Hej,
now that MR-1 has appeared, I wanted to ask when MR-2 will appear? The problems and instabilities of IPSec in v17 (especially in connection with V16.5) are very annoying.
This thread was automatically locked due to age.
Hej,
now that MR-1 has appeared, I wanted to ask when MR-2 will appear? The problems and instabilities of IPSec in v17 (especially in connection with V16.5) are very annoying.
Just a quick update. I've been working with the GES team, but so far no changes. I was able to upgrade to MR3 and they got the tunnel to establish. It ran for almost a week and then started disconnecting every few hours. High availability completely breaks the tunnel.
The thing that still seems to work, even though it shouldn't, is that if I switch the ipsec profile from Main Mode to Aggressive Mode the tunnel becomes more stable and will only disconnect about once a day rather than every few hours. This is strange because the ASA on the other end is set to Main Mode, and the vpn profile is not even supposed to be compatible with Aggressive Mode. It actually makes the selection list on tunnel profile blank. So this appears to be a definite bug. We're discussing switching back to Cisco. This issue has become a deal breaker for us.
Anyone else had any luck?
We're in the same boat. Not an ASA but connecting to a Cisco Router at HQ. Disconnects multiple times a day. In our case the tunnel loses some of it's SA's that get established. Out of 9 SA's that are part of the tunnel only one or two show green in the vpn connection and the site goes down. A reconnect will re-establish it, but what a pain in the butt.
If anyone as a rock solid VPN connection to a cisco device I would love to know what configuration you're using.
-Scott
Ryan,
Out of curiosity, do you have overlapping networks between local and remote side of the ipsec connection by chance? For for example:
Lets say at the branch office where the sophos is I've got a 192.168.100.X/24 as the local LAN subnet that's behind the XG. Then on the remote side of the ipsec(cisco at HQ) we've got a 192.168.0.0/16 setup on the cisco. I was just wondering if there's an issue with those overlapping subnets on either end of the connection. I've seen some posts on some of the Strongswan boards about this, but nothing that mentions that the SA's drop off, more of routing issues than anything else.
Thanks,
-Scott
The problem is many of use were waiting eagerly for v17 BECAUSE they brought in Strongswan with IKEv2 - a requirement for route-based tunneling and as such for HA tunnels (to Azure in my case). The only "downgrade" I'll consider, if this doesn't get worked out completely, is to pull the XG "down" from the rack and put something else in its place.
Nothing like that as far as I can tell. Some of our internal subnets do overlap with subnets that that company on the other end uses internally, but none of those are in this vpn profile. But because of that overlap we do have to nat everything on our end. I originally thought something with the nat'ing might be the cause, but after seeing so many others having the same issue that doesn't seem to be the case. But GES has looked over the nat and subnets and doesn't see any issues with the config as far as those are concerned.
The sad thing is that I flew out to our datacenter (it's on the other side of the country) fully prepared to bite the bullet and downgrade. Support talked me out of it and said that all of these issues should be fixed if I could just upgrade to MR3. I upgraded, they got stuff working, and I thought things were good... Until it stopped working again.
I know your comment was in reply to Matt, but I will reply as well. :-) yes I've seen this doc before. The only thing we're not doing on the cisco side of the config is that our cisco guy on my team has the ipsec connection setup in transport mode rather than tunnel. Not sure if that matters. I'm hoping dna will join in this discussion. (I do have a case open that was just escalated to Level 2) about this.
-Scott
Yeah we've kicked that idea around. I get nervous doing something like flashing a system if I'm not standing next to the thing ready to plug into it. I would be happy if Sophos would put out a downgrade option that just kept basic info like network settings intact. Our business runs 24/7 and we pull in a lot of realtime data from SCADA systems over this vpn. So just the downtime required for a downgrade is what we've been trying to avoid. If something went wrong with the downgrade process, the couple of grand for a trip out would probably be worth it to avoid as much downtime as possible. Everything on our network is set up for redundancy. Right now the Sophos is the only thing without HA. We've invested a lot of money into buying things that are supposed to prevent outages, so it's frustrating when one of those things is what's forcing us to shut down.
