Strongswan5.3.5與Android5.0.2(小米)野蠻模式的L2TPoverIPsec的對接

野蠻模式需要改一下strongswan的agg的載荷順序，否則android不認第二條回包

[root@- etc]# cat ipsec.conf

# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup

conn %default

ikelifetime=60m

keylife=20m

rekeymargin=3m

keyingtries=1

keyexchange=ikev1

authby=secret

    aggressive=yes

conn net-net

    type=transport

left=192.168.0.132

leftsubnet=0.0.0.0/0

#leftid=@sun

leftid=@#313233

leftfirewall=yes

    right=192.168.0.124

rightsubnet=0.0.0.0/0

#rightid=@moon

#rightid=192.168.0.124

rightid=@#313233

auto=add

[root@- etc]# cat ipsec.secrets

@#313233 @#313233 : PSK 0saGVsbG8=

Dec 16 17:17:13 06[MGR] checkout IKE_SA

Dec 16 17:17:23 03[NET] received packet: from 192.168.0.124[500] to 192.168.0.132[500]

Dec 16 17:17:23 03[NET] waiting for data on sockets

Dec 16 17:17:23 05[MGR] checkout IKE_SA by message

Dec 16 17:17:23 05[MGR] created IKE_SA (unnamed)[2]

Dec 16 17:17:23 05[NET] <2> received packet: from 192.168.0.124[500] to 192.168.0.132[500] (607 bytes)

Dec 16 17:17:23 05[ENC] <2> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]

Dec 16 17:17:23 05[CFG] <2> looking for an ike config for 192.168.0.132...192.168.0.124

Dec 16 17:17:23 05[CFG] <2> ike config match: 3100 (192.168.0.132 192.168.0.124 IKEv1)

Dec 16 17:17:23 05[CFG] <2>   candidate: 192.168.0.132...192.168.0.124, prio 3100

Dec 16 17:17:23 05[CFG] <2> found matching ike config: 192.168.0.132...192.168.0.124 with prio 3100

Dec 16 17:17:23 05[IKE] <2> received FRAGMENTATION vendor ID

Dec 16 17:17:23 05[IKE] <2> received NAT-T (RFC 3947) vendor ID

Dec 16 17:17:23 05[IKE] <2> received draft-ietf-ipsec-nat-t-ike-02 vendor ID

Dec 16 17:17:23 05[IKE] <2> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID

Dec 16 17:17:23 05[IKE] <2> received draft-ietf-ipsec-nat-t-ike-00 vendor ID

Dec 16 17:17:23 05[IKE] <2> received DPD vendor ID

Dec 16 17:17:23 05[IKE] <2> 192.168.0.124 is initiating a Aggressive Mode IKE_SA

Dec 16 17:17:23 05[IKE] <2> IKE_SA (unnamed)[2] state change: CREATED => CONNECTING

Dec 16 17:17:23 05[CFG] <2> selecting proposal:

Dec 16 17:17:23 05[CFG] <2>   no acceptable ENCRYPTION_ALGORITHM found

Dec 16 17:17:23 05[CFG] <2> selecting proposal:

Dec 16 17:17:23 05[CFG] <2>   no acceptable ENCRYPTION_ALGORITHM found

Dec 16 17:17:23 05[CFG] <2> selecting proposal:

Dec 16 17:17:23 05[CFG] <2>   no acceptable ENCRYPTION_ALGORITHM found

Dec 16 17:17:23 05[CFG] <2> selecting proposal:

Dec 16 17:17:23 05[CFG] <2>   no acceptable ENCRYPTION_ALGORITHM found

Dec 16 17:17:23 05[CFG] <2> selecting proposal:

Dec 16 17:17:23 05[CFG] <2>   no acceptable DIFFIE_HELLMAN_GROUP found

Dec 16 17:17:23 05[CFG] <2> selecting proposal:

Dec 16 17:17:23 05[CFG] <2>   no acceptable PSEUDO_RANDOM_FUNCTION found

Dec 16 17:17:23 05[CFG] <2> selecting proposal:

Dec 16 17:17:23 05[CFG] <2>   no acceptable ENCRYPTION_ALGORITHM found

Dec 16 17:17:23 05[CFG] <2> selecting proposal:

Dec 16 17:17:23 05[CFG] <2>   no acceptable ENCRYPTION_ALGORITHM found

Dec 16 17:17:23 05[CFG] <2> selecting proposal:

Dec 16 17:17:23 05[CFG] <2>   no acceptable DIFFIE_HELLMAN_GROUP found

Dec 16 17:17:23 05[CFG] <2> selecting proposal:

Dec 16 17:17:23 05[CFG] <2>   no acceptable PSEUDO_RANDOM_FUNCTION found

Dec 16 17:17:23 05[CFG] <2> selecting proposal:

Dec 16 17:17:23 05[CFG] <2>   no acceptable ENCRYPTION_ALGORITHM found

Dec 16 17:17:23 05[CFG] <2> selecting proposal:

Dec 16 17:17:23 05[CFG] <2>   no acceptable ENCRYPTION_ALGORITHM found

Dec 16 17:17:23 05[CFG] <2> selecting proposal:

Dec 16 17:17:23 05[CFG] <2>   no acceptable ENCRYPTION_ALGORITHM found

Dec 16 17:17:23 05[CFG] <2> selecting proposal:

Dec 16 17:17:23 05[CFG] <2>   no acceptable ENCRYPTION_ALGORITHM found

Dec 16 17:17:23 05[CFG] <2> selecting proposal:

Dec 16 17:17:23 05[CFG] <2>   no acceptable ENCRYPTION_ALGORITHM found

Dec 16 17:17:23 05[CFG] <2> selecting proposal:

Dec 16 17:17:23 05[CFG] <2>   no acceptable ENCRYPTION_ALGORITHM found

Dec 16 17:17:23 05[CFG] <2> selecting proposal:

Dec 16 17:17:23 05[CFG] <2>   proposal matches

Dec 16 17:17:23 01[JOB] next event in 29s 993ms, waiting

Dec 16 17:17:23 05[CFG] <2> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024

Dec 16 17:17:23 05[CFG] <2> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/HMAC_MD5_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP, IKE:AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP

Dec 16 17:17:23 05[CFG] <2> selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

Dec 16 17:17:23 05[LIB] <2> size of DH secret exponent: 1023 bits

Dec 16 17:17:23 05[CFG] <2> looking for pre-shared key peer configs matching 192.168.0.132...192.168.0.124[123]

Dec 16 17:17:23 05[CFG] <2> peer config match local: 1 (ID_ANY)

Dec 16 17:17:23 05[CFG] <2> peer config match remote: 20 (ID_KEY_ID -> 31:32:33)

Dec 16 17:17:23 05[CFG] <2> ike config match: 3100 (192.168.0.132 192.168.0.124 IKEv1)

Dec 16 17:17:23 05[CFG] <2>   candidate "net-net", match: 1/20/3100 (me/other/ike)

Dec 16 17:17:23 05[CFG] <2> selected peer config "net-net"

Dec 16 17:17:23 05[IKE] <net-net|2> sending XAuth vendor ID

Dec 16 17:17:23 05[IKE] <net-net|2> sending DPD vendor ID

Dec 16 17:17:23 05[IKE] <net-net|2> sending NAT-T (RFC 3947) vendor ID

Dec 16 17:17:23 05[ENC] <net-net|2> generating AGGRESSIVE response 0 [ SA KE No ID V V V NAT-D NAT-D HASH ]

Dec 16 17:17:23 05[NET] <net-net|2> sending packet: from 192.168.0.132[500] to 192.168.0.124[500] (383 bytes)

Dec 16 17:17:23 05[MGR] <net-net|2> checkin IKE_SA net-net[2]

Dec 16 17:17:23 05[MGR] <net-net|2> check-in of IKE_SA successful.

