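I'm trying to connect to my LAN from an iPhone using a Cisco IPsec VPN connection. I can connect to the VPN, but I can't access any LAN devices.
Hardware and software:
Networking information:
Network scheme, see image: https://dl.dropboxusercontent.com/u/2261256/forums/ipsec/IPsec_diagram.png (I have since changed the virtual IP to 10.11.0.0/24)
ipsec.conf file: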

    conn %default
        keyexchange=ikev1
        authby=xauthrsasig
        xauth=server

    conn ios
        left=%defaultroute
        leftsubnet=0.0.0.0/0
        leftcert=serverLupoCert.pem
        leftfirewall=yes
        right=%any
        rightsubnet=10.11.0.0/24
        rightsourceip=10.11.0.0/24
        auto=add
        rightcert=clientLupoCert.pem

ip -4 output:

    1: lo: <LOOPBACK,MULTICAST,UP,10000> mtu 16436 qdisc noqueue
        inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
        inet 86.xxx/24 brd 86.xx255 scope global eth0
    6: br0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue
        inet 192.168.2.1/24 brd 192.168.2.255 scope global br0
    7: tun21: <POINTOPOINT,MULTICAST,NOARP,PROMISC,UP,10000> mtu 1500 qdisc pfifo_fast qlen 100
        inet 10.8.2.1 peer 10.8.2.2/32 scope global tun21
    8: tun11: <POINTOPOINT,MULTICAST,NOARP,UP,10000> mtu 1500 qdisc pfifo_fast qlen 100
        inet 10.8.0.6 peer 10.8.0.5/32 scope global tun11

(tun21 and tun11 come from the OpenVPN server, which also runs on the router; I will remove it once I get IPsec working)
iptables-save command:

    # Generated by iptables-save v1.3.8 on Fri Nov 15 20:55:26 2013
    *nat
    :PREROUTING ACCEPT [17927:1127507]
    :POSTROUTING ACCEPT [704:67870]
    :OUTPUT ACCEPT [703:67443]
    :LOCALSRV - [0:0]
    :VSERVER - [0:0]
    :VUPNP - [0:0]
    :YADNS - [0:0]
    -A PREROUTING -p tcp -m tcp --dport 1194 -j ACCEPT
    -A PREROUTING -d 86.xxx -j VSERVER
    -A POSTROUTING -s 192.168.2.0/255.255.255.0 -o tun11 -j MASQUERADE
    -A POSTROUTING -s ! 86.xxx -o eth0 -j MASQUERADE
    -A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE
    -A VSERVER -p tcp -m tcp --dport 1184 -j DNAT --to-destination 192.168.2.100:1194
    -A VSERVER -p udp -m udp --dport 1184 -j DNAT --to-destination 192.168.2.100:1194
    -A VSERVER -j VUPNP
    -A VUPNP -p udp -m udp --dport 49691 -j DNAT --to-destination 192.168.2.11:16402
    COMMIT
    # Completed on Fri Nov 15 20:55:26 2013
    # Generated by iptables-save v1.3.8 on Fri Nov 15 20:55:26 2013
    *mangle
    :PREROUTING ACCEPT [26923:1984100]
    :INPUT ACCEPT [7606:841647]
    :FORWARD ACCEPT [18118:1006712]
    :OUTPUT ACCEPT [5967:2717306]
    :POSTROUTING ACCEPT [8396:2870974]
    -A PREROUTING -d 86.xxx -i ! eth0 -j MARK --set-mark 0xd001
    COMMIT
    # Completed on Fri Nov 15 20:55:26 2013
    # Generated by iptables-save v1.3.8 on Fri Nov 15 20:55:26 2013
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [5912:2703854]
    :FUPNP - [0:0]
    :PControls - [0:0]
    :logaccept - [0:0]
    :logdrop - [0:0]
    -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
    -A INPUT -p udp -m udp --dport 500 -j ACCEPT
    -A INPUT -i tun11 -j ACCEPT
    -A INPUT -i tun21 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
    -A INPUT -m state --state INVALID -j logdrop
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i lo -m state --state NEW -j ACCEPT
    -A INPUT -i br0 -m state --state NEW -j ACCEPT
    -A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 8082 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    -A INPUT -i eth0 -p tcp -m tcp --dport 1723 -j ACCEPT
    -A INPUT -p gre -j ACCEPT
    -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -j logdrop
    -A FORWARD -i tun11 -j ACCEPT
    -A FORWARD -i tun21 -j ACCEPT
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i ! br0 -o eth0 -j logdrop
    -A FORWARD -m state --state INVALID -j logdrop
    -A FORWARD -i br0 -o br0 -j ACCEPT
    -A FORWARD -i eth0 -p icmp -j DROP
    -A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
    -A FORWARD -i br0 -j ACCEPT
    -A FUPNP -d 192.168.2.11 -p udp -m udp --dport 16402 -j ACCEPT
    -A PControls -j ACCEPT
    -A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
    -A logaccept -j ACCEPT
    -A logdrop -m state --state NEW -j LOG --log-prefix "DROP" --log-tcp-sequence --log-tcp-options --log-ip-options
    -A logdrop -j DROP
    COMMIT
    # Completed on Fri Nov 15 20:55:26 2013

strongSwan log (log level 1):

    Nov 15 20:38:38 00[DMN] Starting IKE charon daemon (strongSwan 5.0.4, Linux 2.6.22.19, mips)
    Nov 15 20:38:38 00[LIB] openssl FIPS mode(0) unavailable
    Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
    Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
    Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
    Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
    Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
    Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
    Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
    Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
    Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
    Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
    Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
    Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
    Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
    Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
    Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
    Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
    Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
    Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
    Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
    Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
    Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
    Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
    Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
    Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
    Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
    Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
    Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
    Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
    Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
    Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
    Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
    Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
    Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
    Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
    Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
    Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
    Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
    Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
    Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
    Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
    Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
    Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
    Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
    Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
    Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
    Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
    Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
    Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
    Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
    Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
    Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
    Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
    Nov 15 20:38:38 00[CFG] attr-sql plugin: database URI not set
    Nov 15 20:38:38 00[LIB] plugin 'attr-sql': failed to load - attr_sql_plugin_create returned NULL
    Nov 15 20:38:38 00[CFG] disabling load-tester plugin, not configured
    Nov 15 20:38:38 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
    Nov 15 20:38:38 00[CFG] sql plugin: database URI not set
    Nov 15 20:38:38 00[LIB] plugin 'sql': failed to load - sql_plugin_create returned NULL
    Nov 15 20:38:38 00[CFG] loaded 0 RADIUS server configurations
    Nov 15 20:38:38 00[CFG] HA config misses local/remote address
    Nov 15 20:38:38 00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
    Nov 15 20:38:38 00[CFG] coupling file path unspecified
    Nov 15 20:38:38 00[LIB] plugin 'coupling': failed to load - coupling_plugin_create returned NULL
    Nov 15 20:38:38 00[CFG] loading ca certificates from '/opt/etc/ipsec.d/cacerts'
    Nov 15 20:38:38 00[CFG] loaded ca certificate "C=SI, O=Lupo, CN=86.xxx" from '/opt/etc/ipsec.d/cacerts/caLupoCert.pem'
    Nov 15 20:38:38 00[CFG] loading aa certificates from '/opt/etc/ipsec.d/aacerts'
    Nov 15 20:38:38 00[CFG] loading ocsp signer certificates from '/opt/etc/ipsec.d/ocspcerts'
    Nov 15 20:38:38 00[CFG] loading attribute certificates from '/opt/etc/ipsec.d/acerts'
    Nov 15 20:38:38 00[CFG] loading crls from '/opt/etc/ipsec.d/crls'
    Nov 15 20:38:38 00[CFG] loading secrets from '/opt/etc/ipsec.secrets'
    Nov 15 20:38:39 00[CFG] loaded RSA private key from '/opt/etc/ipsec.d/private/serverLupoKey.pem'
    Nov 15 20:38:39 00[CFG] loaded EAP secret for lupo
    Nov 15 20:38:39 00[DMN] loaded plugins: charon test-vectors curl ldap mysql sqlite pkcs11 aes des blowfish sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl gcrypt fips-prf gmp agent xcbc cmac hmac ctr ccm gcm attr kernel-pfkey kernel-klips kernel-netlink resolve socket-default socket-dynamic farp stroke smp updown eap-identity eap-md5 eap-mschapv2 eap-radius xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
    Nov 15 20:38:39 00[JOB] spawning 16 worker threads
    Nov 15 20:38:39 11[CFG] received stroke: add connection 'ios'
    Nov 15 20:38:39 11[CFG] left nor right host is our side, assuming left=local
    Nov 15 20:38:39 11[CFG] adding virtual IP address pool 10.11.0.0/24
    Nov 15 20:38:39 11[CFG] loaded certificate "C=SI, O=Lupo, CN=86.xxx" from 'serverLupoCert.pem'
    Nov 15 20:38:39 11[CFG] id '%any' not confirmed by certificate, defaulting to 'C=SI, O=Lupo, CN=86.xxx'
    Nov 15 20:38:39 11[CFG] loaded certificate "C=SI, O=Lupo, CN=clientLupo" from 'clientLupoCert.pem'
    Nov 15 20:38:39 11[CFG] id '%any' not confirmed by certificate, defaulting to 'C=SI, O=Lupo, CN=clientLupo'
    Nov 15 20:38:39 11[CFG] added configuration 'ios'
    Nov 15 20:38:41 13[NET] received packet: from 46.xxx[500] to 86.xxx[500] (668 bytes)
    Nov 15 20:38:41 13[ENC] parsed ID_PROT request 0 [ SA VVVVVVVVVVVVVV ]
    Nov 15 20:38:41 13[IKE] received NAT-T (RFC 3947) vendor ID
    Nov 15 20:38:41 13[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
    Nov 15 20:38:41 13[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    Nov 15 20:38:41 13[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    Nov 15 20:38:41 13[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    Nov 15 20:38:41 13[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    Nov 15 20:38:41 13[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    Nov 15 20:38:41 13[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Nov 15 20:38:41 13[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Nov 15 20:38:41 13[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Nov 15 20:38:41 13[IKE] received XAuth vendor ID
    Nov 15 20:38:41 13[IKE] received Cisco Unity vendor ID
    Nov 15 20:38:41 13[IKE] received FRAGMENTATION vendor ID
    Nov 15 20:38:41 13[IKE] received DPD vendor ID
    Nov 15 20:38:41 13[IKE] 46.xxx is initiating a Main Mode IKE_SA
    Nov 15 20:38:41 13[ENC] generating ID_PROT response 0 [ SA VVV ]
    Nov 15 20:38:41 13[NET] sending packet: from 86.xxx[500] to 46.xxx[500] (136 bytes)
    Nov 15 20:38:41 14[NET] received packet: from 46.xxx[500] to 86.xxx[500] (292 bytes)
    Nov 15 20:38:41 14[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
    Nov 15 20:38:41 14[IKE] sending cert request for "C=SI, O=Lupo, CN=86.xxx"
    Nov 15 20:38:41 14[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
    Nov 15 20:38:41 14[NET] sending packet: from 86.xxx[500] to 46.xxx[500] (371 bytes)
    Nov 15 20:38:42 12[NET] received packet: from 46.xxx[500] to 86.xxx[500] (1180 bytes)
    Nov 15 20:38:42 12[ENC] parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
    Nov 15 20:38:42 12[IKE] ignoring certificate request without data
    Nov 15 20:38:42 12[IKE] received end entity cert "C=SI, O=Lupo, CN=clientLupo"
    Nov 15 20:38:42 12[CFG] looking for XAuthInitRSA peer configs matching 86.xxx..46.xxx[C=SI, O=Lupo, CN=clientLupo]
    Nov 15 20:38:42 12[CFG] selected peer config "ios"
    Nov 15 20:38:42 12[CFG] using trusted ca certificate "C=SI, O=Lupo, CN=86.xxx"
    Nov 15 20:38:42 12[CFG] checking certificate status of "C=SI, O=Lupo, CN=clientLupo"
    Nov 15 20:38:42 12[CFG] certificate status is not available
    Nov 15 20:38:42 12[CFG] reached self-signed root ca with a path length of 0
    Nov 15 20:38:42 12[CFG] using trusted certificate "C=SI, O=Lupo, CN=clientLupo"
    Nov 15 20:38:42 12[IKE] authentication of 'C=SI, O=Lupo, CN=clientLupo' with RSA successful
    Nov 15 20:38:42 12[IKE] authentication of 'C=SI, O=Lupo, CN=86.xxx' (myself) successful
    Nov 15 20:38:42 12[IKE] sending end entity cert "C=SI, O=Lupo, CN=86.xxx"
    Nov 15 20:38:42 12[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
    Nov 15 20:38:42 12[NET] sending packet: from 86.xxx[500] to 46.xxx[500] (1212 bytes)
    Nov 15 20:38:42 12[ENC] generating TRANSACTION request 561743567 [ HASH CP ]
    Nov 15 20:38:42 12[NET] sending packet: from 86.xxx[500] to 46.xxx[500] (76 bytes)
    Nov 15 20:38:42 11[NET] received packet: from 46.xxx[500] to 86.xxx[500] (92 bytes)
    Nov 15 20:38:42 11[ENC] parsed TRANSACTION response 561743567 [ HASH CP ]
    Nov 15 20:38:42 11[IKE] XAuth authentication of 'lupo' successful
    Nov 15 20:38:42 11[ENC] generating TRANSACTION request 274787051 [ HASH CP ]
    Nov 15 20:38:42 11[NET] sending packet: from 86.xxx[500] to 46.xxx[500] (76 bytes)
    Nov 15 20:38:42 13[NET] received packet: from 46.xxx[500] to 86.xxx[500] (76 bytes)
    Nov 15 20:38:42 13[ENC] parsed TRANSACTION response 274787051 [ HASH CP ]
    Nov 15 20:38:42 13[IKE] IKE_SA ios[1] established between 86.xxx[C=SI, O=Lupo, CN=86.xxx]...46.xxx[C=SI, O=Lupo, CN=clientLupo]
    Nov 15 20:38:42 13[IKE] scheduling reauthentication in 10255s
    Nov 15 20:38:42 13[IKE] maximum IKE_SA lifetime 10795s
    Nov 15 20:38:42 12[NET] received packet: from 46.xxx[500] to 86.xxx[500] (172 bytes)
    Nov 15 20:38:42 12[ENC] unknown attribute type (28683)
    Nov 15 20:38:42 12[ENC] parsed TRANSACTION request 3928555748 [ HASH CP ]
    Nov 15 20:38:42 12[IKE] peer requested virtual IP %any
    Nov 15 20:38:42 12[CFG] assigning new lease to 'lupo'
    Nov 15 20:38:42 12[IKE] assigning virtual IP 10.11.0.1 to peer 'lupo'
    Nov 15 20:38:42 12[ENC] generating TRANSACTION response 3928555748 [ HASH CP ]
    Nov 15 20:38:42 12[NET] sending packet: from 86.xxx[500] to 46.xxx[500] (76 bytes)
    Nov 15 20:38:43 11[NET] received packet: from 46.xxx[500] to 86.xxx[500] (300 bytes)
    Nov 15 20:38:43 11[ENC] parsed QUICK_MODE request 1285665545 [ HASH SA No ID ID ]
    Nov 15 20:38:43 11[ENC] generating QUICK_MODE response 1285665545 [ HASH SA No ID ID ]
    Nov 15 20:38:43 11[NET] sending packet: from 86.xxx[500] to 46.xxx[500] (172 bytes)
    Nov 15 20:38:43 12[NET] received packet: from 46.xxx[500] to 86.xxx[500] (60 bytes)
    Nov 15 20:38:43 12[ENC] parsed QUICK_MODE request 1285665545 [ HASH ]
    Nov 15 20:38:43 12[IKE] CHILD_SA ios{1} established with SPIs cc71b640_i 052f82c7_o and TS 0.0.0.0/0 === 10.11.0.1/32
    Nov 15 20:39:05 13[CFG] received stroke: initiate 'ios'
    Nov 15 20:39:05 14[ENC] generating QUICK_MODE request 814387936 [ HASH SA No ID ID ]
    Nov 15 20:39:05 14[NET] sending packet: from 86.xxx[500] to 46.xxx[500] (236 bytes)
    Nov 15 20:39:06 11[NET] received packet: from 46.xxx[500] to 86.xxx[500] (172 bytes)
    Nov 15 20:39:06 11[ENC] parsed QUICK_MODE response 814387936 [ HASH SA No ID ID ]
    Nov 15 20:39:06 11[IKE] CHILD_SA ios{2} established with SPIs c32955c0_i 0a682529_o and TS 0.0.0.0/0 === 0.0.0.0/0
    Nov 15 20:39:06 11[ENC] generating QUICK_MODE request 814387936 [ HASH ]
    Nov 15 20:39:06 11[NET] sending packet: from 86.xxx[500] to 46.xxx[500] (60 bytes)
    Nov 15 20:39:06 16[KNL] creating acquire job for policy 86.xxx/32 === 46.xxx/32 with reqid {2}
    Nov 15 20:39:06 12[CFG] trap not found, unable to acquire reqid 2
    Nov 15 20:39:36 16[KNL] creating acquire job for policy 86.xxx/32 === 46.xxx/32 with reqid {2}
    Nov 15 20:39:36 11[CFG] trap not found, unable to acquire reqid 2

Is this a routing problem, or is it possible that strongSwan was not compiled properly or something?
ipsec status:

    Status of IKE charon daemon (strongSwan 5.0.4, Linux 2.6.22.19, mips):
      uptime: 15 seconds, since Nov 16 11:57:57 2013
      malloc: sbrk 180224, mmap 0, used 176472, free 3752
      worker threads: 3 of 16 idle, 12/1/0/0 working, job queue: 0/0/0/0, scheduled: 0
      loaded plugins: charon test-vectors curl ldap mysql sqlite pkcs11 aes des blowfish sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl gcrypt fips-prf gmp agent xcbc cmac hmac ctr ccm gcm attr kernel-pfkey kernel-klips kernel-netlink resolve socket-default socket-dynamic farp stroke smp updown eap-identity eap-md5 eap-mschapv2 eap-radius xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
    Virtual IP pools (size/online/offline):
      10.11.0.0/24: 254/0/0
    Listening IP addresses:
      86.xxx
      192.168.2.1
      10.8.2.1
      10.8.0.6
    Connections:
      ios: %any...%any IKEv1
      ios: local: [C=SI, O=HisaLupo, CN=86.xxx] uses public key authentication
      ios: cert: "C=SI, O=HisaLupo, CN=86.xxx"
      ios: remote: [C=SI, O=HisaLupo, CN=clientLupo] uses public key authentication
      ios: cert: "C=SI, O=HisaLupo, CN=clientLupo"
      ios: remote: uses XAuth authentication: any
      ios: child: 0.0.0.0/0 === 10.11.0.0/24 TUNNEL
    Security Associations (0 up, 0 connecting):
      none
