[Swan] ipsec auto --status output changes

Paul Wouters paul at nohats.ca
Fri Jun 21 01:19:50 EEST 2013


Hi,

In Helsinki we talked about making it clearer what the ipsec auto
--status output shows. Specifically, what I remember we wanted was:

- Display FIPS and SElinux mode
- Display "config setup" options
- Clearly separate "connections" from "states"

I've done that now. I also added the compile flags for some of our file
paths (e.g. libexecdir, sbindir, libdir). Please let me know if you would
like to see something different from the below example output. I'd rather
break things once :)

Paul


000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface br0/br0 76.10.157.69
000 interface br0/br0 76.10.157.69
000 interface br0:1/br0:1 10.0.0.137
000 interface br0:1/br0:1 10.0.0.137
000 interface virbr2/virbr2 192.168.7.1
000 interface virbr2/virbr2 192.168.7.1
000 interface swan13/swan13 192.1.3.253
000 interface swan13/swan13 192.1.3.253
000 interface virbr3/virbr3 192.168.200.1
000 interface virbr3/virbr3 192.168.200.1
000 interface swan03/swan03 192.0.3.127
000 interface swan03/swan03 192.0.3.127
000 interface swan02/swan02 192.0.2.127
000 interface swan02/swan02 192.0.2.127
000 interface swan14/swan14 192.1.4.253
000 interface swan14/swan14 192.1.4.253
000 interface virbr1/virbr1 192.168.222.1
000 interface virbr1/virbr1 192.168.222.1
000 interface virbr0/virbr0 192.168.122.1
000 interface virbr0/virbr0 192.168.122.1
000 interface swan12/swan12 192.1.2.253
000 interface swan12/swan12 192.1.2.253
000 interface virbr5/virbr5 192.168.223.1
000 interface virbr5/virbr5 192.168.223.1
000 interface swan01/swan01 192.0.1.127
000 interface swan01/swan01 192.0.1.127
000 interface swan92/swan92 192.9.2.253
000 interface swan92/swan92 192.9.2.253
000 interface virbr4/virbr4 192.168.210.1
000 interface virbr4/virbr4 192.168.210.1
000 interface swan94/swan94 192.9.4.253
000 interface swan94/swan94 192.9.4.253
000 
000 FIPS=no
000 SElinux=disabled
000 
000 config setup options:
000 
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d, dumpdir=/var/run/pluto
000 sbindir=/usr/local/sbin, libdir=/usr/local/libexec/ipsec, libexecdir=/usr/local/libexec/ipsec
000 nhelpers=-1, uniqueids=yes, retransmits=yes, force_busy=no
000 ikeport=500, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>
000 secctx_attr_value=0
000 %myid = (none)
000 debug raw+crypt+parsing+emitting+control+lifecycle+kernel+dns+oppo+controlmore+pfkey+nattraversal+x509+dpd+oppoinfo
000 
000 nat_traversal=yes, keep_alive=20, nat_ikeport=4500, disable_port_floating=no
000 virtual_private (%priv):
000 - allowed 5 subnets: 10.0.0.0/8, 192.168.0.0/16, 25.0.0.0/8, fd00::/8, fe80::/10
000 - disallowed 1 subnet: 172.16.0.0/12
000 
000 ESP algorithms supported:
000 
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
000 
000 IKE algorithms supported:
000 
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashsize=48
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000 
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,5,64} trans={0,5,3072} attrs={0,5,2048} 
000 
000 
000 Connection status:
000 
000 "redhat": 10.10.57.180/32===76.10.157.69[@RH-standard,+MC+XC+S=C]---76.10.157.65...66.187.233.55<66.187.233.55>[MS+XS+S=C]===0.0.0.0/0; erouted; eroute owner: #4
000 "redhat":     oriented; my_ip=10.10.57.180; their_ip=unset;
000 "redhat":   xauth info: us:client, them:server,  my_xauthuser=pwouters; their_xauthuser=[any]; ;
000 "redhat":   modecfg info: us:client, them:server, modecfg policy:push, dns1:unset, dns2:unset;
000 "redhat":   labeled_ipsec:no, loopback:no; 
000 "redhat":    policy_label:unset; 
000 "redhat": 10.10.57.180/32===76.10.157.69[@,+MC+XC+S=C]---76.10.157.65...66.187.233.55[MS+XS+S=C]===10.0.0.0/8; erouted; eroute owner: #4
000 "redhat":     oriented; my_ip=10.10.57.180; their_ip=unset;
000 "redhat":   xauth info: us:client, them:server,  my_xauthuser=pwouters; their_xauthuser=[any]; ;
000 "redhat":   modecfg info: us:client, them:server, modecfg policy:push, dns1:unset, dns2:unset;
000 "redhat":   labeled_ipsec:no, loopback:no; 
000 "redhat":    policy_label:unset; 
000 "redhat":   ike_life: 86400s; ipsec_life: 86400s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; sha2_truncbug:yes; initial_contact:yes;
000 "redhat":   policy: PSK+ENCRYPT+TUNNEL+PFS+DONTREKEY+UP+XAUTH+AGGRESSIVE+IKEv2ALLOW+IKE_FRAG; 
000 "redhat":   prio: 32,32; interface: br0; metric: 0, mtu: unset;
000 "redhat":   dpd: action:hold; delay:30; timeout:60; nat-t: force_encaps:yes; nat_keepalive:yes;
000 "redhat":   newest ISAKMP SA: #3; newest IPsec SA: #4; 
000 "redhat":   IKE algorithms wanted: AES_CBC(7)_000-SHA1(2)_000-MODP1536(5), AES_CBC(7)_000-SHA1(2)_000-MODP1024(2)
000 "redhat":   IKE algorithms found:  AES_CBC(7)_128-SHA1(2)_160-MODP1536(5)AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)
000 "redhat":   IKE algorithm newest: AES_CBC_128-SHA1-MODP1536
000 "redhat":   ESP algorithms wanted: AES(12)_000-SHA1(2)_000; pfsgroup=MODP1024(2)
000 "redhat":   ESP algorithms loaded: AES(12)_128-SHA1(2)_160
000 "redhat":   ESP algorithm newest: AES_256-HMAC_SHA1; pfsgroup=MODP1024
000 
000 Total IPsec connections: loaded 1, active 1
000 
000 
000 State Status:
000 
000 #4: "redhat":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE_IF_USED in 85370s; newest IPSEC; eroute owner; isakmp#3; idle; import:admin initiate
000 #4: "redhat" esp.311867fd at 66.187.233.55 esp.c03c612d at 76.10.157.69 tun.0 at 66.187.233.55 tun.0 at 76.10.157.69 ref=0 refhim=4294901761 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B XAUTHuser=pwouters
000 #3: "redhat":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_EXPIRE in 86332s; newest ISAKMP; lastdpd=8s(seq in:32405 out:0); idle; import:admin initiate
000 
000 Shunt Status:
000
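The sections the message describes (FIPS/SElinux line, "config setup options", "Connection status", "State Status") are regular enough to parse, which is what you want when auditing a fleet rather than eyeballing one dump. The following is an added example, not code from the message or from the Libreswan project: it splits the whack status output into those sections, then raises the findings a reviewer would raise from this particular dump (FIPS off, crypt/raw debugging on, IKEv1 aggressive mode with PSK, DH groups below 2048 bits). The embedded sample is an abbreviated excerpt of the output quoted above; the weak-algorithm thresholds and finding texts are the example's own choices.

```python
import re
from collections import defaultdict

# Abbreviated excerpt of the "ipsec auto --status" output quoted in the
# message (the "000 " prefix is pluto's whack status line prefix).
SAMPLE = """\
000 using kernel interface: netkey
000 interface br0/br0 76.10.157.69
000
000 FIPS=no
000 SElinux=disabled
000
000 config setup options:
000
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d, dumpdir=/var/run/pluto
000 nhelpers=-1, uniqueids=yes, retransmits=yes, force_busy=no
000 ikeport=500, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>
000 debug raw+crypt+parsing+emitting+control+lifecycle+kernel+dns+oppo+controlmore+pfkey+nattraversal+x509+dpd+oppoinfo
000
000 Connection status:
000
000 "redhat": 10.10.57.180/32===76.10.157.69[@RH-standard,+MC+XC+S=C]---76.10.157.65...66.187.233.55<66.187.233.55>[MS+XS+S=C]===0.0.0.0/0; erouted; eroute owner: #4
000 "redhat":   ike_life: 86400s; ipsec_life: 86400s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; sha2_truncbug:yes; initial_contact:yes;
000 "redhat":   policy: PSK+ENCRYPT+TUNNEL+PFS+DONTREKEY+UP+XAUTH+AGGRESSIVE+IKEv2ALLOW+IKE_FRAG;
000 "redhat":   IKE algorithm newest: AES_CBC_128-SHA1-MODP1536
000 "redhat":   ESP algorithm newest: AES_256-HMAC_SHA1; pfsgroup=MODP1024
000
000 Total IPsec connections: loaded 1, active 1
000
000 State Status:
000
000 #4: "redhat":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE_IF_USED in 85370s; newest IPSEC; eroute owner; isakmp#3; idle; import:admin initiate
000 #3: "redhat":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_EXPIRE in 86332s; newest ISAKMP; lastdpd=8s(seq in:32405 out:0); idle; import:admin initiate
000
000 Shunt Status:
000
"""

# Header lines that switch the parser between the sections of the dump.
SECTION_HEADERS = {
    "config setup options:": "setup",
    "ESP algorithms supported:": "algorithms",   # listing only, not parsed here
    "IKE algorithms supported:": "algorithms",
    "Connection status:": "connections",
    "State Status:": "states",
    "Shunt Status:": "shunts",
}

# Example thresholds: DH groups below 2048 bits and legacy cipher/hash tokens.
WEAK_DH = {"MODP768", "MODP1024", "MODP1536"}
WEAK_TOKENS = {"DES", "3DES", "MD5", "NULL"}


def parse_status(text):
    """Split whack status output into the sections the message describes."""
    status = {"kernel": None, "fips": None, "selinux": None, "setup": {},
              "debug": [], "connections": defaultdict(dict), "states": {}}
    section = "header"
    for raw in text.splitlines():
        if not raw.startswith("000"):
            continue                                  # not a whack status line
        line = raw[3:].strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            section = SECTION_HEADERS[line]
            continue
        if section == "header":
            if line.startswith("using kernel interface:"):
                status["kernel"] = line.split(":", 1)[1].strip()
            m = re.match(r"(FIPS|SElinux)=(\S+)$", line)
            if m:
                status[m.group(1).lower()] = m.group(2)
        elif section == "setup":
            if line.startswith("debug "):
                status["debug"] = line[len("debug "):].split("+")
            else:                                     # "key=value, key=value" lines
                for kv in line.split(", "):
                    k, sep, v = kv.partition("=")
                    if sep:
                        status["setup"][k.strip()] = v.strip()
        elif section == "connections":
            m = re.match(r'"([^"]+)":\s*(.*)', line)
            if not m:
                continue                              # "Total IPsec connections" summary
            name, rest = m.groups()
            conn = status["connections"][name]
            for item in rest.split(";"):              # "key: value" or "key=value" items
                item = item.strip()
                if "===" in item:
                    conn["selectors"] = item          # left===gateway...peer===right
                elif ":" in item:
                    k, v = item.split(":", 1)
                    conn[k.strip()] = v.strip()
                elif "=" in item:
                    k, v = item.split("=", 1)
                    conn[k.strip()] = v.strip()
        elif section == "states":
            m = re.match(r'#(\d+): "([^"]+)"(?::\d+)? (STATE_\w+)', line)
            if m:                                     # skips the esp.<spi> detail line
                status["states"][int(m.group(1))] = {"conn": m.group(2), "state": m.group(3)}
    return status


def audit(status):
    """Return the findings a reviewer would raise from a parsed status dump."""
    findings = []
    if status["fips"] != "yes":
        findings.append("FIPS mode is not enabled (FIPS=%s)" % status["fips"])
    if {"raw", "crypt"} & set(status["debug"]):
        findings.append("debug raw/crypt enabled: packet and crypto internals go to the log")
    for name, conn in sorted(status["connections"].items()):
        policy = set(conn.get("policy", "").split("+"))
        if {"PSK", "AGGRESSIVE"} <= policy:
            findings.append('"%s": IKEv1 aggressive mode with PSK (IDs and PSK-derived hash sent unencrypted)' % name)
        if conn.get("sha2_truncbug") == "yes":
            findings.append('"%s": sha2_truncbug:yes (non-RFC 4868 SHA2 truncation for old-kernel interop)' % name)
        for label in ("IKE algorithm newest", "ESP algorithm newest", "pfsgroup"):
            tokens = set(re.split(r"[-_]", conn.get(label, "")))
            weak = tokens & (WEAK_DH | WEAK_TOKENS)
            if weak:
                findings.append('"%s": %s uses %s' % (name, label, ", ".join(sorted(weak))))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_status(SAMPLE)):
        print(finding)
```

Feed it `ipsec auto --status` output from a live host (`ipsec auto --status | python3 audit.py`-style, after swapping SAMPLE for `sys.stdin.read()`) to get the same findings; on this dump it reports the disabled FIPS mode, the full debug set, aggressive-mode PSK, the sha2_truncbug workaround, and the 1536/1024-bit DH groups, while the ESP cipher line (AES_256-HMAC_SHA1) passes.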