Here's what support has sent me. I've already checked with the other end and Aggressive Mode is not in use. I am still going to try to get support in on a remote session to look at their side just to fully rule it out. Are any of you able to look at your logs and see if the XG "thinks" it's receiving Aggressive Mode messages from the other end? One of the things that has been extremely strange about all of this from the beginning is that if I switch the ipsec profile to aggressive mode the tunnel will actually stay up longer, even though the other end is set to use Main Mode. Also, on the XG if aggressive mode is selected you aren't supposed to be able to use a PSK, but that is exactly what I have set. No clue. The whole thing just keeps getting stranger.
Hello Ryan,
Thanks for the notification.
First off I have found the reason why Aggressive mode works better, and thats because the other side is set to Aggressive mode.
2018-01-25 17:30:28 07[NET] <69> received packet: from <ASA IP>[500] to <XG IP>[500] (332 bytes)
2018-01-25 17:30:28 07[ENC] <69> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V ]
2018-01-25 17:30:28 07[IKE] <69> received Cisco Unity vendor ID
2018-01-25 17:30:28 07[IKE] <69> received XAuth vendor ID
2018-01-25 17:30:28 07[IKE] <69> received NAT-T (RFC 3947) vendor ID
2018-01-25 17:30:28 07[IKE] <69> received FRAGMENTATION vendor ID
2018-01-25 17:30:28 07[IKE] <69><ASA IP> is initiating a Aggressive Mode IKE_SA
2018-01-25 17:30:28 07[IKE] <69> Aggressive Mode PSK disabled for security reasons
2018-01-25 17:30:28 07[ENC] <69> generating INFORMATIONAL_V1 request 2309825510 [ N(AUTH_FAILED) ]
2018-01-25 17:30:28 07[NET] <69> sending packet: from <XG IP>[500] to<ASA IP>[500] (56 bytes)
2018-01-25 17:30:36 29[ENC] <70> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V ]
2018-01-25 17:30:36 29[IKE] <70> received Cisco Unity vendor ID
2018-01-25 17:30:36 29[IKE] <70> received XAuth vendor ID
2018-01-25 17:30:36 29[IKE] <70> received NAT-T (RFC 3947) vendor ID
2018-01-25 17:30:36 29[IKE] <70> received FRAGMENTATION vendor ID
2018-01-25 17:30:36 29[IKE] <70><ASA IP> is initiating a Aggressive Mode IKE_SA
2018-01-25 17:30:36 29[IKE] <70> Aggressive Mode PSK disabled for security reasons
2018-01-25 17:30:36 29[ENC] <70> generating INFORMATIONAL_V1 request 2693164571 [ N(AUTH_FAILED) ]
2018-01-25 17:30:36 29[NET] <70> sending packet: from <XG IP>[500] to <ASA IP>[500] (56 bytes)
2018-01-25 17:30:44 27[NET] <71> received packet: from <ASA IP>[500] to <XG IP>[500] (332 bytes)
2018-01-25 17:30:44 27[ENC] <71> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V ]
2018-01-25 17:30:44 27[IKE] <71> received Cisco Unity vendor ID
2018-01-25 17:30:44 27[IKE] <71> received XAuth vendor ID
2018-01-25 17:30:44 27[IKE] <71> received NAT-T (RFC 3947) vendor ID
2018-01-25 17:30:44 27[IKE] <71> received FRAGMENTATION vendor ID
2018-01-25 17:30:44 27[IKE] <71> <ASA IP> is initiating a Aggressive Mode IKE_SA
2018-01-25 17:30:44 27[IKE] <71> Aggressive Mode PSK disabled for security reasons
2018-01-25 17:30:44 27[ENC] <71> generating INFORMATIONAL_V1 request 2288970022 [ N(AUTH_FAILED) ]
During this process of the Cisco initiating the connection, it is failing due to authentication issue:
generating INFORMATIONAL_V1 request 2288970022 [ N(AUTH_FAILED)
The XG has Aggressive mode set to disabled when PSK is used. For Aggressive mode you should be using a RSA or certificate key to get it to work.