Dec 16 17:17:23 04[NET] sending packet: from 192.168.0.132[500] to 192.168.0.124[500]

Dec 16 17:17:23 01[JOB] next event in 3s 999ms, waiting

Dec 16 17:17:23 03[NET] received packet: from 192.168.0.124[500] to 192.168.0.132[500]

Dec 16 17:17:23 03[NET] waiting for data on sockets

Dec 16 17:17:23 06[MGR] checkout IKE_SA by message

Dec 16 17:17:23 06[MGR] IKE_SA net-net[2] successfully checked out

Dec 16 17:17:23 06[NET] <net-net|2> received packet: from 192.168.0.124[500] to 192.168.0.132[500] (100 bytes)

Dec 16 17:17:23 06[ENC] <net-net|2> parsed AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]

Dec 16 17:17:23 06[IKE] <net-net|2> IKE_SA net-net[2] established between 192.168.0.132[123]...192.168.0.124[123]

Dec 16 17:17:23 06[IKE] <net-net|2> IKE_SA net-net[2] state change: CONNECTING => ESTABLISHED

Dec 16 17:17:23 06[IKE] <net-net|2> scheduling reauthentication in 3362s

Dec 16 17:17:23 06[IKE] <net-net|2> maximum IKE_SA lifetime 3542s

Dec 16 17:17:23 06[MGR] <net-net|2> checkin IKE_SA net-net[2]

Dec 16 17:17:23 06[MGR] <net-net|2> check-in of IKE_SA successful.

Dec 16 17:17:23 06[MGR] checkout IKE_SA

Dec 16 17:17:23 06[MGR] IKE_SA net-net[2] successfully checked out

Dec 16 17:17:23 06[MGR] <net-net|2> checkin IKE_SA net-net[2]

Dec 16 17:17:23 06[MGR] <net-net|2> check-in of IKE_SA successful.

Dec 16 17:17:23 01[JOB] next event in 3s 961ms, waiting

Dec 16 17:17:23 03[NET] received packet: from 192.168.0.124[500] to 192.168.0.132[500]

Dec 16 17:17:23 03[NET] waiting for data on sockets

Dec 16 17:17:23 06[MGR] checkout IKE_SA by message

Dec 16 17:17:23 06[MGR] IKE_SA net-net[2] successfully checked out

Dec 16 17:17:23 06[NET] <net-net|2> received packet: from 192.168.0.124[500] to 192.168.0.132[500] (92 bytes)

Dec 16 17:17:23 06[ENC] <net-net|2> parsed INFORMATIONAL_V1 request 3798126470 [ HASH N(INITIAL_CONTACT) ]

Dec 16 17:17:23 06[MGR] <net-net|2> checkin IKE_SA net-net[2]

Dec 16 17:17:23 06[MGR] <net-net|2> check-in of IKE_SA successful.

Dec 16 17:17:24 03[NET] received packet: from 192.168.0.124[500] to 192.168.0.132[500]

Dec 16 17:17:24 03[NET] waiting for data on sockets

Dec 16 17:17:24 05[MGR] checkout IKE_SA by message

Dec 16 17:17:24 05[MGR] IKE_SA net-net[2] successfully checked out

Dec 16 17:17:24 05[NET] <net-net|2> received packet: from 192.168.0.124[500] to 192.168.0.132[500] (340 bytes)

Dec 16 17:17:24 05[ENC] <net-net|2> parsed QUICK_MODE request 3151986099 [ HASH SA No ID ID ]

Dec 16 17:17:24 05[CFG] <net-net|2> looking for a child config for 192.168.0.132/32[udp/l2tp] === 192.168.0.124/32[udp] 

Dec 16 17:17:24 05[CFG] <net-net|2> proposing traffic selectors for us:

Dec 16 17:17:24 05[CFG] <net-net|2>  0.0.0.0/0

Dec 16 17:17:24 05[CFG] <net-net|2> proposing traffic selectors for other:

Dec 16 17:17:24 05[CFG] <net-net|2>  0.0.0.0/0

Dec 16 17:17:24 05[CFG] <net-net|2>   candidate "net-net" with prio 1+1

Dec 16 17:17:24 05[CFG] <net-net|2> found matching child config "net-net" with prio 2

Dec 16 17:17:24 05[CFG] <net-net|2> selecting traffic selectors for other:

Dec 16 17:17:24 05[CFG] <net-net|2>  config: 0.0.0.0/0, received: 192.168.0.124/32[udp] => match: 192.168.0.124/32[udp]

Dec 16 17:17:24 05[CFG] <net-net|2> selecting traffic selectors for us:

Dec 16 17:17:24 05[CFG] <net-net|2>  config: 0.0.0.0/0, received: 192.168.0.132/32[udp/l2tp] => match: 192.168.0.132/32[udp/l2tp]

Dec 16 17:17:24 05[CFG] <net-net|2> selecting proposal:

Dec 16 17:17:24 05[CFG] <net-net|2>   no acceptable ENCRYPTION_ALGORITHM found

Dec 16 17:17:24 05[CFG] <net-net|2> selecting proposal:

Dec 16 17:17:24 05[CFG] <net-net|2>   no acceptable ENCRYPTION_ALGORITHM found

Dec 16 17:17:24 05[CFG] <net-net|2> selecting proposal:

Dec 16 17:17:24 05[CFG] <net-net|2>   no acceptable ENCRYPTION_ALGORITHM found

Dec 16 17:17:24 05[CFG] <net-net|2> selecting proposal:

Dec 16 17:17:24 05[CFG] <net-net|2>   no acceptable ENCRYPTION_ALGORITHM found

Dec 16 17:17:24 05[CFG] <net-net|2> selecting proposal:

Dec 16 17:17:24 05[CFG] <net-net|2>   proposal matches

Dec 16 17:17:24 05[CFG] <net-net|2> received proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ, ESP:DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:DES_CBC/HMAC_MD5_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_MD5_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_MD5_96/NO_EXT_SEQ

Dec 16 17:17:24 05[CFG] <net-net|2> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ

Dec 16 17:17:24 05[CFG] <net-net|2> selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ

Dec 16 17:17:24 05[IKE] <net-net|2> received 28800s lifetime, configured 1200s

Dec 16 17:17:24 05[KNL] <net-net|2> got SPI c05d1053

Dec 16 17:17:24 05[ENC] <net-net|2> generating QUICK_MODE response 3151986099 [ HASH SA No ID ID ]

Dec 16 17:17:24 05[NET] <net-net|2> sending packet: from 192.168.0.132[500] to 192.168.0.124[500] (172 bytes)

Dec 16 17:17:24 05[MGR] <net-net|2> checkin IKE_SA net-net[2]

Dec 16 17:17:24 05[MGR] <net-net|2> check-in of IKE_SA successful.

Dec 16 17:17:24 04[NET] sending packet: from 192.168.0.132[500] to 192.168.0.124[500]

Dec 16 17:17:24 01[JOB] next event in 2s 921ms, waiting

Dec 16 17:17:24 03[NET] received packet: from 192.168.0.124[500] to 192.168.0.132[500]

Dec 16 17:17:24 03[NET] waiting for data on sockets

Dec 16 17:17:24 06[MGR] checkout IKE_SA by message

Dec 16 17:17:24 06[MGR] IKE_SA net-net[2] successfully checked out

Dec 16 17:17:24 06[NET] <net-net|2> received packet: from 192.168.0.124[500] to 192.168.0.132[500] (68 bytes)

Dec 16 17:17:24 06[ENC] <net-net|2> parsed QUICK_MODE request 3151986099 [ HASH ]

Dec 16 17:17:24 06[CHD] <net-net|2>   using AES_CBC for encryption

Dec 16 17:17:24 06[CHD] <net-net|2>   using HMAC_SHA1_96 for integrity

Dec 16 17:17:24 06[CHD] <net-net|2> adding inbound ESP SA

Dec 16 17:17:24 06[CHD] <net-net|2>   SPI 0xc05d1053, src 192.168.0.124 dst 192.168.0.132

Dec 16 17:17:24 06[KNL] <net-net|2> adding SAD entry with SPI c05d1053 and reqid {1}  (mark 0/0x00000000)

Dec 16 17:17:24 06[KNL] <net-net|2>   using encryption algorithm AES_CBC with key size 128

Dec 16 17:17:24 06[KNL] <net-net|2>   using integrity algorithm HMAC_SHA1_96 with key size 160

Dec 16 17:17:24 06[KNL] <net-net|2>   using replay window of 32 packets

Dec 16 17:17:24 06[CHD] <net-net|2> adding outbound ESP SA

Dec 16 17:17:24 06[CHD] <net-net|2>   SPI 0x0451dfc2, src 192.168.0.132 dst 192.168.0.124

