# StrongSwan Configure Site-to-Site tunnel



## thein (Jan 2, 2017)

Has anybody got strongSwan configured for a site-to-site certificate-based VPN tunnel?
I use FreeBSD 11.0 with strongSwan 5.4.


----------



## obsigna (Jan 2, 2017)

thein said:


> Has anybody got strongSwan configured for a site-to-site certificate-based VPN tunnel?
> I use FreeBSD 11.0 with strongSwan 5.4.


I have installed the latest security/strongswan v5.5.1 from the ports on all of my FreeBSD machines, and I use this to establish IPsec-IKEv2 VPN tunnels between the respective sites.

Some of my machines are behind NAT, and I built custom kernels with the added IPSEC_NAT_T option. I name the machine which is listening for connections the VPN service, and those machines which start the connections are named the VPN clients. I know that this terminology is somewhat arbitrary, and you may give your machines and certificates different names. You may want to replace the dummy domain names ???.example.com with your respective domain names.

For setting up and deploying the certificates, I followed the procedure from the following message on the strongSwan users mailing list: https://lists.strongswan.org/pipermail/users/2014-September/006698.html

In addition to certificate deployment, for each VPN Service and VPN Client, two configuration files need to be set up:

_On the VPN Service machine_

/usr/local/etc/ipsec.conf:

```
conn IKEv2-Tunnel
   keyexchange = ikev2
   mobike = no

   leftcert = ipsec-service-cert.pem
   leftid = @service.example.com
   left = %defaultroute
   leftsubnet = 192.168.1.0/24

   rightcert = ipsec-clients-cert.pem
   rightid = %any
   right = %any
   rightsubnet = 192.168.2.0/24

   auto = add
```
/usr/local/etc/ipsec.secrets:

```
: RSA ipsec-service-key.pem
```

_On the VPN Client machines_

/usr/local/etc/ipsec.conf:

```
conn IKEv2-Tunnel
   keyexchange = ikev2
   mobike = no

   leftcert = ipsec-clients-cert.pem
   leftid = client-X@example.com
   leftsubnet = 192.168.2.0/24

   rightcert = ipsec-service-cert.pem
   rightid = @service.example.com
   right = service.example.com
   rightsubnet = 192.168.1.0/24

   auto = start
```
/usr/local/etc/ipsec.secrets:

```
: RSA ipsec-clients-key.pem
```


----------



## gkontos (Jan 3, 2017)

thein said:


> CMD=ipsec statusall
> Security Associations (0 up, 0 connecting)


How To Ask Questions The Smart Way


----------



## thein (Jan 3, 2017)

I get it.


```
hostname="service.c.com"

#External Network
ifconfig_ue0="inet 10.0.0.1 netmask 255.0.0.0"

#Internal Network
ifconfig_ue1="inet 192.168.1.1 netmask 255.255.255.0"

#IP Forwarding
gateway_enable="YES"

#Default Gateway
defaultrouter="10.0.0.2"

#Static Route
static_routes="vpn"
route_vpn="-net 192.168.2.0/24 10.0.0.2"

#IP Security
strongswan_enable="YES"

#Packet Filter
pf_enable="YES"
pf_rules="/usr/local/etc/racoon/filter.conf"
pflog_enable="YES"

sshd_enable="NO"

powerd_enable="YES"

# Nice if you have a network, else annoying.
#ntpd_enable="YES"
ntpd_sync_on_start="YES"

# Uncomment to disable common services (more memory)
#cron_enable="NO"
#syslogd_enable="NO"
sendmail_enable="NONE"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
# On first boot, enlarge the root filesystem to fill the SD card
growfs_enable="YES"
```


```
config setup

conn %default
    ikelifetime = 60m
    keylife = 20m
    rekeymargin = 3m
    keyingtries = 1
    keyexchange = ikev2
    esp = aes256-sha256-modp4096
    ike = aes256-sha512-modp4096
    mobike = no

conn IKEv2-Tunnel
    leftcert = ipsec-service-cert.pem
    leftid = @service.c.com
    left = %defaultroute
    leftsubnet = 192.168.1.0/24

    rightcert = ipsec-clients-cert.pem
    rightid = %any
    right = %any
    rightsubnet = 192.168.2.0/24

    auto = add
```


```
: RSA ipsec-service-key.pem
```


```
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}

include strongswan.d/*.conf
```


```
hostname="clients.c.com"

#External Network
ifconfig_ue0="inet 10.0.0.2 netmask 255.0.0.0"

#Internal Network
ifconfig_ue1="inet 192.168.2.2 netmask 255.255.255.0"

#IP Forwarding
gateway_enable="YES"

#Default Gateway
defaultrouter="10.0.0.1"

#Static Route
static_routes="vpn"
route_vpn="-net 192.168.1.0/24 10.0.0.1"

#IP Security
strongswan_enable="YES"

#Packet Filter
pf_enable="YES"
pf_rules="/usr/local/etc/racoon/filter.conf"
pflog_enable="YES"

sshd_enable="NO"

powerd_enable="YES"

# Nice if you have a network, else annoying.
#ntpd_enable="YES"
ntpd_sync_on_start="YES"

# Uncomment to disable common services (more memory)
#cron_enable="NO"
#syslogd_enable="NO"
sendmail_enable="NONE"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
# On first boot, enlarge the root filesystem to fill the SD card
growfs_enable="YES"
```


```
config setup

conn %default
    ikelifetime = 60m
    keylife = 20m
    rekeymargin = 3m
    keyingtries = 1
    keyexchange = ikev2
    esp = aes256-sha256-modp4096
    ike = aes256-sha512-modp4096
    mobike = no

conn IKEv2-Tunnel
    leftcert = ipsec-clients-cert.pem
    leftid = clients@c.com
    leftsubnet = 192.168.2.0/24

    rightcert = ipsec-service-cert.pem
    rightid = @service.c.com
    right = service.c.com
    rightsubnet = 192.168.1.0/24

    auto = start
```


```
: RSA ipsec-clients-key.pem
```


```
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}

include strongswan.d/*.conf
```

I used the certificate-making commands obsigna posted.

For setting up the CA and the certificates, I used the PKI tools that came together with strongSwan. Here comes the list of commands without comments (use man if you are in doubt). Note, *on FreeBSD, the $PREFIX is /usr/local*, and I don't know where Ubuntu stores everything, perhaps you need to correct some cert locations.

As user root do:

```
mkdir ~/ipsec-certs
cd ~/ipsec-certs

pki --gen --outform pem > ipsec-ca-key.pem
pki --self --outform pem --in ipsec-ca-key.pem --digest sha256 --ca --dn "C=DE, O=Example, CN=example.com CA" > ipsec-ca-cert.pem

pki --gen --outform pem > ipsec-service-key.pem
pki --pub --in ipsec-service-key.pem | pki --issue --outform pem --digest sha256 --cacert ipsec-ca-cert.pem --cakey ipsec-ca-key.pem --flag serverAuth --flag ikeIntermediate --san example.com --dn "C=DE, O=Example, CN=example.com" > ipsec-service-cert.pem

pki --gen --outform pem > ipsec-clients-key.pem
pki --pub --in ipsec-clients-key.pem | pki --issue --outform pem --digest sha256 --cacert ipsec-ca-cert.pem --cakey ipsec-ca-key.pem --san ipsec-clients.example.com --dn "C=DE, O=Example, CN=ipsec-clients.example.com" > ipsec-clients-cert.pem

cp ipsec-ca-cert.pem /usr/local/etc/ipsec.d/cacerts/ipsec-ca-cert.pem
cp ipsec-service-key.pem /usr/local/etc/ipsec.d/private/ipsec-service-key.pem
cp ipsec-clients-key.pem /usr/local/etc/ipsec.d/private/ipsec-clients-key.pem
cp ipsec-service-cert.pem /usr/local/etc/ipsec.d/certs/ipsec-service-cert.pem
cp ipsec-clients-cert.pem /usr/local/etc/ipsec.d/certs/ipsec-clients-cert.pem

openssl pkcs12 -export -out ipsec-clients.p12 -inkey ipsec-clients-key.pem -in ipsec-clients-cert.pem -certfile ipsec-ca-cert.pem
```

IMPORTANT: *The CN value of the ipsec-service-cert.pem MUST be the exact DNS resolvable domain of your IPsec server!!!*
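Two of the slips in the files above, a mistyped key (keyintries) and a wrong defaults section name ($default), are easy to miss by eye, as are mismatched ids, subnets or certificate names between the two sides. The following is an added cross-checker, not code from this thread or from strongSwan, that parses a service and a client ipsec.conf and reports such problems; the sample configs, the KNOWN_KEYS subset and the function names are constructed for the example.

```python
# Constructed sample files modelled on the ipsec.conf pairs posted in this thread
# (not copied from any system); the client file carries the "$default" and "keyintries" slips.
SERVICE_CONF = """\
conn %default
    keyingtries = 1
    keyexchange = ikev2

conn IKEv2-Tunnel
    leftcert = ipsec-service-cert.pem
    leftid = @service.c.com
    leftsubnet = 192.168.1.0/24
    rightcert = ipsec-clients-cert.pem
    rightid = %any
    rightsubnet = 192.168.2.0/24
"""
CLIENT_CONF = """\
conn $default
    keyintries = 1
    keyexchange = ikev2

conn IKEv2-Tunnel
    leftcert = ipsec-clients-cert.pem
    leftid = clients@c.com
    leftsubnet = 192.168.2.0/24
    rightcert = ipsec-service-cert.pem
    rightid = @service.c.com
    rightsubnet = 192.168.1.0/24
"""
# Assumption: the subset of conn keywords used in this thread is enough for the check.
KNOWN_KEYS = {"keyexchange", "mobike", "ikelifetime", "keylife", "rekeymargin",
              "keyingtries", "esp", "ike", "auto", "left", "leftcert", "leftid",
              "leftsubnet", "right", "rightcert", "rightid", "rightsubnet"}

def parse_conns(text):
    """Map each 'conn' section name to its key/value settings (comments stripped)."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                 # unindented: section header
            kind, _, name = line.strip().partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None:                 # indented: key = value
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return conns

def check_pair(service_text, client_text, conn="IKEv2-Tunnel"):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    svc, cli = parse_conns(service_text), parse_conns(client_text)
    for role, conns in (("service", svc), ("client", cli)):
        for name, kv in conns.items():
            if name.startswith("$"):              # only %default is the defaults section
                findings.append(f"{role}: section '{name}' should be '%default'")
            findings += [f"{role}: unknown key '{k}' in conn {name}" for k in kv if k not in KNOWN_KEYS]
    s, c = svc.get(conn, {}), cli.get(conn, {})
    # The identity the client expects (rightid) must be the one the service presents (leftid).
    if c.get("rightid") != s.get("leftid"):
        findings.append(f"{conn}: client rightid {c.get('rightid')!r} != service leftid {s.get('leftid')!r}")
    # Traffic selectors and certificate files must be mirrored between the two sides.
    for lk, rk in (("leftsubnet", "rightsubnet"), ("leftcert", "rightcert")):
        if s.get(lk) != c.get(rk) or s.get(rk) != c.get(lk):
            findings.append(f"{conn}: {lk}/{rk} are not mirrored between service and client")
    return findings
```

Run `check_pair(SERVICE_CONF, CLIENT_CONF)` on the two real files (read from /usr/local/etc/ipsec.conf on each box) and fix whatever it lists before looking at the logs.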


----------



## obsigna (Jan 3, 2017)

What is in the logs?

After submitting `service strongswan restart` on the VPN-Service machine and then on the VPN-Client machine, the respective logs on my systems show the following (IP addresses and domain names are obfuscated):

_On the VPN-Client machine (local time BRST)_


```
Jan  3 18:09:08 obsigna charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, FreeBSD 11.0-RELEASE-p6, amd64)
Jan  3 18:09:08 obsigna charon: 00[KNL] unable to set UDP_ENCAP: Invalid argument
Jan  3 18:09:08 obsigna charon: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
Jan  3 18:09:08 obsigna charon: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Jan  3 18:09:08 obsigna charon: 00[CFG]   loaded ca certificate "C=DE, O=Example, CN=example.com CA" from '/usr/local/etc/ipsec.d/cacerts/ipsec-ca-cert.pem'
Jan  3 18:09:08 obsigna charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Jan  3 18:09:08 obsigna charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Jan  3 18:09:08 obsigna charon: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Jan  3 18:09:08 obsigna charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Jan  3 18:09:08 obsigna charon: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Jan  3 18:09:08 obsigna charon: 00[CFG]   loaded IKE secret for %any
Jan  3 18:09:08 obsigna charon: 00[CFG]   loaded RSA private key from '/usr/local/etc/ipsec.d/private/ipsec-clients-key.pem'
Jan  3 18:09:08 obsigna charon: 00[LIB] loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf xcbc cmac hmac attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock
Jan  3 18:09:08 obsigna charon: 00[JOB] spawning 16 worker threads
Jan  3 18:09:08 obsigna charon: 06[CFG] received stroke: add connection 'IKEv2-Tunnel'
Jan  3 18:09:08 obsigna charon: 06[CFG]   loaded certificate "C=DE, O=Example, CN=ipsec-clients.example.com" from 'ipsec-clients-cert.pem'
Jan  3 18:09:08 obsigna charon: 06[CFG]   loaded certificate "C=DE, O=Example, CN=example.com" from 'ipsec-service-cert.pem'
Jan  3 18:09:08 obsigna charon: 06[CFG] added configuration 'IKEv2-Tunnel'
Jan  3 18:09:08 obsigna charon: 16[CFG] received stroke: initiate 'IKEv2-Tunnel'
Jan  3 18:09:08 obsigna charon: 16[IKE] initiating IKE_SA IKEv2-Tunnel[1] to 11.22.33.44
Jan  3 18:09:08 obsigna charon: 16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan  3 18:09:08 obsigna charon: 16[NET] sending packet: from 192.168.2.1[500] to 11.22.33.44[500] (1156 bytes)
Jan  3 18:09:08 obsigna charon: 16[NET] received packet: from 11.22.33.44[500] to 192.168.2.1[500] (617 bytes)
Jan  3 18:09:08 obsigna charon: 16[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Jan  3 18:09:09 obsigna charon: 16[IKE] local host is behind NAT, sending keep alives
Jan  3 18:09:09 obsigna charon: 16[IKE] remote host is behind NAT
Jan  3 18:09:09 obsigna charon: 16[IKE] received cert request for "C=DE, O=Example, CN=example.com CA"
Jan  3 18:09:09 obsigna charon: 16[IKE] sending cert request for "C=DE, O=Example, CN=example.com CA"
Jan  3 18:09:09 obsigna charon: 16[IKE] authentication of 'C=DE, O=Example, CN=ipsec-clients.example.com' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
Jan  3 18:09:09 obsigna charon: 16[IKE] sending end entity cert "C=DE, O=Example, CN=ipsec-clients.example.com"
Jan  3 18:09:09 obsigna charon: 16[IKE] establishing CHILD_SA IKEv2-Tunnel
Jan  3 18:09:09 obsigna charon: 16[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
Jan  3 18:09:09 obsigna charon: 16[ENC] splitting IKE message with length of 1600 bytes into 2 fragments
Jan  3 18:09:09 obsigna charon: 16[ENC] generating IKE_AUTH request 1 [ EF(1/2) ]
Jan  3 18:09:09 obsigna charon: 16[ENC] generating IKE_AUTH request 1 [ EF(2/2) ]
Jan  3 18:09:09 obsigna charon: 16[NET] sending packet: from 192.168.2.1[4500] to 11.22.33.44[4500] (1236 bytes)
Jan  3 18:09:09 obsigna charon: 16[NET] sending packet: from 192.168.2.1[4500] to 11.22.33.44[4500] (436 bytes)
Jan  3 18:09:09 obsigna charon: 16[NET] received packet: from 11.22.33.44[4500] to 192.168.2.1[4500] (1236 bytes)
Jan  3 18:09:09 obsigna charon: 16[ENC] parsed IKE_AUTH response 1 [ EF(1/2) ]
Jan  3 18:09:09 obsigna charon: 16[ENC] received fragment #1 of 2, waiting for complete IKE message
Jan  3 18:09:09 obsigna charon: 15[NET] received packet: from 11.22.33.44[4500] to 192.168.2.1[4500] (212 bytes)
Jan  3 18:09:09 obsigna charon: 15[ENC] parsed IKE_AUTH response 1 [ EF(2/2) ]
Jan  3 18:09:09 obsigna charon: 15[ENC] received fragment #2 of 2, reassembling fragmented IKE message
Jan  3 18:09:09 obsigna charon: 15[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) ]
Jan  3 18:09:09 obsigna charon: 15[IKE] received end entity cert "C=DE, O=Example, CN=example.com"
Jan  3 18:09:09 obsigna charon: 15[CFG]   using trusted ca certificate "C=DE, O=Example, CN=example.com CA"
Jan  3 18:09:09 obsigna charon: 15[CFG] checking certificate status of "C=DE, O=Example, CN=example.com"
Jan  3 18:09:09 obsigna charon: 15[CFG] certificate status is not available
Jan  3 18:09:09 obsigna charon: 15[CFG]   reached self-signed root ca with a path length of 0
Jan  3 18:09:09 obsigna charon: 15[CFG]   using trusted certificate "C=DE, O=Example, CN=example.com"
Jan  3 18:09:09 obsigna charon: 15[IKE] authentication of 'C=DE, O=Example, CN=example.com' with RSA_EMSA_PKCS1_SHA2_256 successful
Jan  3 18:09:09 obsigna charon: 15[IKE] IKE_SA IKEv2-Tunnel[1] established between 192.168.2.1[C=DE, O=Example, CN=ipsec-clients.example.com]...11.22.33.44[C=DE, O=Example, CN=example.com]
Jan  3 18:09:09 obsigna charon: 15[IKE] scheduling reauthentication in 9886s
Jan  3 18:09:09 obsigna charon: 15[IKE] maximum IKE_SA lifetime 10426s
Jan  3 18:09:09 obsigna charon: 15[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jan  3 18:09:09 obsigna charon: 15[IKE] CHILD_SA IKEv2-Tunnel{1} established with SPIs ce7e450a_i cebca5a5_o and TS 192.168.2.0/24 === 192.168.1.0/24
Jan  3 18:09:09 obsigna charon: 15[IKE] received AUTH_LIFETIME of 10107s, scheduling reauthentication in 9567s
Jan  3 18:09:33 obsigna charon: 15[IKE] sending keep alive to 11.22.33.44[4500]
Jan  3 18:09:53 obsigna charon: 13[IKE] sending keep alive to 11.22.33.44[4500]
```
_On the VPN-Service machine (UTC)_


```
Jan  3 20:08:56 aws charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, FreeBSD 10.3-RELEASE-p15, amd64)
Jan  3 20:08:56 aws charon: 00[KNL] unable to set UDP_ENCAP: Invalid argument
Jan  3 20:08:56 aws charon: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
Jan  3 20:08:56 aws charon: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Jan  3 20:08:56 aws charon: 00[CFG]   loaded ca certificate "C=DE, O=Example, CN=example.com CA" from '/usr/local/etc/ipsec.d/cacerts/ipsec-ca-cert.pem'
Jan  3 20:08:56 aws charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Jan  3 20:08:56 aws charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Jan  3 20:08:56 aws charon: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Jan  3 20:08:56 aws charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Jan  3 20:08:56 aws charon: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Jan  3 20:08:56 aws charon: 00[CFG]   loaded IKE secret for %any
Jan  3 20:08:56 aws charon: 00[CFG]   loaded RSA private key from '/usr/local/etc/ipsec.d/private/ipsec-service-key.pem'
Jan  3 20:08:56 aws charon: 00[LIB] loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf xcbc cmac hmac attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock
Jan  3 20:08:56 aws charon: 00[JOB] spawning 16 worker threads
Jan  3 20:08:56 aws charon: 14[CFG] received stroke: add connection 'IKEv2-Tunnel'
Jan  3 20:08:56 aws charon: 14[CFG]   loaded certificate "C=DE, O=Example, CN=example.com" from 'ipsec-service-cert.pem'
Jan  3 20:08:56 aws charon: 14[CFG]   loaded certificate "C=DE, O=Example, CN=ipsec-clients.example.com" from 'ipsec-clients-cert.pem'
Jan  3 20:08:56 aws charon: 14[CFG] added configuration 'IKEv2-Tunnel'
Jan  3 20:09:11 aws charon: 13[NET] received packet: from 44.33.22.11[47442] to 192.168.1.1[500] (1156 bytes)
Jan  3 20:09:11 aws charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan  3 20:09:11 aws charon: 13[IKE] 44.33.22.11 is initiating an IKE_SA
Jan  3 20:09:11 aws charon: 13[IKE] local host is behind NAT, sending keep alives
Jan  3 20:09:11 aws charon: 13[IKE] remote host is behind NAT
Jan  3 20:09:11 aws charon: 13[IKE] sending cert request for "C=DE, O=Example, CN=example.com CA"
Jan  3 20:09:11 aws charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Jan  3 20:09:11 aws charon: 13[NET] sending packet: from 192.168.1.1[500] to 44.33.22.11[47442] (617 bytes)
Jan  3 20:09:12 aws charon: 06[NET] received packet: from 44.33.22.11[54568] to 192.168.1.1[4500] (1236 bytes)
Jan  3 20:09:12 aws charon: 06[ENC] parsed IKE_AUTH request 1 [ EF(1/2) ]
Jan  3 20:09:12 aws charon: 06[ENC] received fragment #1 of 2, waiting for complete IKE message
Jan  3 20:09:12 aws charon: 08[NET] received packet: from 44.33.22.11[54568] to 192.168.1.1[4500] (436 bytes)
Jan  3 20:09:12 aws charon: 08[ENC] parsed IKE_AUTH request 1 [ EF(2/2) ]
Jan  3 20:09:12 aws charon: 08[ENC] received fragment #2 of 2, reassembling fragmented IKE message
Jan  3 20:09:12 aws charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
Jan  3 20:09:12 aws charon: 08[IKE] received cert request for "C=DE, O=Example, CN=example.com CA"
Jan  3 20:09:12 aws charon: 08[IKE] received end entity cert "C=DE, O=Example, CN=ipsec-clients.example.com"
Jan  3 20:09:12 aws charon: 08[CFG] looking for peer configs matching 192.168.1.1[C=DE, O=Example, CN=example.com]...44.33.22.11[C=DE, O=Example, CN=ipsec-clients.example.com]
Jan  3 20:09:12 aws charon: 08[CFG] selected peer config 'IKEv2-Tunnel'
Jan  3 20:09:12 aws charon: 08[CFG]   using trusted ca certificate "C=DE, O=Example, CN=example.com CA"
Jan  3 20:09:12 aws charon: 08[CFG] checking certificate status of "C=DE, O=Example, CN=ipsec-clients.example.com"
Jan  3 20:09:12 aws charon: 08[CFG] certificate status is not available
Jan  3 20:09:12 aws charon: 08[CFG]   reached self-signed root ca with a path length of 0
Jan  3 20:09:12 aws charon: 08[CFG]   using trusted certificate "C=DE, O=Example, CN=ipsec-clients.example.com"
Jan  3 20:09:12 aws charon: 08[IKE] authentication of 'C=DE, O=Example, CN=ipsec-clients.example.com' with RSA_EMSA_PKCS1_SHA2_256 successful
Jan  3 20:09:12 aws charon: 08[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jan  3 20:09:12 aws charon: 08[IKE] authentication of 'C=DE, O=Example, CN=example.com' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
Jan  3 20:09:12 aws charon: 08[IKE] IKE_SA IKEv2-Tunnel[1] established between 192.168.1.1[C=DE, O=Example, CN=example.com]...44.33.22.11[C=DE, O=Example, CN=ipsec-clients.example.com]
Jan  3 20:09:12 aws charon: 08[IKE] scheduling reauthentication in 10107s
Jan  3 20:09:12 aws charon: 08[IKE] maximum IKE_SA lifetime 10647s
Jan  3 20:09:12 aws charon: 08[IKE] sending end entity cert "C=DE, O=Example, CN=example.com"
Jan  3 20:09:12 aws charon: 08[IKE] CHILD_SA IKEv2-Tunnel{1} established with SPIs cebca5a5_i ce7e450a_o and TS 192.168.1.0/24 === 192.168.2.0/24
Jan  3 20:09:12 aws charon: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) ]
Jan  3 20:09:12 aws charon: 08[ENC] splitting IKE message with length of 1376 bytes into 2 fragments
Jan  3 20:09:12 aws charon: 08[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Jan  3 20:09:12 aws charon: 08[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Jan  3 20:09:12 aws charon: 08[NET] sending packet: from 192.168.1.1[4500] to 44.33.22.11[54568] (1236 bytes)
Jan  3 20:09:12 aws charon: 08[NET] sending packet: from 192.168.1.1[4500] to 44.33.22.11[54568] (212 bytes)
```
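As an added, defender-side example (not code from this thread or from strongSwan), the following parses charon lines in the format shown above and reduces them to the facts that matter for a site-to-site check: who authenticated with which method, NAT detection on each side, kernel or socket warnings, and the CHILD_SA's SPIs and traffic selectors. The tunnel_up check then insists that the peer identity and the remote subnet match what was configured, so an SA that came up with an unexpected peer or unexpected selectors is not reported as healthy. The sample log, hostname, addresses and SPIs are constructed.

```python
import re

# Constructed sample modelled on the charon log posted above; hostname, addresses
# and SPIs are made up, not a capture from any real system.
SAMPLE_LOG = """\
Jan  3 18:09:08 vpn charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, FreeBSD 11.0-RELEASE-p6, amd64)
Jan  3 18:09:08 vpn charon: 00[KNL] unable to set UDP_ENCAP: Invalid argument
Jan  3 18:09:08 vpn charon: 16[IKE] initiating IKE_SA IKEv2-Tunnel[1] to 203.0.113.10
Jan  3 18:09:09 vpn charon: 16[IKE] local host is behind NAT, sending keep alives
Jan  3 18:09:09 vpn charon: 16[IKE] remote host is behind NAT
Jan  3 18:09:09 vpn charon: 16[IKE] authentication of 'C=DE, O=Example, CN=ipsec-clients.example.com' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
Jan  3 18:09:09 vpn charon: 15[IKE] authentication of 'C=DE, O=Example, CN=example.com' with RSA_EMSA_PKCS1_SHA2_256 successful
Jan  3 18:09:09 vpn charon: 15[IKE] IKE_SA IKEv2-Tunnel[1] established between 192.168.2.1[C=DE, O=Example, CN=ipsec-clients.example.com]...203.0.113.10[C=DE, O=Example, CN=example.com]
Jan  3 18:09:09 vpn charon: 15[IKE] CHILD_SA IKEv2-Tunnel{1} established with SPIs c0ffee01_i c0ffee02_o and TS 192.168.2.0/24 === 192.168.1.0/24
Jan  3 18:09:09 vpn charon: 15[IKE] received AUTH_LIFETIME of 10107s, scheduling reauthentication in 9567s
"""

AUTH_RE = re.compile(r"\[IKE\] authentication of '(?P<id>[^']+)'(?P<self> \(myself\))? with (?P<method>\S+) successful")
IKE_SA_RE = re.compile(r"IKE_SA (?P<conn>\S+)\[\d+\] established between (?P<lhost>\S+)\[(?P<lid>[^\]]+)\]\.\.\.(?P<rhost>\S+)\[(?P<rid>[^\]]+)\]")
CHILD_RE = re.compile(r"CHILD_SA (?P<conn>\S+)\{\d+\} established with SPIs (?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o and TS (?P<local_ts>\S+) === (?P<remote_ts>\S+)")
NAT_RE = re.compile(r"(?P<side>local|remote) host is behind NAT")

def summarize_charon(log_text):
    """Reduce a charon log to the facts that say whether the tunnel came up, and with whom."""
    s = {"auth": [], "nat": set(), "ike_sa": None, "child_sa": None, "warnings": []}
    for line in log_text.splitlines():
        if "unable to" in line or " failed" in line:          # kernel/socket problems worth a look
            s["warnings"].append(line.split("] ", 1)[-1])
        if m := AUTH_RE.search(line):                          # peer=True for the remote side's AUTH
            s["auth"].append({"id": m["id"], "peer": m["self"] is None, "method": m["method"]})
        if m := NAT_RE.search(line):
            s["nat"].add(m["side"])
        if m := IKE_SA_RE.search(line):
            s["ike_sa"] = m.groupdict()
        if m := CHILD_RE.search(line):
            s["child_sa"] = m.groupdict()
    return s

def tunnel_up(summary, expected_peer_id, expected_remote_ts):
    """True only if the peer proved the identity configured as rightid and the
    CHILD_SA's remote traffic selector is the subnet we meant to reach."""
    peer_ok = any(a["peer"] and a["id"] == expected_peer_id for a in summary["auth"])
    child = summary["child_sa"]
    return bool(summary["ike_sa"]) and peer_ok and child is not None and child["remote_ts"] == expected_remote_ts
```

Feed it the client's /var/log/security (or wherever charon logs on your box) and compare the result with `ipsec statusall`; the summary also tells you at a glance why "0 up, 0 connecting" happened when no IKE_SA line is present.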


----------