We then receive delete requests for the various child SAs:
2018-01-25 17:31:00 25[NET] <<Tunnel Name>2-1|32> received packet: from <ASA IP>[500] to <XG IP>[500] (76 bytes)
2018-01-25 17:31:00 25[ENC] <<Tunnel Name>2-1|32> parsed INFORMATIONAL_V1 request 837816341 [ HASH D ]
2018-01-25 17:31:00 25[IKE] <<Tunnel Name>2-1|32> received DELETE for ESP CHILD_SA with SPI 91a9b401
2018-01-25 17:31:00 25[IKE] <<Tunnel Name>2-1|32> closing CHILD_SA <Tunnel Name>2-5{113} with SPIs cb6a5a93_i (84517293 bytes) 91a9b401_o (6792306 bytes) and TS 192.168.112.29/32 === 161.224.97.0/24
We then close the connection down.
The below shows the initiation process of the tunnel when initiated from the Cisco:
2018-01-25 17:33:12 17[NET] <77> received packet: from <ASA IP>[500] to <XG IP>[500] (516 bytes)
2018-01-25 17:33:12 17[ENC] <77> parsed ID_PROT request 0 [ SA V V V V ]
2018-01-25 17:33:12 17[IKE] <77> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
2018-01-25 17:33:12 17[IKE] <77> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
2018-01-25 17:33:12 17[IKE] <77> received NAT-T (RFC 3947) vendor ID
2018-01-25 17:33:12 17[IKE] <77> received FRAGMENTATION vendor ID
2018-01-25 17:33:12 17[IKE] <77> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-25 17:33:12 17[ENC] <77> generating ID_PROT response 0 [ SA V V V V ]
2018-01-25 17:33:12 17[NET] <77> sending packet: from <XG IP>[500] to <ASA IP>[500] (164 bytes)
2018-01-25 17:33:12 29[NET] <77> received packet: from <ASA IP>[500] to <XG IP>[500] (304 bytes)
2018-01-25 17:33:12 29[ENC] <77> parsed ID_PROT request 0 [ KE No V V V V NAT-D NAT-D ]
2018-01-25 17:33:12 29[IKE] <77> received Cisco Unity vendor ID
2018-01-25 17:33:12 29[IKE] <77> received XAuth vendor ID
2018-01-25 17:33:12 29[ENC] <77> received unknown vendor ID: 93:77:2c:ae:ff:07:64:fe:e2:a4:84:d2:15:ba:ff:e0
2018-01-25 17:33:12 29[ENC] <77> received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
2018-01-25 17:33:12 29[ENC] <77> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
2018-01-25 17:33:12 29[NET] <77> sending packet: from <XG IP>[500] to <ASA IP>[500] (244 bytes)
2018-01-25 17:33:12 27[NET] <77> received packet: from <ASA IP>[500] to <XG IP>[500] (92 bytes)
2018-01-25 17:33:12 27[ENC] <77> parsed ID_PROT request 0 [ ID HASH V ]
2018-01-25 17:33:12 27[IKE] <77> received DPD vendor ID
2018-01-25 17:33:12 27[CFG] <77> looking for pre-shared key peer configs matching <XG IP>...<ASA IP>[<ASA IP>]
2018-01-25 17:33:12 27[IKE] <77> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-25 17:33:12 27[ENC] <77> generating INFORMATIONAL_V1 request 1284196984 [ HASH N(AUTH_FAILED) ]
2018-01-25 17:33:12 27[NET] <77> sending packet: from <XG IP>[500] to <ASA IP>[500] (92 bytes)
I would like to bring to your attention 2 lines that are very interesting. It almost seems that there are 2 profiles configured on the Cisco side.
2018-01-25 17:33:12 17[IKE] <77> <ASA IP> is initiating a Main Mode IKE_SA <-- The Cisco is initiating the connection using "Main Mode"
2018-01-25 17:30:28 07[IKE] <69> <ASA IP> is initiating a Aggressive Mode IKE_SA <-- This 1 here earlier is initiating an "Aggressive Mode" connection.
I am not sure whats going on with the above but that has to be looked at.