Dec 16 17:17:24 06[KNL] <net-net|2> adding SAD entry with SPI 0451dfc2 and reqid {1}  (mark 0/0x00000000)

Dec 16 17:17:24 06[KNL] <net-net|2>   using encryption algorithm AES_CBC with key size 128

Dec 16 17:17:24 06[KNL] <net-net|2>   using integrity algorithm HMAC_SHA1_96 with key size 160

Dec 16 17:17:24 06[KNL] <net-net|2>   using replay window of 32 packets

Dec 16 17:17:24 06[KNL] <net-net|2> adding policy 192.168.0.132/32[udp/l2tp] === 192.168.0.124/32[udp] out  (mark 0/0x00000000)

Dec 16 17:17:24 06[KNL] <net-net|2> adding policy 192.168.0.124/32[udp] === 192.168.0.132/32[udp/l2tp] in  (mark 0/0x00000000)

Dec 16 17:17:24 06[KNL] <net-net|2> policy 192.168.0.132/32[udp/l2tp] === 192.168.0.124/32[udp] out  (mark 0/0x00000000) already exists, increasing refcount

Dec 16 17:17:24 06[KNL] <net-net|2> updating policy 192.168.0.132/32[udp/l2tp] === 192.168.0.124/32[udp] out  (mark 0/0x00000000)

Dec 16 17:17:24 06[KNL] <net-net|2> policy 192.168.0.124/32[udp] === 192.168.0.132/32[udp/l2tp] in  (mark 0/0x00000000) already exists, increasing refcount

Dec 16 17:17:24 06[KNL] <net-net|2> updating policy 192.168.0.124/32[udp] === 192.168.0.132/32[udp/l2tp] in  (mark 0/0x00000000)

Dec 16 17:17:24 06[IKE] <net-net|2> CHILD_SA net-net{1} established with SPIs c05d1053_i 0451dfc2_o and TS 192.168.0.132/32[udp/l2tp] === 192.168.0.124/32[udp] 

Dec 16 17:17:24 06[KNL] <net-net|2> 192.168.0.132 is on interface eno16777736

Dec 16 17:17:24 06[MGR] <net-net|2> checkin IKE_SA net-net[2]

Dec 16 17:17:24 06[MGR] <net-net|2> check-in of IKE_SA successful.

[root@- strongswan.d]# 

[root@- strongswan.d]# ipsec statusall

Status of IKE charon daemon (weakSwan 5.3.3, Linux 3.4.44, x86_64):

  uptime: 71 seconds, since Dec 16 17:16:27 2015

  malloc: sbrk 2039808, mmap 0, used 1261712, free 778096

  worker threads: 1 of 6 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3

  loaded plugins: charon pkcs11 aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown eap-identity eap-md5 eap-mschapv2 eap-radius xauth-generic unity

Listening IP addresses:

  192.168.0.132

  192.168.152.150

  192.168.152.132

  192.168.233.128

Connections:

     net-net:  192.168.0.132...192.168.0.124  IKEv1 Aggressive

     net-net:   local:  [123] uses pre-shared key authentication

     net-net:   remote: [123] uses pre-shared key authentication

     net-net:   child:  0.0.0.0/0 === 0.0.0.0/0 TRANSPORT

Security Associations (1 up, 0 connecting):

     net-net[2]: ESTABLISHED 14 seconds ago, 192.168.0.132[123]...192.168.0.124[123]

     net-net[2]: IKEv1 SPIs: 729e4d22569d0439_i 189a0d575784bdfc_r*, pre-shared key reauthentication in 55 minutes

     net-net[2]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

     net-net{1}:  INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c05d1053_i 0451dfc2_o

     net-net{1}:  AES_CBC_128/HMAC_SHA1_96, 115 bytes_i (1 pkt, 13s ago), 0 bytes_o, rekeying in 14 minutes

     net-net{1}:   192.168.0.132/32[udp/l2tp] === 192.168.0.124/32[udp] 

No leaks detected, 1 suppressed by whitelist

[root@- strongswan.d]#