[Swan] ipsec auto --status output changes

David McCullough ucdevel at gmail.com
Fri Jun 21 02:22:42 EEST 2013


Paul Wouters wrote the following:
> 
> Hi,
> 
> In Helsinki we talked about making it clearer what the ipsec auto
> --status output shows. Specifically, what I remember we wanted was:
> 
> - Display FIPS and SElinux mode
> - Display "config setup" options
> - Clearly separate "connections" from "states"
> 
> I've done that now. I also added the compile flags for some of our file
> paths (eg libexecdir, sbindir, libdir). Please let me know if you would
> like to see something different from the below example output. I'd rather
> break things once :)


I only care about that last half (runtime state) as a general rule and that
seems to have changed very little so looks fine to me :-)

Cheers,
Davidm

> 000 using kernel interface: netkey
> 000 interface lo/lo ::1
> 000 interface lo/lo 127.0.0.1
> 000 interface lo/lo 127.0.0.1
> 000 interface br0/br0 76.10.157.69
> 000 interface br0/br0 76.10.157.69
> 000 interface br0:1/br0:1 10.0.0.137
> 000 interface br0:1/br0:1 10.0.0.137
> 000 interface virbr2/virbr2 192.168.7.1
> 000 interface virbr2/virbr2 192.168.7.1
> 000 interface swan13/swan13 192.1.3.253
> 000 interface swan13/swan13 192.1.3.253
> 000 interface virbr3/virbr3 192.168.200.1
> 000 interface virbr3/virbr3 192.168.200.1
> 000 interface swan03/swan03 192.0.3.127
> 000 interface swan03/swan03 192.0.3.127
> 000 interface swan02/swan02 192.0.2.127
> 000 interface swan02/swan02 192.0.2.127
> 000 interface swan14/swan14 192.1.4.253
> 000 interface swan14/swan14 192.1.4.253
> 000 interface virbr1/virbr1 192.168.222.1
> 000 interface virbr1/virbr1 192.168.222.1
> 000 interface virbr0/virbr0 192.168.122.1
> 000 interface virbr0/virbr0 192.168.122.1
> 000 interface swan12/swan12 192.1.2.253
> 000 interface swan12/swan12 192.1.2.253
> 000 interface virbr5/virbr5 192.168.223.1
> 000 interface virbr5/virbr5 192.168.223.1
> 000 interface swan01/swan01 192.0.1.127
> 000 interface swan01/swan01 192.0.1.127
> 000 interface swan92/swan92 192.9.2.253
> 000 interface swan92/swan92 192.9.2.253
> 000 interface virbr4/virbr4 192.168.210.1
> 000 interface virbr4/virbr4 192.168.210.1
> 000 interface swan94/swan94 192.9.4.253
> 000 interface swan94/swan94 192.9.4.253
> 000
> 000 FIPS=no
> 000 SElinux=disabled
> 000
> 000 config setup options:
> 000
> 000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d, dumpdir=/var/run/pluto
> 000 sbindir=/usr/local/sbin, libdir=/usr/local/libexec/ipsec, libexecdir=/usr/local/libexec/ipsec
> 000 nhelpers=-1, uniqueids=yes, retransmits=yes, force_busy=no
> 000 ikeport=500, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>
> 000 secctx_attr_value=0
> 000 %myid = (none)
> 000 debug raw+crypt+parsing+emitting+control+lifecycle+kernel+dns+oppo+controlmore+pfkey+nattraversal+x509+dpd+oppoinfo
> 000
> 000 nat_traversal=yes, keep_alive=20, nat_ikeport=4500, disable_port_floating=no
> 000 virtual_private (%priv):
> 000 - allowed 5 subnets: 10.0.0.0/8, 192.168.0.0/16, 25.0.0.0/8, fd00::/8, fe80::/10
> 000 - disallowed 1 subnet: 172.16.0.0/12
> 000
> 000 ESP algorithms supported:
> 000
> 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
> 000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
> 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288
> 000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=160, keysizemax=288
> 000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, keysizemin=160, keysizemax=288
> 000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, keysizemin=160, keysizemax=288
> 000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
> 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
> 000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
> 000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
> 000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
> 000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
> 000
> 000 IKE algorithms supported:
> 000
> 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> 000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
> 000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashsize=48
> 000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
> 000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
> 000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
> 000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
> 000
> 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,5,64} trans={0,5,3072} attrs={0,5,2048}
> 000
> 000
> 000 Connection status:
> 000
> 000 "redhat": 10.10.57.180/32===76.10.157.69[@RH-standard,+MC+XC+S=C]---76.10.157.65...66.187.233.55<66.187.233.55>[MS+XS+S=C]===0.0.0.0/0; erouted; eroute owner: #4
> 000 "redhat":     oriented; my_ip=10.10.57.180; their_ip=unset;
> 000 "redhat":   xauth info: us:client, them:server,  my_xauthuser=pwouters; their_xauthuser=[any]; ;
> 000 "redhat":   modecfg info: us:client, them:server, modecfg policy:push, dns1:unset, dns2:unset;
> 000 "redhat":   labeled_ipsec:no, loopback:no;
> 000 "redhat": policy_label:unset;
> 000 "redhat": 10.10.57.180/32===76.10.157.69[@,+MC+XC+S=C]---76.10.157.65...66.187.233.55[MS+XS+S=C]===10.0.0.0/8; erouted; eroute owner: #4
> 000 "redhat":     oriented; my_ip=10.10.57.180; their_ip=unset;
> 000 "redhat":   xauth info: us:client, them:server,  my_xauthuser=pwouters; their_xauthuser=[any]; ;
> 000 "redhat":   modecfg info: us:client, them:server, modecfg policy:push, dns1:unset, dns2:unset;
> 000 "redhat":   labeled_ipsec:no, loopback:no;
> 000 "redhat": policy_label:unset;
> 000 "redhat":   ike_life: 86400s; ipsec_life: 86400s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; sha2_truncbug:yes; initial_contact:yes;
> 000 "redhat":   policy: PSK+ENCRYPT+TUNNEL+PFS+DONTREKEY+UP+XAUTH+AGGRESSIVE+IKEv2ALLOW+IKE_FRAG;
> 000 "redhat":   prio: 32,32; interface: br0; metric: 0, mtu: unset;
> 000 "redhat":   dpd: action:hold; delay:30; timeout:60; nat-t: force_encaps:yes; nat_keepalive:yes;
> 000 "redhat":   newest ISAKMP SA: #3; newest IPsec SA: #4;
> 000 "redhat":   IKE algorithms wanted: AES_CBC(7)_000-SHA1(2)_000-MODP1536(5), AES_CBC(7)_000-SHA1(2)_000-MODP1024(2)
> 000 "redhat":   IKE algorithms found:  AES_CBC(7)_128-SHA1(2)_160-MODP1536(5)AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)
> 000 "redhat":   IKE algorithm newest: AES_CBC_128-SHA1-MODP1536
> 000 "redhat":   ESP algorithms wanted: AES(12)_000-SHA1(2)_000; pfsgroup=MODP1024(2)
> 000 "redhat":   ESP algorithms loaded: AES(12)_128-SHA1(2)_160
> 000 "redhat":   ESP algorithm newest: AES_256-HMAC_SHA1; pfsgroup=MODP1024
> 000
> 000 Total IPsec connections: loaded 1, active 1
> 000
> 000
> 000 State Status:
> 000
> 000 #4: "redhat":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE_IF_USED in 85370s; newest IPSEC; eroute owner; isakmp#3; idle; import:admin initiate
> 000 #4: "redhat" esp.311867fd@66.187.233.55 esp.c03c612d@76.10.157.69 tun.0@66.187.233.55 tun.0@76.10.157.69 ref=0 refhim=4294901761 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B XAUTHuser=pwouters
> 000 #3: "redhat":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_EXPIRE in 86332s; newest ISAKMP; lastdpd=8s(seq in:32405 out:0); idle; import:admin initiate
> 000
> 000 Shunt Status:
> 000
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan

-- 
David McCullough,  ucdevel at gmail.com,   Ph: 0410 560 763
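The new layout Paul describes (FIPS and SElinux flags, a "config setup options" block, and "Connection status" separated from "State Status" by bare "000" lines) is easy to consume from a script. The following is an added example, not code from this thread or from the libreswan project: a small Python parser for the whack status format, followed by the checks a reviewer would run over the parsed result (FIPS off, weak ESP transforms compiled in, a connection whose policy combines AGGRESSIVE with PSK). The sample output embedded in it is constructed in the quoted layout with made-up addresses, and the section names, keys and findings are this example's own choices.

```python
import re

# Constructed sample in the layout quoted in the thread (abridged; addresses made up).
SAMPLE = """\
000 interface br0/br0 192.0.2.10
000
000 FIPS=no
000 SElinux=disabled
000
000 config setup options:
000
000 ikeport=500, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>
000
000 ESP algorithms supported:
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000
000
000 Connection status:
000
000 "redhat": 10.10.57.180/32===192.0.2.10---192.0.2.1...198.51.100.5===0.0.0.0/0; erouted; eroute owner: #4
000 "redhat":   policy: PSK+ENCRYPT+TUNNEL+PFS+DONTREKEY+UP+XAUTH+AGGRESSIVE+IKEv2ALLOW+IKE_FRAG;
000 "redhat":   newest ISAKMP SA: #3; newest IPsec SA: #4;
000
000 Total IPsec connections: loaded 1, active 1
000
000
000 State Status:
000
000 #4: "redhat":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE_IF_USED in 85370s; newest IPSEC; eroute owner; isakmp#3; idle; import:admin initiate
000 #3: "redhat":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_EXPIRE in 86332s; newest ISAKMP; idle; import:admin initiate
000
000 Shunt Status:
"""

# Headers that open a new block in the output, mapped to the key they fill below.
SECTIONS = {"config setup options:": "config", "ESP algorithms supported:": "esp_algs",
            "IKE algorithms supported:": "ike_algs", "Connection status:": "connections",
            "State Status:": "states", "Shunt Status:": "shunts"}
ALG_RE = re.compile(r'^algorithm (ESP|IKE) ([\w ]+?): (.*)$')
CONN_RE = re.compile(r'^"([^"]+)":\s*(.*)$')
STATE_RE = re.compile(r'^#(\d+): "([^"]+)":(\d+) (STATE_\w+) \((.*?)\); (.*)$')
TOTAL_RE = re.compile(r'^Total IPsec connections: loaded (\d+), active (\d+)$')


def parse_kv(text):
    """'id=2, name=ESP_DES' -> {'id': '2', 'name': 'ESP_DES'}; items without '=' are dropped."""
    out = {}
    for item in text.split(","):
        key, sep, value = item.strip().partition("=")
        if sep:
            out[key.strip()] = value.strip()
    return out


def parse_status(text):
    """Split `ipsec auto --status` output into its global, connection and state parts."""
    st = {"fips": None, "selinux": None, "config": {}, "esp_algs": [], "ike_algs": [],
          "connections": {}, "totals": None, "states": {}, "shunts": []}
    section = None  # None = leading block (interfaces, FIPS, SElinux)
    for raw in text.splitlines():
        if not raw.startswith("000"):
            continue  # every whack status line carries the 000 comment code
        body = raw[3:].strip()
        if not body:
            continue  # a bare "000" is the blank separator line
        if body in SECTIONS:
            section = SECTIONS[body]
        elif section is None and body.startswith(("FIPS=", "SElinux=")):
            key, _, value = body.partition("=")
            st[key.lower()] = value
        elif section == "config":
            st["config"].update(parse_kv(body))
        elif section in ("esp_algs", "ike_algs") and (m := ALG_RE.match(body)):
            st[section].append({"kind": m.group(2), **parse_kv(m.group(3))})
        elif section == "connections" and (m := CONN_RE.match(body)):
            st["connections"].setdefault(m.group(1), []).append(m.group(2))
        elif section == "connections" and (m := TOTAL_RE.match(body)):
            st["totals"] = {"loaded": int(m.group(1)), "active": int(m.group(2))}
        elif section == "states" and (m := STATE_RE.match(body)):
            st["states"][int(m.group(1))] = {"conn": m.group(2), "port": int(m.group(3)),
                                             "state": m.group(4), "desc": m.group(5)}
        elif section == "shunts":
            st["shunts"].append(body)
    return st


def audit(st):
    """Defender-side checks over the parsed output; returns human-readable findings."""
    findings = []
    if st["fips"] == "no":
        findings.append("FIPS mode is off")
    for alg in st["esp_algs"]:
        if alg.get("name") in ("ESP_DES", "ESP_NULL"):
            findings.append("weak ESP transform available: " + alg["name"])
    for name, lines in st["connections"].items():
        flags = {f for l in lines if l.startswith("policy:") for f in l[7:].strip(" ;").split("+")}
        if {"AGGRESSIVE", "PSK"} <= flags:
            findings.append(f"connection {name}: aggressive mode with a PSK")
    return findings
```

Feed it real output with `parse_status(subprocess.check_output(["ipsec", "auto", "--status"], text=True))`; the parser keys only on the "000" prefix, the section headers and the `"name":` / `#n:` line shapes, so the extra per-connection detail lines in a full listing are collected verbatim under their connection and the secondary `#n: "conn" esp.…` traffic lines in the state block are simply skipped.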