Now it is unable to reform the tunnel on its own as its failing authentication due to the XG not allowing PSK to be used with "Aggressive Mode" and its initiating "Main Mode". Then when you physically initiate the connection on your side, it works fine. This, again, may be due to the Cisco having multiple profiles configured for the same IPSec tunnel.
You then manually connect the connection which works fine:
2018-01-25 17:53:46 21[CFG] vici initiate '<Tunnel Name>2-20'
2018-01-25 17:53:46 11[IKE] <<Tunnel Name>2-1|115> initiating Aggressive Mode IKE_SA <Tunnel Name>2-1[115] to <ASA IP>
2018-01-25 17:53:46 11[ENC] <<Tunnel Name>2-1|115> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
2018-01-25 17:53:46 11[NET] <<Tunnel Name>2-1|115> sending packet: from <XG IP>[500] to <ASA IP>[500] (420 bytes)
2018-01-25 17:53:46 23[NET] <<Tunnel Name>2-1|115> received packet: from <ASA IP>[500] to <XG IP>[500] (440 bytes)
2018-01-25 17:53:46 23[ENC] <<Tunnel Name>2-1|115> parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V V NAT-D NAT-D V V ]
2018-01-25 17:53:46 23[IKE] <<Tunnel Name>2-1|115> received Cisco Unity vendor ID
2018-01-25 17:53:46 23[IKE] <<Tunnel Name>2-1|115> received XAuth vendor ID
2018-01-25 17:53:46 23[IKE] <<Tunnel Name>2-1|115> received DPD vendor ID
2018-01-25 17:53:46 23[IKE] <<Tunnel Name>2-1|115> received NAT-T (RFC 3947) vendor ID
2018-01-25 17:53:46 23[IKE] <<Tunnel Name>2-1|115> received FRAGMENTATION vendor ID
2018-01-25 17:53:46 23[ENC] <<Tunnel Name>2-1|115> received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
2018-01-25 17:53:46 23[IKE] <<Tunnel Name>2-1|115> IKE_SA <Tunnel Name>2-1[115] established between <XG IP>[<XG IP>]...<ASA IP>[<ASA IP>]
2018-01-25 17:53:46 23[IKE] <<Tunnel Name>2-1|115> scheduling rekeying in 38277s
2018-01-25 17:53:46 23[IKE] <<Tunnel Name>2-1|115> maximum IKE_SA lifetime 38367s
2018-01-25 17:53:46 23[ENC] <<Tunnel Name>2-1|115> generating AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
2018-01-25 17:53:46 23[NET] <<Tunnel Name>2-1|115> sending packet: from <XG IP>[500] to <ASA IP>[500] (108 bytes)
2018-01-25 17:53:46 23[ENC] <<Tunnel Name>2-1|115> generating QUICK_MODE request 2453880684 [ HASH SA No ID ID ]
2018-01-25 17:53:46 23[NET] <<Tunnel Name>2-1|115> sending packet: from <XG IP>[500] to <ASA IP>[500] (204 bytes)
2018-01-25 17:53:46 07[NET] <<Tunnel Name>2-1|115> received packet: from <ASA IP>[500] to <XG IP>[500] (172 bytes)
2018-01-25 17:53:46 07[ENC] <<Tunnel Name>2-1|115> parsed QUICK_MODE response 2453880684 [ HASH SA No ID ID ]
2018-01-25 17:53:46 07[IKE] <<Tunnel Name>2-1|115> CHILD_SA <Tunnel Name>2-20{122} established with SPIs c235c5c5_i 2ea9525e_o and TS
I may have found the answer to this myself. Here's what I just sent back to support. This looks like part of the bug/s.
Here’s something else interesting. I switched it back to Main Mode and monitored it with tail -f /log/strongswan.log
The connection established and is currently connected. With Aggressive Mode disabled I did not see any attempts from the ASA using Aggressive Mode.
I also searched the log for the words Main and Aggressive, and it looks like the only time the XG is “thinking” it’s receiving Aggressive Mode initiations from the ASA is when I have set it to Aggressive Mode. Before I switched it to Aggressive Mode there were no Aggressive Mode initiations received, and there haven’t been any since I switched back to Main Mode this morning. It looks like setting it to Aggressive Mode on the XG makes the XG expect to see those packets and so it’s somehow misinterpreting them when the ASA initiates.
