Untitled

a guest
Jul 30th, 2015
Both:
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    authby=secret
    keyexchange=ikev2
    mobike=no

--------------------------------------------------------

Node v5141:
conn quicknet-availo
    left=1.2.3.4
    leftsubnet=172.16.0.0/16
    leftid=@v5141
    leftfirewall=yes
    right=4.3.2.1
    rightsubnet=10.0.0.0/8
    rightid=@v6116
    forceencaps=yes
    auto=add

--------------------------------------------------------

Node v6116:
conn quicknet-availo
    left=4.3.2.1
    leftsubnet=10.0.0.0/8
    leftid=@v6116
    leftfirewall=yes
    right=1.2.3.4
    rightsubnet=172.16.0.0/16
    rightid=@v5141
    forceencaps=yes
    auto=add

--------------------------------------------------------

root@v5141: ~ #> ipsec statusall
Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-61-generic, x86_64):
uptime: 79 minutes, since Jul 30 14:33:22 2015
malloc: sbrk 2433024, mmap 0, used 346928, free 2086096
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity addrblock
Listening IP addresses:
1.2.3.4
Connections:
quicknet-availo: 1.2.3.4...4.3.2.1 IKEv2
quicknet-availo: local: [v5141] uses pre-shared key authentication
quicknet-availo: remote: [v6116] uses pre-shared key authentication
quicknet-availo: child: 172.16.0.0/16 === 10.0.0.0/8 TUNNEL
Security Associations (1 up, 0 connecting):
quicknet-availo[4]: ESTABLISHED 21 minutes ago, 1.2.3.4[v5141]...4.3.2.1[v6116]
quicknet-availo[4]: IKEv2 SPIs: fdd39a4062ab8d16_i 9db30a609e063eb7_r*, pre-shared key reauthentication in 33 minutes
quicknet-availo[4]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
quicknet-availo{4}: INSTALLED, TUNNEL, ESP in UDP SPIs: ca25ba32_i c9265656_o
quicknet-availo{4}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 468 bytes_o (6 pkts, 279s ago), rekeying in 7 minutes
quicknet-availo{4}: 172.16.0.0/16 === 10.0.0.0/8

root@v5141: ~ #> ip route list table 220
root@v5141: ~ #>
root@v5141: ~ #> ip xfrm policy
src 10.0.0.0/8 dst 172.16.0.0/16
dir fwd priority 1923
tmpl src 4.3.2.1 dst 1.2.3.4
proto esp reqid 4 mode tunnel
src 10.0.0.0/8 dst 172.16.0.0/16
dir in priority 1923
tmpl src 4.3.2.1 dst 1.2.3.4
proto esp reqid 4 mode tunnel
src 172.16.0.0/16 dst 10.0.0.0/8
dir out priority 1923
tmpl src 1.2.3.4 dst 4.3.2.1
proto esp reqid 4 mode tunnel

root@v6116: ~ #> ipsec up quicknet-availo
initiating IKE_SA quicknet-availo[3] to 1.2.3.4
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 4.3.2.1[500] to 1.2.3.4[500] (1212 bytes)
received packet: from 1.2.3.4[500] to 4.3.2.1[500] (440 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
remote host is behind NAT
authentication of 'v6116' (myself) with pre-shared key
establishing CHILD_SA quicknet-availo
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 4.3.2.1[4500] to 1.2.3.4[4500] (380 bytes)
received packet: from 1.2.3.4[4500] to 4.3.2.1[4500] (220 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
authentication of 'v5141' with pre-shared key successful
IKE_SA quicknet-availo[3] established between 4.3.2.1[v6116]...1.2.3.4[v5141]
scheduling reauthentication in 3325s
maximum IKE_SA lifetime 3505s
CHILD_SA quicknet-availo{3} established with SPIs c98d9ef0_i c7e79260_o and TS 10.0.0.0/8 === 172.16.0.0/16
connection 'quicknet-availo' established successfully