<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle20
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 2.0cm 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-GB" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">Morning All,<o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">We have a VPN connection that appears to be established to a third party with a successful connection, however we can’t seem to get any traffic flow to pass over the network.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Ipsec Verify passed ok:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Verifying installed system and configuration files<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Version check and ipsec on-path [OK]<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Libreswan 3.23 (netkey) on 3.10.0-693.21.1.el7.x86_64<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Checking for IPsec support in kernel [OK]<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">NETKEY: Testing XFRM related proc values<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> ICMP default/send_redirects [OK]<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> ICMP default/accept_redirects [OK]<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> XFRM larval drop [OK]<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Pluto ipsec.conf syntax [OK]<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Two or more interfaces found, checking IP forwarding [OK]<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Checking rp_filter [OK]<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Checking that pluto is running [OK]<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Pluto listening for IKE on udp 500 [OK]<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Pluto listening for IKE/NAT-T on udp 4500 [OK]<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Pluto ipsec.secret syntax [OK]<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Checking 'ip' command [OK]<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Checking 'iptables' command [OK]<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Checking 'prelink' command does not interfere with FIPS [OK]<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Checking for obsolete ipsec.conf options [OK]<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">And the VPN seems to be established:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 "ipsec-1": 192.168.142.132/32===51.148.60.157<51.148.60.157>---51.148.60.158...87.242.152.6<87.242.152.6>===10.0.22.3/32; erouted; eroute owner: #2<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 "ipsec-1": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 "ipsec-1": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 "ipsec-1": our auth:secret, their auth:secret<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 "ipsec-1": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 "ipsec-1": labeled_ipsec:no;<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 "ipsec-1": policy_label:unset;<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 "ipsec-1": ike_life: 86400s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0;<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 "ipsec-1": retransmit-interval: 500ms; retransmit-timeout: 60s;<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 "ipsec-1": sha2-truncbug:no; initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 "ipsec-1": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 "ipsec-1": conn_prio: 32,32; interface: eno1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 "ipsec-1": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 "ipsec-1": our idtype: ID_IPV4_ADDR; our id=51.148.60.157; their idtype: ID_IPV4_ADDR; their id=87.242.152.6<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 "ipsec-1": dpd: action:restart; delay:30; timeout:120; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 "ipsec-1": newest ISAKMP SA: #1; newest IPsec SA: #2;<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 "ipsec-1": IKE algorithms: AES_CBC_256-HMAC_SHA2_256-DH19<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 "ipsec-1": IKEv2 algorithm newest: AES_CBC_256-HMAC_SHA2_256-DH19<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 "ipsec-1": ESP algorithms: AES_CBC_256-HMAC_SHA2_256_128<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 "ipsec-1": ESP algorithm newest: AES_CBC_256-HMAC_SHA2_256_128; pfsgroup=<Phase1><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 Total IPsec connections: loaded 1, active 1<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 State Information: DDoS cookies not required, Accepting new IKE connections<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 IPsec SAs: total(1), authenticated(1), anonymous(0)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 #1: "ipsec-1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 85992s; newest ISAKMP; idle; import:admin initiate<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 #2: "ipsec-1":500 STATE_V2_IPSEC_I (IPsec SA established); EVENT_SA_REPLACE in 28322s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">000 #2: "ipsec-1" esp.7cba7376@87.242.152.6 esp.f60e0a3a@51.148.60.157 tun.0@87.242.152.6 tun.0@51.148.60.157 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=0B<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Our config as follows:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">conn ipsec-1<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> authby= secret<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> auto= start<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> type= tunnel<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> forceencaps= no<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> rekeymargin= 3m<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> keyingtries= %forever<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> salifetime= 8h<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> ikelifetime= 24h<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> ikev2= insist<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> #RTT<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> left= 51.148.60.157<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> leftsubnet= 192.168.142.132/32<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> leftid= 51.148.60.157<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> leftnexthop= 51.148.60.158<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> #SAA<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> right= 87.242.152.6<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> rightid= 87.242.152.6<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> rightsubnet= 10.0.22.3/32<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> #Key Settings<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> ike= aes256-sha2_256;dh19<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> phase2= esp<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> phase2alg= aes256-sha2_256<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> pfs= yes<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> sha2_truncbug= no<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> #Dead Peer Detection<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> dpdaction= restart<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> dpddelay= 30<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> dpdtimeout= 120<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Secrets file:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">51.148.60.157 87.242.152.6: PSK "######"<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Ipsec.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">config setup<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> # which IPsec stack to use, "netkey" (the default), "klips" or "mast".<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> # For MacOSX use "bsd"<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> protostack=netkey<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> #<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> # Normally, pluto logs via syslog. If you want to log to a file,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> # specify below or to disable logging, eg for embedded systems, use<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> # the file name /dev/null<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> # Note: SElinux policies might prevent pluto writing to a log file at<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> # an unusual location.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> #logfile=/var/log/pluto.log<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> #<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> # Do not enable debug options to debug configuration issues!<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> #<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> # plutodebug "all", "none" or a combation from below:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> # "raw crypt parsing emitting control controlmore kernel pfkey<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> # natt x509 dpd dns oppo oppoinfo private".<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> # Note: "private" is not included with "all", as it can show confidential<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> # information. It must be specifically specified<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> # examples:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> # plutodebug="control parsing"<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> # plutodebug="all crypt"<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> # Again: only enable plutodebug when asked by a developer<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> # plutodebug=all<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> #<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> # Enable core dumps (might require system changes, like ulimit -C)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> # This is required for abrtd to work properly<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> # Note: SElinux policies might prevent pluto writing the core at<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> # unusual locations<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> dumpdir=/var/run/pluto/<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> #<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> # NAT-TRAVERSAL support<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> # exclude networks used on server side by adding %v4:!a.b.c.0/24<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> # It seems that T-Mobile in the US and Rogers/Fido in Canada are<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> # using 25/8 as "private" address space on their wireless networks.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> # This range has never been announced via BGP (at least up to 2015)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> #virtual_private=<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"># For example connections, see your distribution's documentation directory,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"># or https://libreswan.org/wiki/<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">#<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"># There is also a lot of information in the manual page, "man ipsec.conf"<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">#<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"># It is best to add your IPsec connections as separate files in /etc/ipsec.d/<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">include /etc/ipsec.d/*.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">For some reason the VPN establishes OK as far as I can see. We try from 192.168.142.132 to connect to a webservice on 10.0.22.3/32 but it times out; a tcpdump (tcpdump -i eno1 -nnvvv \(port 500 or port 4500 or proto 50\)) on interface 51.148.60.157 shows no ESP or port 4500 traffic being sent as we attempt a request.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Does anyone have any ideas what can cause this? It looks like the interesting traffic is not being detected correctly?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Cheers<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Joe<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
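<p class="MsoNormal"><span lang="EN-US">Added example, not part of the post above and not Libreswan's own code: a small Python checker that parses the <code>ipsec status</code> lines quoted in the message and flags the failure mode it describes, an IPsec SA that is established and erouted but whose ESP byte counters have stayed at zero. Zero ESPout on an established SA means the kernel never encrypted a packet for it, so the interesting traffic either never reached the gateway or did not match the leftsubnet/rightsubnet selectors; that is what this check surfaces, as a monitoring signal rather than a fix. It assumes the Libreswan 3.x status line layout shown in the post; the sample text is constructed from those lines, the finding codes (ESP_OUT_ZERO and the others) are made-up names, and the "healthy" sample is the same text with constructed non-zero counters.<o:p></o:p></span></p>

```python
"""Check `ipsec status` output for established IPsec SAs that carry no traffic.

Added example (not from the mailing-list post or the Libreswan project). The
parser follows the Libreswan 3.x status line layout quoted in the post; the
finding codes below are invented for this example.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the status lines from the post, trimmed to what the checks read.
SAMPLE_STATUS = """\
000 "ipsec-1": 192.168.142.132/32===51.148.60.157<51.148.60.157>---51.148.60.158...87.242.152.6<87.242.152.6>===10.0.22.3/32; erouted; eroute owner: #2
000 "ipsec-1": newest ISAKMP SA: #1; newest IPsec SA: #2;
000 #1: "ipsec-1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 85992s; newest ISAKMP; idle; import:admin initiate
000 #2: "ipsec-1":500 STATE_V2_IPSEC_I (IPsec SA established); EVENT_SA_REPLACE in 28322s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "ipsec-1" esp.7cba7376@87.242.152.6 esp.f60e0a3a@51.148.60.157 tun.0@87.242.152.6 tun.0@51.148.60.157 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=0B
"""
# Constructed "healthy" variant: same tunnel, counters moving in both directions.
HEALTHY_STATUS = SAMPLE_STATUS.replace("ESPin=0B ESPout=0B!", "ESPin=4KB ESPout=12KB")

# Connection summary line: selectors, endpoints, optional nexthop, routing state.
CONN_RE = re.compile(
    r'^000 "(?P<name>[^"]+)": (?P<lsub>[^=\s]+)===(?P<left>[\d.]+)<[^>]*>'
    r'(?:---(?P<nexthop>[\d.]+))?\.\.\.(?P<right>[\d.]+)<[^>]*>===(?P<rsub>[^;\s]+);'
    r' (?P<routing>\w+);'
)
# Per-state line: "#2: "conn":500 STATE_... (IPsec SA established); ..."
STATE_RE = re.compile(
    r'^000 #(?P<num>\d+): "(?P<name>[^"]+)":\d+ (?P<state>STATE_\w+) \((?P<desc>[^)]*)\)'
)
# Traffic line: "#2: "conn" esp.... Traffic: ESPin=<n>[KMG]B ESPout=<n>[KMG]B ..."
TRAFFIC_RE = re.compile(
    r'^000 #(?P<num>\d+): "(?P<name>[^"]+)" .*?Traffic: '
    r'ESPin=(?P<esp_in>\d+)(?P<in_unit>[KMG]?)B ESPout=(?P<esp_out>\d+)(?P<out_unit>[KMG]?)B'
)
_UNIT = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


@dataclass
class SaState:
    num: int
    state: str
    is_child: bool          # IPsec (child) SA rather than the IKE/parent SA
    established: bool
    esp_in: Optional[int] = None
    esp_out: Optional[int] = None


@dataclass
class ConnStatus:
    name: str
    left_subnet: str
    right_subnet: str
    routing: str            # "erouted" when kernel policy is installed for the selectors
    sas: Dict[int, SaState] = field(default_factory=dict)


def parse_status(text: str) -> Dict[str, ConnStatus]:
    """Build a ConnStatus per connection from raw `ipsec status` output."""
    conns: Dict[str, ConnStatus] = {}
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            conns[m["name"]] = ConnStatus(m["name"], m["lsub"], m["rsub"], m["routing"])
            continue
        m = STATE_RE.match(line)
        if m and m["name"] in conns:
            desc = m["desc"]
            sa = SaState(int(m["num"]), m["state"], "IPsec SA" in desc, "established" in desc)
            conns[m["name"]].sas[sa.num] = sa
            continue
        m = TRAFFIC_RE.match(line)
        if m and m["name"] in conns:
            sa = conns[m["name"]].sas.get(int(m["num"]))
            if sa is not None:
                sa.esp_in = int(m["esp_in"]) * _UNIT[m["in_unit"]]
                sa.esp_out = int(m["esp_out"]) * _UNIT[m["out_unit"]]
    return conns


def diagnose(conn: ConnStatus) -> List[str]:
    """Return finding codes for one connection; an empty list means it looks healthy."""
    findings: List[str] = []
    if conn.routing != "erouted":
        findings.append("NOT_EROUTED")        # no kernel policy for the selectors
    children = [sa for sa in conn.sas.values() if sa.is_child and sa.established]
    if not children:
        findings.append("NO_CHILD_SA")        # IKE may be up, but no ESP SA was negotiated
        return findings
    newest = max(children, key=lambda sa: sa.num)
    if newest.esp_out is None:
        findings.append("NO_TRAFFIC_COUNTERS")
    elif newest.esp_out == 0:
        # Kernel never encrypted a packet on this SA: traffic from left_subnet
        # did not reach this gateway or did not match left_subnet -> right_subnet.
        findings.append("ESP_OUT_ZERO")
    elif newest.esp_in == 0:
        findings.append("ESP_IN_ZERO")        # one-way: we send, nothing comes back
    return findings


if __name__ == "__main__":
    for label, text in (("post", SAMPLE_STATUS), ("healthy", HEALTHY_STATUS)):
        for name, conn in parse_status(text).items():
            print(f"{label}: {name} {conn.left_subnet} -> {conn.right_subnet}: "
                  f"{diagnose(conn) or 'OK'}")
```

<p class="MsoNormal"><span lang="EN-US">Run it against the real output with <code>ipsec status | python3 check_status.py</code> adapted to read stdin, or poll it from a monitor; an ESP_OUT_ZERO finding that persists once the tunnel has been up for a while is the cue to look at where the 192.168.142.132 traffic is actually going before re-negotiating anything.<o:p></o:p></span></p>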
</div>
</body>
</html>