If you look at the bottom of this paste you’ll see that those Aggressive Mode initiations started yesterday at exactly the time that I enabled Aggressive Mode on the XG 9:30AM. I emailed you at 9:47AM letting you know that I had switched it to Aggressive Mode. My alert from Solarwinds shows that the tunnel dropped well before that, so the Aggressive Mode initiations were not a cause, but a byproduct of the change. This to me looks like a bug. The XG is misinterpreting these initiations.
2018-01-26 04:15:55 05[IKE] <209> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:16:27 13[IKE] <210> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:16:28 31[IKE] <210> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:17:00 09[IKE] <211> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:17:00 22[IKE] <211> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:17:32 16[IKE] <212> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:17:32 13[IKE] <212> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:18:06 14[IKE] <213> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:18:06 09[IKE] <213> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:18:40 07[IKE] <214> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:18:40 26[IKE] <214> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:19:12 24[IKE] <215> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:19:12 11[IKE] <215> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:19:44 29[IKE] <216> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:19:44 06[IKE] <216> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:20:17 32[IKE] <217> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:20:17 12[IKE] <217> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:20:50 17[IKE] <218> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:20:50 18[IKE] <218> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:21:23 20[IKE] <219> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:21:23 07[IKE] <219> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:21:55 14[IKE] <220> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:21:56 24[IKE] <220> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:22:30 32[IKE] <221> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:22:30 12[IKE] <221> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:23:03 27[IKE] <222> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:23:03 14[IKE] <222> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:23:36 15[IKE] <223> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:23:36 32[IKE] <223> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:24:10 22[IKE] <224> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:24:10 27[IKE] <224> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:24:43 16[IKE] <225> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:24:43 13[IKE] <225> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:25:16 28[IKE] <226> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:25:16 11[IKE] <226> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:25:50 09[IKE] <227> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:25:50 27[IKE] <227> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:26:24 15[IKE] <228> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:26:24 30[IKE] <228> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:26:57 09[IKE] <229> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:26:57 26[IKE] <229> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:27:30 28[IKE] <230> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:27:30 11[IKE] <230> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:28:06 08[IKE] <231> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:28:06 09[IKE] <231> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:28:40 12[IKE] <232> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:28:40 28[IKE] <232> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:29:15 18[IKE] <233> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:29:15 31[IKE] <233> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:29:48 10[IKE] <234> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:29:48 17[IKE] <234> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:30:20 14[IKE] <235> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:30:21 31[IKE] <235> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:30:53 20[IKE] <236> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:30:54 17[IKE] <236> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:31:26 07[IKE] <237> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:31:26 09[IKE] <237> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:31:58 23[IKE] <238> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:31:58 28[IKE] <238> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:32:31 12[IKE] <239> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:32:31 08[IKE] <239> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:33:06 21[IKE] <240> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:33:06 23[IKE] <240> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:33:38 07[IKE] <241> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:33:38 14[IKE] <241> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:34:11 10[IKE] <242> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:34:11 20[IKE] <242> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:34:44 12[IKE] <243> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:34:44 08[IKE] <243> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:35:16 07[IKE] <244> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:35:17 10[IKE] <244> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:35:50 22[IKE] <245> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:35:50 25[IKE] <245> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:36:24 07[IKE] <246> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:36:24 10[IKE] <246> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:36:56 23[IKE] <247> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:36:57 