[Swan] net-to-net for road warriors

Alex mysqlstudent at gmail.com
Fri Jan 25 21:10:58 UTC 2019


Hi,

> left is the leftside of your paper diagram. Right is the rightside of
> your paper diagram. If you flip the paper, left becomes right, right
> becomes left. So in theory, you can use the identical configuration on
> both sides, and pluto will figure out if it is "left" or "right" on
> each server with that identical configuration. BUT.... in your case,
> remember you cannot re-use the identical configuration because you
> cannot use "%any" on both sides. Still, for each server, you can
> pick arbitrarily what is left or what is right, according to your
> paper diagram.

The dynamic IP does have a hostname that travels with any IP change
(courtesy of freedns.afraid.org), so this should mean I can use left
to mean local (orion) and right to mean remote (wyckoff) on both
sides, keeping the names the same on both sides, correct?

> > 003 "host-to-host" #1: Failed to find our RSA key
> >
> > Is there debugging I can add to help determine why this is happening again?
>
> If you are using rightrsasigkey= and leftrsasigkey= on keys properly
> generated inside the current NSS database with "ipsec newhostkey" then
> it should just work. I've talked a lot on the list in the past about
> failures to generate keys, move NSS files etc, so I won't repeat myself

It turns out the last three days that were spent making this work, and
likely the problem I was having back in October, were all due to this
bug you identified involving using --output to help it find its keys.

Now that I'm able to reliably build tunnels, I feel like now I can
actually work on how best to configure it.

The tunnel is built, but I cannot reach either side from the other. I
can ping wyckoff from orion but not vice-versa, and I cannot reach any
of the internal networks from either endpoint. I'd like to be able to
reach each endpoint from the other, as well as the private networks
from the alternate endpoints.

Now that we've established it's really just a site-to-site VPN, it
seems the config would be very simple, but it's not working right. Can
I ask you to again review my config to identify what I'm missing?

conn wyckofftun
        # VPN gateway with static IP (local)
        left=orion.example.com
        leftsubnets={192.168.1.0/24,68.195.193.40/29}
        leftid=@orion
        leftrsasigkey=0sAwEAAdAb4rdETczxNrLeBnheg2i...
        # dynamic IP (remote office)
        right=wyckoff.crabdance.com
        rightsubnets={192.168.11.0/24,192.168.10.0/24}
        rightrsasigkey=0sAwEAAdH7/d2i5iDV10K4ex1bc3fOg7JOS0M...
        rightid=@wyckoff
        auto=start
        rekey=no

I'm not sure what other info I can provide. Here is ipsec barf:
https://drive.google.com/file/d/1Z2rC48dF_MoJ7YgRA4ugAnkBTP8nAvTe/view?usp=sharing

ipsec status from orion:
000 using kernel interface: netkey
000 interface br0/br0 ::ec4:7aff:fea9:18de at 500
000 interface lo/lo ::1 at 500
000 interface lo/lo 127.0.0.1 at 4500
000 interface lo/lo 127.0.0.1 at 500
000 interface eth1/eth1 192.168.1.1 at 4500
000 interface eth1/eth1 192.168.1.1 at 500
000 interface eth1:2/eth1:2 192.168.6.1 at 4500
000 interface eth1:2/eth1:2 192.168.6.1 at 500
000 interface eth1:0/eth1:0 192.168.1.2 at 4500
000 interface eth1:0/eth1:0 192.168.1.2 at 500
000 interface eth1:1/eth1:1 192.168.1.100 at 4500
000 interface eth1:1/eth1:1 192.168.1.100 at 500
000 interface eth1:3/eth1:3 192.168.1.101 at 4500
000 interface eth1:3/eth1:3 192.168.1.101 at 500
000 interface br0/br0 68.195.193.42 at 4500
000 interface br0/br0 68.195.193.42 at 500
000 interface br0:0/br0:0 68.195.193.44 at 4500
000 interface br0:0/br0:0 68.195.193.44 at 500
000 interface virbr0/virbr0 192.168.122.1 at 4500
000 interface virbr0/virbr0 192.168.122.1 at 500
000
000
000 fips mode=disabled;
000 SElinux=disabled
000 seccomp=disabled
000
000 config setup options:
000
000 configdir=/etc, configfile=/etc/ipsec.conf,
secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d
000 nssdir=/etc/ipsec.d, dumpdir=/run/pluto, statsbin=unset
000 dnssec-rootkey-file=/var/lib/unbound/root.key, dnssec-trusted=<unset>
000 sbindir=/usr/sbin, libexecdir=/usr/libexec/ipsec
000 pluto_version=3.27, pluto_vendorid=OE-Libreswan-3.27
000 nhelpers=-1, uniqueids=yes, dnssec-enable=yes, perpeerlog=no,
logappend=yes, logip=yes, shuntlifetime=900s, xfrmlifetime=300s
000 ddos-cookies-threshold=50000, ddos-max-halfopen=25000, ddos-mode=auto
000 ikeport=500, ikebuf=0, msg_errqueue=yes, strictcrlpolicy=no,
crlcheckinterval=0, listen=<any>, nflog-all=0
000 ocsp-enable=no, ocsp-strict=no, ocsp-timeout=2, ocsp-uri=<unset>
000 ocsp-trust-name=<unset>
000 ocsp-cache-size=1000, ocsp-cache-min-age=3600,
ocsp-cache-max-age=86400, ocsp-method=get
000 secctx-attr-type=32001
000 debug:
000
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000
000 Kernel algorithms supported:
000
000 algorithm ESP encrypt: name=3DES_CBC, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: name=AES_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CTR, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CAMELLIA_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CHACHA20_POLY1305, keysizemin=256,
keysizemax=256
000 algorithm ESP encrypt: name=NULL, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: name=NULL_AUTH_AES_GMAC, keysizemin=128,
keysizemax=256
000 algorithm ESP encrypt: name=SERPENT_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=TWOFISH_CBC, keysizemin=128, keysizemax=256
000 algorithm AH/ESP auth: name=AES_CMAC_96, key-length=128
000 algorithm AH/ESP auth: name=AES_XCBC_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_MD5_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_SHA1_96, key-length=160
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_128, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_TRUNCBUG, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_384_192, key-length=384
000 algorithm AH/ESP auth: name=HMAC_SHA2_512_256, key-length=512
000 algorithm AH/ESP auth: name=NONE, key-length=0
000
000 IKE algorithms supported:
000
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3,
v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC,
v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=20,
v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=19,
v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=18,
v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13,
v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12,
v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC,
v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC,
v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH,
v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=28,
v2name=CHACHA20_POLY1305, blocksize=16, keydeflen=256
000 algorithm IKE PRF: name=HMAC_MD5, hashlen=16
000 algorithm IKE PRF: name=HMAC_SHA1, hashlen=20
000 algorithm IKE PRF: name=HMAC_SHA2_256, hashlen=32
000 algorithm IKE PRF: name=HMAC_SHA2_384, hashlen=48
000 algorithm IKE PRF: name=HMAC_SHA2_512, hashlen=64
000 algorithm IKE PRF: name=AES_XCBC, hashlen=16
000 algorithm IKE DH Key Exchange: name=MODP1024, bits=1024
000 algorithm IKE DH Key Exchange: name=MODP1536, bits=1536
000 algorithm IKE DH Key Exchange: name=MODP2048, bits=2048
000 algorithm IKE DH Key Exchange: name=MODP3072, bits=3072
000 algorithm IKE DH Key Exchange: name=MODP4096, bits=4096
000 algorithm IKE DH Key Exchange: name=MODP6144, bits=6144
000 algorithm IKE DH Key Exchange: name=MODP8192, bits=8192
000 algorithm IKE DH Key Exchange: name=DH19, bits=512
000 algorithm IKE DH Key Exchange: name=DH20, bits=768
000 algorithm IKE DH Key Exchange: name=DH21, bits=1056
000 algorithm IKE DH Key Exchange: name=DH31, bits=256
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,4,64}
trans={0,4,3240} attrs={0,4,2160}
000
000 Connection list:
000
000 "wyckofftun/1x1":
192.168.1.0/24===68.195.193.42<orion.example.com>[@orion]...68.192.251.223<wyckoff.crabdance.com>[@wyckoff]===192.168.11.0/24;
erouted; eroute owner: #2
000 "wyckofftun/1x1":     oriented; my_ip=unset; their_ip=unset;
my_updown=ipsec _updown;
000 "wyckofftun/1x1":   xauth us:none, xauth them:none,
my_username=[any]; their_username=[any]
000 "wyckofftun/1x1":   our auth:rsasig, their auth:rsasig
000 "wyckofftun/1x1":   modecfg info: us:none, them:none, modecfg
policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "wyckofftun/1x1":   labeled_ipsec:no;
000 "wyckofftun/1x1":   policy_label:unset;
000 "wyckofftun/1x1":   ike_life: 3600s; ipsec_life: 28800s;
replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries:
0;
000 "wyckofftun/1x1":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "wyckofftun/1x1":   initial-contact:no; cisco-unity:no;
fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "wyckofftun/1x1":   policy:
RSASIG+ENCRYPT+TUNNEL+PFS+DONT_REKEY+UP+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "wyckofftun/1x1":   conn_prio: 24,24; interface: br0; metric: 0;
mtu: unset; sa_prio:auto; sa_tfc:none;
000 "wyckofftun/1x1":   nflog-group: unset; mark: unset;
vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "wyckofftun/1x1":   our idtype: ID_FQDN; our id=@orion; their
idtype: ID_FQDN; their id=@wyckoff
000 "wyckofftun/1x1":   dpd: action:hold; delay:0; timeout:0; nat-t:
encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "wyckofftun/1x1":   newest ISAKMP SA: #0; newest IPsec SA: #2;
000 "wyckofftun/1x1":   aliases: wyckofftun

000 "wyckofftun/1x1":   IKE algorithms:
AES_GCM_16_256-HMAC_SHA2_512-DH19, AES_GCM_16_256-HMAC_SHA2_256-DH19,
AES_CBC_256-HMAC_SHA2_512-DH19, AES_CBC_256-HMAC_SHA1-DH19,
AES_CBC_128-HMAC_SHA2_256-DH19, AES_CBC_128-HMAC_SHA1-DH19,
AES_GCM_16_256-HMAC_SHA2_512-DH20, AES_GCM_16_256-HMAC_SHA2_256-DH20,
AES_CBC_256-HMAC_SHA2_512-DH20, AES_CBC_256-HMAC_SHA1-DH20,
AES_CBC_128-HMAC_SHA2_256-DH20, AES_CBC_128-HMAC_SHA1-DH20,
AES_GCM_16_256-HMAC_SHA2_512-DH21, AES_GCM_16_256-HMAC_SHA2_256-DH21,
AES_CBC_256-HMAC_SHA2_512-DH21, AES_CBC_256-HMAC_SHA1-DH21,
AES_CBC_128-HMAC_SHA2_256-DH21, AES_CBC_128-HMAC_SHA1-DH21,
AES_GCM_16_256-HMAC_SHA2_512-MODP2048,
AES_GCM_16_256-HMAC_SHA2_256-MODP2048,
AES_CBC_256-HMAC_SHA2_512-MODP2048, AES_CBC_256-HMAC_SHA1-MODP2048,
AES_CBC_128-HMAC_SHA2_256-MODP2048, AES_CBC_128-HMAC_SHA1-MODP2048,
AES_GCM_16_256-HMAC_SHA2_512-MODP3072,
AES_GCM_16_256-HMAC_SHA2_256-MODP3072,
AES_CBC_256-HMAC_SHA2_512-MODP3072, AES_CBC_256-HMAC_SHA1-MODP3072,
AES_CBC_128-HMAC_SHA2_256-MODP3072, AES_CBC_128-H...
000 "wyckofftun/1x1":   ESP algorithms: AES_GCM_16_256-NONE,
AES_CBC_256-HMAC_SHA2_512_256, AES_CBC_256-HMAC_SHA1_96,
AES_CBC_128-HMAC_SHA1_96, AES_CBC_128-HMAC_SHA2_256_128
000 "wyckofftun/1x1":   ESP algorithm newest: AES_GCM_16_256-NONE;
pfsgroup=<Phase1>
000 "wyckofftun/1x2":
192.168.1.0/24===68.195.193.42<orion.example.com>[@orion]...68.192.251.223<wyckoff.crabdance.com>[@wyckoff]===192.168.10.0/24;
erouted; eroute owner: #3
000 "wyckofftun/1x2":     oriented; my_ip=unset; their_ip=unset;
my_updown=ipsec _updown;
000 "wyckofftun/1x2":   xauth us:none, xauth them:none,
my_username=[any]; their_username=[any]
000 "wyckofftun/1x2":   our auth:rsasig, their auth:rsasig
000 "wyckofftun/1x2":   modecfg info: us:none, them:none, modecfg
policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "wyckofftun/1x2":   labeled_ipsec:no;
000 "wyckofftun/1x2":   policy_label:unset;
000 "wyckofftun/1x2":   ike_life: 3600s; ipsec_life: 28800s;
replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries:
0;
000 "wyckofftun/1x2":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "wyckofftun/1x2":   initial-contact:no; cisco-unity:no;
fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "wyckofftun/1x2":   policy:
RSASIG+ENCRYPT+TUNNEL+PFS+DONT_REKEY+UP+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "wyckofftun/1x2":   conn_prio: 24,24; interface: br0; metric: 0;
mtu: unset; sa_prio:auto; sa_tfc:none;
000 "wyckofftun/1x2":   nflog-group: unset; mark: unset;
vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "wyckofftun/1x2":   our idtype: ID_FQDN; our id=@orion; their
idtype: ID_FQDN; their id=@wyckoff
000 "wyckofftun/1x2":   dpd: action:hold; delay:0; timeout:0; nat-t:
encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "wyckofftun/1x2":   newest ISAKMP SA: #0; newest IPsec SA: #3;
000 "wyckofftun/1x2":   aliases: wyckofftun

000 "wyckofftun/1x2":   IKE algorithms:
AES_GCM_16_256-HMAC_SHA2_512-DH19, AES_GCM_16_256-HMAC_SHA2_256-DH19,
AES_CBC_256-HMAC_SHA2_512-DH19, AES_CBC_256-HMAC_SHA1-DH19,
AES_CBC_128-HMAC_SHA2_256-DH19, AES_CBC_128-HMAC_SHA1-DH19,
AES_GCM_16_256-HMAC_SHA2_512-DH20, AES_GCM_16_256-HMAC_SHA2_256-DH20,
AES_CBC_256-HMAC_SHA2_512-DH20, AES_CBC_256-HMAC_SHA1-DH20,
AES_CBC_128-HMAC_SHA2_256-DH20, AES_CBC_128-HMAC_SHA1-DH20,
AES_GCM_16_256-HMAC_SHA2_512-DH21, AES_GCM_16_256-HMAC_SHA2_256-DH21,
AES_CBC_256-HMAC_SHA2_512-DH21, AES_CBC_256-HMAC_SHA1-DH21,
AES_CBC_128-HMAC_SHA2_256-DH21, AES_CBC_128-HMAC_SHA1-DH21,
AES_GCM_16_256-HMAC_SHA2_512-MODP2048,
AES_GCM_16_256-HMAC_SHA2_256-MODP2048,
AES_CBC_256-HMAC_SHA2_512-MODP2048, AES_CBC_256-HMAC_SHA1-MODP2048,
AES_CBC_128-HMAC_SHA2_256-MODP2048, AES_CBC_128-HMAC_SHA1-MODP2048,
AES_GCM_16_256-HMAC_SHA2_512-MODP3072,
AES_GCM_16_256-HMAC_SHA2_256-MODP3072,
AES_CBC_256-HMAC_SHA2_512-MODP3072, AES_CBC_256-HMAC_SHA1-MODP3072,
AES_CBC_128-HMAC_SHA2_256-MODP3072, AES_CBC_128-H...
000 "wyckofftun/1x2":   ESP algorithms: AES_GCM_16_256-NONE,
AES_CBC_256-HMAC_SHA2_512_256, AES_CBC_256-HMAC_SHA1_96,
AES_CBC_128-HMAC_SHA1_96, AES_CBC_128-HMAC_SHA2_256_128
000 "wyckofftun/1x2":   ESP algorithm newest: AES_GCM_16_256-NONE;
pfsgroup=<Phase1>
000 "wyckofftun/2x1":
68.195.193.40/29===68.195.193.42<orion.example.com>[@orion]...68.192.251.223<wyckoff.crabdance.com>[@wyckoff]===192.168.11.0/24;
erouted; eroute owner: #4
000 "wyckofftun/2x1":     oriented; my_ip=unset; their_ip=unset;
my_updown=ipsec _updown;
000 "wyckofftun/2x1":   xauth us:none, xauth them:none,
my_username=[any]; their_username=[any]
000 "wyckofftun/2x1":   our auth:rsasig, their auth:rsasig
000 "wyckofftun/2x1":   modecfg info: us:none, them:none, modecfg
policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "wyckofftun/2x1":   labeled_ipsec:no;
000 "wyckofftun/2x1":   policy_label:unset;
000 "wyckofftun/2x1":   ike_life: 3600s; ipsec_life: 28800s;
replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries:
0;
000 "wyckofftun/2x1":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "wyckofftun/2x1":   initial-contact:no; cisco-unity:no;
fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "wyckofftun/2x1":   policy:
RSASIG+ENCRYPT+TUNNEL+PFS+DONT_REKEY+UP+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "wyckofftun/2x1":   conn_prio: 29,24; interface: br0; metric: 0;
mtu: unset; sa_prio:auto; sa_tfc:none;
000 "wyckofftun/2x1":   nflog-group: unset; mark: unset;
vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "wyckofftun/2x1":   our idtype: ID_FQDN; our id=@orion; their
idtype: ID_FQDN; their id=@wyckoff
000 "wyckofftun/2x1":   dpd: action:hold; delay:0; timeout:0; nat-t:
encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "wyckofftun/2x1":   newest ISAKMP SA: #0; newest IPsec SA: #4;
000 "wyckofftun/2x1":   aliases: wyckofftun

000 "wyckofftun/2x1":   IKE algorithms:
AES_GCM_16_256-HMAC_SHA2_512-DH19, AES_GCM_16_256-HMAC_SHA2_256-DH19,
AES_CBC_256-HMAC_SHA2_512-DH19, AES_CBC_256-HMAC_SHA1-DH19,
AES_CBC_128-HMAC_SHA2_256-DH19, AES_CBC_128-HMAC_SHA1-DH19,
AES_GCM_16_256-HMAC_SHA2_512-DH20, AES_GCM_16_256-HMAC_SHA2_256-DH20,
AES_CBC_256-HMAC_SHA2_512-DH20, AES_CBC_256-HMAC_SHA1-DH20,
AES_CBC_128-HMAC_SHA2_256-DH20, AES_CBC_128-HMAC_SHA1-DH20,
AES_GCM_16_256-HMAC_SHA2_512-DH21, AES_GCM_16_256-HMAC_SHA2_256-DH21,
AES_CBC_256-HMAC_SHA2_512-DH21, AES_CBC_256-HMAC_SHA1-DH21,
AES_CBC_128-HMAC_SHA2_256-DH21, AES_CBC_128-HMAC_SHA1-DH21,
AES_GCM_16_256-HMAC_SHA2_512-MODP2048,
AES_GCM_16_256-HMAC_SHA2_256-MODP2048,
AES_CBC_256-HMAC_SHA2_512-MODP2048, AES_CBC_256-HMAC_SHA1-MODP2048,
AES_CBC_128-HMAC_SHA2_256-MODP2048, AES_CBC_128-HMAC_SHA1-MODP2048,
AES_GCM_16_256-HMAC_SHA2_512-MODP3072,
AES_GCM_16_256-HMAC_SHA2_256-MODP3072,
AES_CBC_256-HMAC_SHA2_512-MODP3072, AES_CBC_256-HMAC_SHA1-MODP3072,
AES_CBC_128-HMAC_SHA2_256-MODP3072, AES_CBC_128-H...
000 "wyckofftun/2x1":   ESP algorithms: AES_GCM_16_256-NONE,
AES_CBC_256-HMAC_SHA2_512_256, AES_CBC_256-HMAC_SHA1_96,
AES_CBC_128-HMAC_SHA1_96, AES_CBC_128-HMAC_SHA2_256_128
000 "wyckofftun/2x1":   ESP algorithm newest: AES_GCM_16_256-NONE;
pfsgroup=<Phase1>
000 "wyckofftun/2x2":
68.195.193.40/29===68.195.193.42<orion.example.com>[@orion]...68.192.251.223<wyckoff.crabdance.com>[@wyckoff]===192.168.10.0/24;
erouted; eroute owner: #5
000 "wyckofftun/2x2":     oriented; my_ip=unset; their_ip=unset;
my_updown=ipsec _updown;
000 "wyckofftun/2x2":   xauth us:none, xauth them:none,
my_username=[any]; their_username=[any]
000 "wyckofftun/2x2":   our auth:rsasig, their auth:rsasig
000 "wyckofftun/2x2":   modecfg info: us:none, them:none, modecfg
policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "wyckofftun/2x2":   labeled_ipsec:no;
000 "wyckofftun/2x2":   policy_label:unset;
000 "wyckofftun/2x2":   ike_life: 3600s; ipsec_life: 28800s;
replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries:
0;
000 "wyckofftun/2x2":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "wyckofftun/2x2":   initial-contact:no; cisco-unity:no;
fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "wyckofftun/2x2":   policy:
RSASIG+ENCRYPT+TUNNEL+PFS+DONT_REKEY+UP+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "wyckofftun/2x2":   conn_prio: 29,24; interface: br0; metric: 0;
mtu: unset; sa_prio:auto; sa_tfc:none;
000 "wyckofftun/2x2":   nflog-group: unset; mark: unset;
vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "wyckofftun/2x2":   our idtype: ID_FQDN; our id=@orion; their
idtype: ID_FQDN; their id=@wyckoff
000 "wyckofftun/2x2":   dpd: action:hold; delay:0; timeout:0; nat-t:
encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "wyckofftun/2x2":   newest ISAKMP SA: #1; newest IPsec SA: #5;
000 "wyckofftun/2x2":   aliases: wyckofftun

000 "wyckofftun/2x2":   IKE algorithms:
AES_GCM_16_256-HMAC_SHA2_512-DH19, AES_GCM_16_256-HMAC_SHA2_256-DH19,
AES_CBC_256-HMAC_SHA2_512-DH19, AES_CBC_256-HMAC_SHA1-DH19,
AES_CBC_128-HMAC_SHA2_256-DH19, AES_CBC_128-HMAC_SHA1-DH19,
AES_GCM_16_256-HMAC_SHA2_512-DH20, AES_GCM_16_256-HMAC_SHA2_256-DH20,
AES_CBC_256-HMAC_SHA2_512-DH20, AES_CBC_256-HMAC_SHA1-DH20,
AES_CBC_128-HMAC_SHA2_256-DH20, AES_CBC_128-HMAC_SHA1-DH20,
AES_GCM_16_256-HMAC_SHA2_512-DH21, AES_GCM_16_256-HMAC_SHA2_256-DH21,
AES_CBC_256-HMAC_SHA2_512-DH21, AES_CBC_256-HMAC_SHA1-DH21,
AES_CBC_128-HMAC_SHA2_256-DH21, AES_CBC_128-HMAC_SHA1-DH21,
AES_GCM_16_256-HMAC_SHA2_512-MODP2048,
AES_GCM_16_256-HMAC_SHA2_256-MODP2048,
AES_CBC_256-HMAC_SHA2_512-MODP2048, AES_CBC_256-HMAC_SHA1-MODP2048,
AES_CBC_128-HMAC_SHA2_256-MODP2048, AES_CBC_128-HMAC_SHA1-MODP2048,
AES_GCM_16_256-HMAC_SHA2_512-MODP3072,
AES_GCM_16_256-HMAC_SHA2_256-MODP3072,
AES_CBC_256-HMAC_SHA2_512-MODP3072, AES_CBC_256-HMAC_SHA1-MODP3072,
AES_CBC_128-HMAC_SHA2_256-MODP3072, AES_CBC_128-H...
000 "wyckofftun/2x2":   IKEv2 algorithm newest:
AES_GCM_16_256-HMAC_SHA2_512-DH19
000 "wyckofftun/2x2":   ESP algorithms: AES_GCM_16_256-NONE,
AES_CBC_256-HMAC_SHA2_512_256, AES_CBC_256-HMAC_SHA1_96,
AES_CBC_128-HMAC_SHA1_96, AES_CBC_128-HMAC_SHA2_256_128
000 "wyckofftun/2x2":   ESP algorithm newest: AES_GCM_16_256-NONE;
pfsgroup=<Phase1>
000
000 Total IPsec connections: loaded 4, active 4
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(4), authenticated(4), anonymous(0)
000
000 #2: "wyckofftun/1x1":500 STATE_V2_IPSEC_I (IPsec SA established);
EVENT_SA_EXPIRE in 26736s; newest IPSEC; eroute owner; isakmp#1; idle;
000 #2: "wyckofftun/1x1" esp.76593989 at 68.192.251.223
esp.1c06d03e at 68.195.193.42 tun.0 at 68.192.251.223 tun.0 at 68.195.193.42
ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=0B
000 #3: "wyckofftun/1x2":500 STATE_V2_IPSEC_I (IPsec SA established);
EVENT_SA_EXPIRE in 27052s; newest IPSEC; eroute owner; isakmp#1; idle;
000 #3: "wyckofftun/1x2" esp.bcb067cf at 68.192.251.223
esp.cc152790 at 68.195.193.42 tun.0 at 68.192.251.223 tun.0 at 68.195.193.42
ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=0B
000 #4: "wyckofftun/2x1":500 STATE_V2_IPSEC_I (IPsec SA established);
EVENT_SA_EXPIRE in 26666s; newest IPSEC; eroute owner; isakmp#1; idle;
000 #4: "wyckofftun/2x1" esp.ff79eab9 at 68.192.251.223
esp.ffb71ead at 68.195.193.42 tun.0 at 68.192.251.223 tun.0 at 68.195.193.42
ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=0B
000 #1: "wyckofftun/2x2":500 STATE_PARENT_I3 (PARENT SA established);
EVENT_SA_EXPIRE in 1746s; newest ISAKMP; idle;
000 #5: "wyckofftun/2x2":500 STATE_V2_IPSEC_I (IPsec SA established);
EVENT_SA_EXPIRE in 26727s; newest IPSEC; eroute owner; isakmp#1; idle;
000 #5: "wyckofftun/2x2" esp.760e8c3d at 68.192.251.223
esp.ee1fe6e1 at 68.195.193.42 tun.0 at 68.192.251.223 tun.0 at 68.195.193.42
ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=0B
000
000 Bare Shunt list:
000
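Added example, not code from the thread or from Libreswan: a small Python parser for the `ipsec status` record format shown above. It flags established child SAs whose ESP counters are still 0B (the symptom in this post: tunnel up, no packets selected into it in either direction) and reports whether each gateway's own address lies inside its own subnet spec, since gateway-originated traffic only matches the policy when its source address does. The sample status lines are constructed from the output above, re-joined into single lines as `ipsec status` actually emits them, with one ESPin counter altered so the two findings differ.

```python
import ipaddress
import re

# Constructed sample in the `ipsec status` line format shown in this post.
# Records are single lines in real output; mail wrapping split them above.
# SA #4's ESPin value is altered to 1234B so the two findings differ.
SAMPLE_STATUS = """\
000 "wyckofftun/1x1": 192.168.1.0/24===68.195.193.42<orion.example.com>[@orion]...68.192.251.223<wyckoff.crabdance.com>[@wyckoff]===192.168.11.0/24; erouted; eroute owner: #2
000 "wyckofftun/2x1": 68.195.193.40/29===68.195.193.42<orion.example.com>[@orion]...68.192.251.223<wyckoff.crabdance.com>[@wyckoff]===192.168.11.0/24; erouted; eroute owner: #4
000 #1: "wyckofftun/2x2":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_EXPIRE in 1746s; newest ISAKMP; idle;
000 #2: "wyckofftun/1x1":500 STATE_V2_IPSEC_I (IPsec SA established); EVENT_SA_EXPIRE in 26736s; newest IPSEC; eroute owner; isakmp#1; idle;
000 #2: "wyckofftun/1x1" esp.76593989 at 68.192.251.223 esp.1c06d03e at 68.195.193.42 tun.0 at 68.192.251.223 tun.0 at 68.195.193.42 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=0B
000 #4: "wyckofftun/2x1":500 STATE_V2_IPSEC_I (IPsec SA established); EVENT_SA_EXPIRE in 26666s; newest IPSEC; eroute owner; isakmp#1; idle;
000 #4: "wyckofftun/2x1" esp.ff79eab9 at 68.192.251.223 esp.ffb71ead at 68.195.193.42 tun.0 at 68.192.251.223 tun.0 at 68.195.193.42 ref=0 refhim=0 Traffic: ESPin=1234B ESPout=0B! ESPmax=0B
"""

# Connection line: leftsubnet===leftip<host>[id]...rightip<host>[id]===rightsubnet;
CONN_RE = re.compile(
    r'^000 "(?P<conn>[^"]+)":\s+(?P<lsub>[\d.]+/\d+)===(?P<lip>[\d.]+)<[^>]*>\[[^\]]*\]'
    r'\.\.\.(?P<rip>[\d.]+)<[^>]*>\[[^\]]*\]===(?P<rsub>[\d.]+/\d+);')
# State line: #N: "conn":port STATE_NAME (description); ...
STATE_RE = re.compile(
    r'^000 #(?P<sa>\d+): "(?P<conn>[^"]+)":\d+ (?P<state>\S+) \((?P<desc>[^)]*)\)')
# Traffic line: #N: "conn" esp.spi at ip ... Traffic: ESPin=NB ESPout=NB! ESPmax=NB
TRAFFIC_RE = re.compile(
    r'^000 #(?P<sa>\d+): "(?P<conn>[^"]+)" .*Traffic: ESPin=(?P<inb>\d+)B ESPout=(?P<outb>\d+)B')


def parse_status(text):
    """Return (connections, sas) dicts extracted from `ipsec status` output."""
    conns, sas = {}, {}
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            conns[m["conn"]] = {k: m[k] for k in ("lsub", "lip", "rip", "rsub")}
            continue
        m = STATE_RE.match(line)
        if m:
            sas.setdefault(m["sa"], {"conn": m["conn"]}).update(state=m["state"], desc=m["desc"])
            continue
        m = TRAFFIC_RE.match(line)
        if m:
            sas.setdefault(m["sa"], {"conn": m["conn"]}).update(inb=int(m["inb"]), outb=int(m["outb"]))
    return conns, sas


def sa_findings(text):
    """Map each established child SA's connection name to a one-line finding."""
    _, sas = parse_status(text)
    findings = {}
    for info in sas.values():
        if "IPsec SA established" not in info.get("desc", ""):
            continue  # parent (IKE) SAs carry no ESP counters; skip them
        inb, outb = info.get("inb", 0), info.get("outb", 0)
        if inb == 0 and outb == 0:
            findings[info["conn"]] = "established but idle: no packets matched the policy in either direction"
        elif outb == 0:
            findings[info["conn"]] = "receiving only: peer sends, local side never selects the tunnel"
        elif inb == 0:
            findings[info["conn"]] = "sending only: local side selects the tunnel, nothing returns"
        else:
            findings[info["conn"]] = "passing traffic"
    return findings


def endpoint_coverage(text):
    """For each connection: (local gateway inside its subnet?, remote gateway inside its subnet?).

    Gateway-originated packets are sourced from the gateway address, so they
    only match the tunnel policy when that address lies inside the subnet spec."""
    conns, _ = parse_status(text)
    return {
        name: (ipaddress.ip_address(c["lip"]) in ipaddress.ip_network(c["lsub"]),
               ipaddress.ip_address(c["rip"]) in ipaddress.ip_network(c["rsub"]))
        for name, c in conns.items()
    }
```

On the real output above every child SA would report "established but idle", and only the 68.195.193.40/29 instances cover orion's own address; wyckoff's public address lies in none of its subnets.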