: Network::Interface::Tunnel: "IKE0": resolved source 93.100.188.xxx.
[I] Nov 15 07:18:36 ndm: Network::Interface::Tunnel: "IKE0": added host route to tunnel destination endpoint 172.94.13.1 via 93.100.176.1.
[I] Nov 15 07:18:36 ndm: IpSec::Manager: "IKE0": IP secure connection was added.
[I] Nov 15 07:18:36 ndm: IpSec::Interface::Ike: "IKE0": updating client IP secure configuration.
[I] Nov 15 07:18:38 ndm: IpSec::Manager: create IPsec reconfiguration transaction...
[I] Nov 15 07:18:38 ndm: IpSec::Manager: "VirtualIPServer": crypto map administratively disabled, skipping.
[I] Nov 15 07:18:38 ndm: IpSec::Manager: add config for crypto map "VPNL2TPServer".
[I] Nov 15 07:18:38 ndm: IpSec::Manager: add config for crypto map "IKE0".
[I] Nov 15 07:18:38 ndm: IpSec::Manager: IPsec reconfiguration transaction was created.
[I] Nov 15 07:18:38 ndm: IpSec::Configurator: start applying IPsec configuration. xxxxxx

 

Селфтест с этими событиями приложен сообщением ниже. Это можно как-то починить с моей стороны? Роутер Ultra II, прошивка 3.5.2.

PS Есть заявка в техподдержке 517114

Edited by Dale
Link to comment
Share on other sites

  • 2 weeks later...

Решение проблемы в моем случае оказалось таким: после ручной установки времени жизни ключей через interface IKE0 ipsec proposal lifetime меньше, чем фактически используемый сервером интервал, клиентом инициируется процедура rekey и она проходит штатно, без разрывов соединения такого рода, как описаны в шапке. Кто был виновником проблемы - клиент или сервер, установить не удалось. Единственный баг, который очень хотелось бы, чтобы пофиксили разработчики ( @Le ecureuil, это возможно?) - сбрасывается время соединения, хотя фактически оно не разрывалось, а происходил rekey по инициативе клиента (при прохождении процедуры rekey по инициативе сервера время не сбрасывается, все работает штатно).

 

  • Thanks 1
Link to comment
Share on other sites

2 часа назад, Dale сказал:

Решение проблемы в моем случае оказалось таким: после ручной установки времени жизни ключей через interface IKE0 ipsec proposal lifetime меньше, чем фактически используемый сервером интервал, клиентом инициируется процедура rekey и она проходит штатно, без разрывов соединения такого рода, как описаны в шапке. Кто был виновником проблемы - клиент или сервер, установить не удалось. Единственный баг, который очень хотелось бы, чтобы пофиксили разработчики ( @Le ecureuil, это возможно?) - сбрасывается время соединения, хотя фактически оно не разрывалось, а происходил rekey по инициативе клиента (при прохождении процедуры rekey по инициативе сервера время не сбрасывается, все работает штатно).

 

Отлично, принято.

Link to comment
Share on other sites

  • 1 year later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...