32[IKE] <247> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:37:30 11[IKE] <248> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:37:30 29[IKE] <248> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:38:04 28[IKE] <249> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:38:04 23[IKE] <249> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:38:36 18[IKE] <250> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:38:37 11[IKE] <250> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:39:10 28[IKE] <251> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:39:10 23[IKE] <251> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:39:43 19[IKE] <252> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:39:44 07[IKE] <252> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:40:16 12[IKE] <253> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:40:16 21[IKE] <253> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:40:48 22[IKE] <254> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:40:48 28[IKE] <254> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:41:21 17[IKE] <255> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:41:21 06[IKE] <255> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:41:54 31[IKE] <256> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:41:54 22[IKE] <256> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:42:26 23[IKE] <257> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:42:27 25[IKE] <257> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:43:00 09[IKE] <258> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:43:00 07[IKE] <258> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:43:33 30[IKE] <259> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:43:33 32[IKE] <259> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:44:06 13[IKE] <260> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:44:06 09[IKE] <260> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:44:38 11[IKE] <261> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:44:38 30[IKE] <261> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:45:11 08[IKE] <262> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:45:11 31[IKE] <262> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:45:44 20[IKE] <263> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:45:44 27[IKE] <263> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:46:16 25[IKE] <264> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:46:16 08[IKE] <264> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:46:48 28[IKE] <265> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:46:48 17[IKE] <265> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:47:20 15[IKE] <266> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:47:20 21[IKE] <266> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:47:54 10[IKE] <267> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:47:54 28[IKE] <267> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:48:26 14[IKE] <268> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:48:26 15[IKE] <268> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:48:58 09[IKE] <269> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:48:58 20[IKE] <269> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:49:30 14[IKE] <270> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:49:30 15[IKE] <270> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:50:04 05[IKE] <271> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:50:04 10[IKE] <271> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:50:37 07[IKE] <272> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:50:37 29[IKE] <272> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:51:10 22[IKE] <273> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:51:10 11[IKE] <273> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:51:44 18[IKE] <274> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:51:44 07[IKE] <274> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:52:17 24[IKE] <275> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:52:17 32[IKE] <275> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:52:50 07[IKE] <276> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:52:51 29[IKE] <276> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:53:25 24[IKE] <277> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:53:26 32[IKE] <277> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:53:58 07[IKE] <278> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:53:58 29[IKE] <278> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:54:31 24[IKE] <279> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:54:31 32[IKE] <279> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:55:06 27[IKE] <280> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:55:06 26[IKE] <280> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:55:38 30[IKE] <281> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:55:38 25[IKE] <281> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:56:10 05[IKE] <282> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:56:11 15[IKE] <282> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:56:44 20[IKE] <283> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:56:44 30[IKE] <283> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:57:17 13[IKE] <284> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:57:17 05[IKE] <284> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:57:50 14[IKE] <285> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:57:50 18[IKE] <285> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:58:22 32[IKE] <286> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:58:23 08[IKE] <286> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:58:56 29[IKE] <287> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:58:56 14[IKE] <287> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 04:59:28 13[IKE] <288> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 04:59:28 05[IKE] <288> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 05:00:00 29[IKE] <289> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 05:00:01 14[IKE] <289> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 05:00:33 12[IKE] <290> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 05:00:33 11[IKE] <290> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 05:01:06 16[IKE] <291> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 05:01:06 09[IKE] <291> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 05:01:38 31[IKE] <292> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 05:01:38 12[IKE] <292> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 05:02:10 29[IKE] <293> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 05:02:11 16[IKE] <293> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 05:02:44 25[IKE] <294> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 05:02:45 31[IKE] <294> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 05:03:17 15[IKE] <295> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 05:03:17 29[IKE] <295> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 05:03:50 18[IKE] <296> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 05:03:50 07[IKE] <296> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 05:04:23 21[IKE] <297> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 05:04:23 28[IKE] <297> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 05:04:56 14[IKE] <298> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 05:04:56 18[IKE] <298> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 05:05:28 24[IKE] <299> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 05:05:28 17[IKE] <299> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 05:06:01 23[IKE] <300> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 05:06:01 26[IKE] <300> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 05:06:33 24[IKE] <301> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 05:06:33 17[IKE] <301> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 05:07:06 23[IKE] <303> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 05:07:06 26[IKE] <303> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 05:07:41 20[IKE] <304> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 05:07:41 22[IKE] <304> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 05:08:15 10[IKE] <305> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 05:08:15 23[IKE] <305> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 05:08:47 07[IKE] <306> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 05:08:47 20[IKE] <306> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 05:09:21 32[IKE] <307> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 05:09:21 27[IKE] <307> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 05:09:53 11[IKE] <308> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 05:09:53 24[IKE] <308> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 05:10:26 13[IKE] <309> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 05:10:26 21[IKE] <309> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 05:11:01 10[IKE] <310> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 05:11:01 25[IKE] <310> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 05:11:33 13[IKE] <311> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 05:11:33 21[IKE] <311> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 05:12:06 10[IKE] <313> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 05:12:06 25[IKE] <313> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 05:12:41 05[IKE] <314> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 05:12:41 31[IKE] <314> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 05:13:13 29[IKE] <315> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 05:13:13 10[IKE] <315> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 05:13:46 17[IKE] <316> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 05:13:46 05[IKE] <316> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 05:14:21 15[IKE] <317> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 05:14:21 22[IKE] <317> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 05:14:53 24[IKE] <318> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 05:14:54 13[IKE] <318> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 05:15:26 31[IKE] <319> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 05:15:26 24[IKE] <319> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 05:15:59 22[IKE] <320> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 05:15:59 19[IKE] <320> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 05:16:31 12[IKE] <321> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 05:16:31 30[IKE] <321> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 05:17:04 22[IKE] <322> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 05:17:04 19[IKE] <322> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 05:17:36 11[IKE] <323> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 05:17:36 31[IKE] <323> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 05:18:11 14[IKE] <324> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 05:18:11 22[IKE] <324> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 05:18:14 23[IKE] <325> 12.28.251.138 is initiating a Main Mode IKE_SA
2018-01-26 05:18:43 27[IKE] <326> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 05:18:43 15[IKE] <326> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 05:19:16 13[IKE] <327> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 05:19:16 11[IKE] <327> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 05:19:48 15[IKE] <328> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 05:19:49 14[IKE] <328> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 05:20:21 19[IKE] <329> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 05:20:21 08[IKE] <329> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 05:20:53 28[IKE] <330> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 05:20:53 24[IKE] <330> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 05:21:26 19[IKE] <331> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 05:21:26 08[IKE] <331> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 05:21:58 28[IKE] <332> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 05:21:59 24[IKE] <332> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 05:22:31 23[IKE] <333> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 05:22:31 29[IKE] <333> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 05:23:04 10[IKE] <334> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 05:23:04 25[IKE] <334> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 05:23:36 21[IKE] <335> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 05:23:36 23[IKE] <335> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 05:24:08 31[IKE] <336> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 05:24:09 10[IKE] <336> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 05:24:41 22[IKE] <337> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 05:24:41 21[IKE] <337> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 05:25:13 14[IKE] <338> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 05:25:13 20[IKE] <338> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 05:25:46 15[IKE] <339> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 05:25:46 08[IKE] <339> found 1 matching config, but none allows pre-shared key authentication using Main Mode
2018-01-26 05:26:19 20[IKE] <340> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 05:26:19 13[IKE] <340> found 1 matching config, but none allows pre-shared key authentication u
2018-01-26 05:26:51 15[IKE] <341> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 05:26:51 08[IKE] <341> found 1 matching config, but none allows pre-shared key authentication u
2018-01-26 05:27:24 20[IKE] <342> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 05:27:24 13[IKE] <342> found 1 matching config, but none allows pre-shared key authentication u
2018-01-26 05:27:57 12[IKE] <343> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 05:27:57 15[IKE] <343> found 1 matching config, but none allows pre-shared key authentication u
2018-01-26 07:30:33 30[IKE] <Glenpool-1|185> initiating Main Mode IKE_SA Glenpool-1[346] to 12.206.136.242
2018-01-26 08:08:33 10[IKE] <347> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 08:08:33 29[IKE] <347> found 1 matching config, but none allows pre-shared key authentication u
2018-01-26 08:09:08 17[IKE] <348> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 08:09:08 22[IKE] <348> found 1 matching config, but none allows pre-shared key authentication u
2018-01-26 08:09:40 18[IKE] <349> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 08:09:40 08[IKE] <349> found 1 matching config, but none allows pre-shared key authentication u
2018-01-26 08:10:13 07[IKE] <350> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 08:10:13 15[IKE] <350> found 1 matching config, but none allows pre-shared key authentication u
2018-01-26 08:10:48 12[IKE] <351> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 08:12:05 12[IKE] <352> <ASA IP> is initiating a Main Mode IKE_SA
2018-01-26 08:12:29 14[IKE] <356> <ASA IP> is initiating a Main Mode IKE_SA
SG310_WP01_SFOS 17.0.3 MR-3# grep Aggressive strongswan.log
2018-01-25 09:30:27 22[IKE] <<Tunnel Name>2-1|32> initiating Aggressive Mode IKE_SA <Tunnel Name>2-1[32] to <ASA IP>
2018-01-25 17:30:28 07[IKE] <69> <ASA IP> is initiating a Aggressive Mode IKE_SA
2018-01-25 17:30:28 07[IKE] <69> Aggressive Mode PSK disabled for security reasons
2018-01-25 17:30:36 29[IKE] <70> <ASA IP> is initiating a Aggressive Mode IKE_SA
2018-01-25 17:30:36 29[IKE] <70> Aggressive Mode PSK disabled for security reasons
2018-01-25 17:30:44 27[IKE] <71> <ASA IP> is initiating a Aggressive Mode IKE_SA
2018-01-25 17:30:44 27[IKE] <71> Aggressive Mode PSK disabled for security reasons
2018-01-25 17:30:52 05[IKE] <72> <ASA IP> is initiating a Aggressive Mode IKE_SA
2018-01-25 17:30:52 05[IKE] <72> Aggressive Mode PSK disabled for security reasons
2018-01-25 17:53:46 11[IKE] <<Tunnel Name>2-1|115> initiating Aggressive Mode IKE_SA <Tunnel Name>2-1[115] to <ASA IP>
2018-01-25 20:08:42 06[IKE] <<Tunnel Name>2-1|176> initiating Aggressive Mode IKE_SA <Tunnel Name>2-1[176] to <ASA IP>
2018-01-26 04:08:43 31[IKE] <193> <ASA IP> is initiating a Aggressive Mode IKE_SA
2018-01-26 04:08:43 31[IKE] <193> Aggressive Mode PSK disabled for security reasons
2018-01-26 04:08:51 32[IKE] <194> <ASA IP> is initiating a Aggressive Mode IKE_SA
2018-01-26 04:08:51 32[IKE] <194> Aggressive Mode PSK disabled for security reasons
2018-01-26 04:08:59 05[IKE] <195> <ASA IP> is initiating a Aggressive Mode IKE_SA
2018-01-26 04:08:59 05[IKE] <195> Aggressive Mode PSK disabled for security reasons
2018-01-26 04:09:07 25[IKE] <196> <ASA IP> is initiating a Aggressive Mode IKE_SA
2018-01-26 04:09:07 25[IKE] <196> Aggressive Mode PSK disabled for security reasons
2018-01-26 05:28:11 07[IKE] <<Tunnel Name>2-1|344> initiating Aggressive Mode IKE_SA <Tunnel Name>2-1[344] to <ASA IP>
SG310_WP01_SFOS 17.0.3 MR-3#
Yeah we only use Main Mode too. It's one of those weird things I stumbled on while playing with this. Sometimes when I can't get all of the SA's to come up if I go into the ipsec profile and switch it to aggressive they will all come up. The other end is set to Main Mode. It won't stay stable in Aggressive Mode, but sometimes switching back and forth between the two will get it to run for a full day without a drop. No clue why.
ok, So loaded up MR-5 last night on my XG. After the XG rebooted (after it's update was complete), my vpn tunnel did not successfully come back up all the way. I still had some SA's that were red and the tunnel was not fully up. Now to be fair, this was right after the update was applied and perhaps it was busy doing other things, but that tunnel should of come up "clean and green" after the reboot. So I had to manually disconnect and reconnect my tunnel after the reboot from the firmware upgrade.
That being said, we're no longer seeing all those "Invalid SPI" error messages that we used to either. So I've turned on debugging for strongswan in case the SA's dont re-establish themselves again.
We'll see what happens.
-Scott