$ cat /etc/swanctl/swanctl.conf | |
connections { | |
alice { | |
children { | |
alice { | |
remote_ts = 10.0.0.0/24 | |
start_action = trap | |
updown = /nix/store/jdcviy5z25xamq35g8k9qbdpskkx3w9g-strongswan-5.6.0/libexec/ipsec/_updown iptables | |
} | |
} | |
local-main { | |
auth = pubkey | |
certs = aliceCert.der | |
id = alice | |
} | |
remote-main { | |
auth = pubkey | |
id = moon | |
} | |
remote_addrs = moon | |
vips = 0.0.0.0 | |
} | |
} | |
$ swanctl -i --child alice | |
[IKE] initiating IKE_SA alice[1] to 192.168.1.3 | |
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ] | |
[NET] sending packet: from 192.168.1.1[500] to 192.168.1.3[500] (642 bytes) | |
[NET] received packet: from 192.168.1.3[500] to 192.168.1.1[500] (267 bytes) | |
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ] | |
[IKE] received cert request for "C=CH, O=strongSwan, CN=strongSwan CA" | |
[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan CA" | |
[IKE] authentication of 'alice' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful | |
[IKE] sending end entity cert "C=CH, O=strongSwan, CN=alice" | |
[IKE] establishing CHILD_SA alice{2} | |
[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] | |
[ENC] splitting IKE message with length of 1440 bytes into 2 fragments | |
[ENC] generating IKE_AUTH request 1 [ EF(1/2) ] | |
[ENC] generating IKE_AUTH request 1 [ EF(2/2) ] | |
[NET] sending packet: from 192.168.1.1[4500] to 192.168.1.3[4500] (1236 bytes) | |
[NET] sending packet: from 192.168.1.1[4500] to 192.168.1.3[4500] (276 bytes) | |
[NET] received packet: from 192.168.1.3[4500] to 192.168.1.1[4500] (1236 bytes) | |
[ENC] parsed IKE_AUTH response 1 [ EF(1/2) ] | |
[ENC] received fragment #1 of 2, waiting for complete IKE message | |
[NET] received packet: from 192.168.1.3[4500] to 192.168.1.1[4500] (132 bytes) | |
[ENC] parsed IKE_AUTH response 1 [ EF(2/2) ] | |
[ENC] received fragment #2 of 2, reassembling fragmented IKE message | |
[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ] | |
[IKE] received end entity cert "C=CH, O=strongSwan, CN=moon" | |
[CFG] using certificate "C=CH, O=strongSwan, CN=moon" | |
[CFG] using trusted ca certificate "C=CH, O=strongSwan, CN=strongSwan CA" | |
[CFG] checking certificate status of "C=CH, O=strongSwan, CN=moon" | |
[CFG] certificate status is not available | |
[CFG] reached self-signed root ca with a path length of 0 | |
[IKE] authentication of 'moon' with RSA_EMSA_PKCS1_SHA2_256 successful | |
[IKE] IKE_SA alice[1] established between 192.168.1.1[alice]...192.168.1.3[moon] | |
[IKE] scheduling rekeying in 13569s | |
[IKE] maximum IKE_SA lifetime 15009s | |
[IKE] installing new virtual IP 10.0.0.1 | |
[IKE] CHILD_SA alice{2} established with SPIs c890d03e_i c8538487_o and TS 10.0.0.1/32 === 10.0.0.0/24 | |
initiate completed successfully | |
$ ip a | |
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1 | |
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 | |
inet 127.0.0.1/8 scope host lo | |
valid_lft forever preferred_lft forever | |
inet6 ::1/128 scope host | |
valid_lft forever preferred_lft forever | |
2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000 | |
link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff | |
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 | |
link/ether 52:54:00:12:01:01 brd ff:ff:ff:ff:ff:ff | |
inet 192.168.1.1/24 scope global eth1 | |
valid_lft forever preferred_lft forever | |
inet 10.0.0.1/32 scope global eth1 | |
valid_lft forever preferred_lft forever | |
inet6 fe80::5054:ff:fe12:101/64 scope link | |
valid_lft forever preferred_lft forever | |
$ ip route | |
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1 | |
$ ip route list table 220 | |
10.0.0.0/24 via 192.168.1.3 dev eth1 proto static src 192.168.1.1 | |
$ ip -s xfrm policy | |
src 10.0.0.1/32 dst 10.0.0.0/24 uid 0 | |
dir out action allow index 89 priority 371327 share any flag (0x00000000) | |
lifetime config: | |
limit: soft (INF)(bytes), hard (INF)(bytes) | |
limit: soft (INF)(packets), hard (INF)(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:06:22 use - | |
tmpl src 192.168.1.1 dst 192.168.1.3 | |
proto esp spi 0xc8538487(3360916615) reqid 1(0x00000001) mode tunnel | |
level required share any | |
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff | |
src 10.0.0.0/24 dst 10.0.0.1/32 uid 0 | |
dir fwd action allow index 106 priority 371327 share any flag (0x00000000) | |
lifetime config: | |
limit: soft (INF)(bytes), hard (INF)(bytes) | |
limit: soft (INF)(packets), hard (INF)(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:06:22 use - | |
tmpl src 192.168.1.3 dst 192.168.1.1 | |
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel | |
level required share any | |
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff | |
src 10.0.0.0/24 dst 10.0.0.1/32 uid 0 | |
dir in action allow index 96 priority 371327 share any flag (0x00000000) | |
lifetime config: | |
limit: soft (INF)(bytes), hard (INF)(bytes) | |
limit: soft (INF)(packets), hard (INF)(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:06:22 use - | |
tmpl src 192.168.1.3 dst 192.168.1.1 | |
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel | |
level required share any | |
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff | |
src 192.168.1.1/32 dst 10.0.0.0/24 uid 0 | |
dir out action allow index 81 priority 371328 share any flag (0x00000000) | |
lifetime config: | |
limit: soft (INF)(bytes), hard (INF)(bytes) | |
limit: soft (INF)(packets), hard (INF)(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:05:45 use - | |
tmpl src 192.168.1.1 dst 192.168.1.3 | |
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel | |
level required share any | |
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff | |
src 10.0.0.0/24 dst 192.168.1.1/32 uid 0 | |
dir fwd action allow index 74 priority 371328 share any flag (0x00000000) | |
lifetime config: | |
limit: soft (INF)(bytes), hard (INF)(bytes) | |
limit: soft (INF)(packets), hard (INF)(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:05:45 use - | |
tmpl src 192.168.1.3 dst 192.168.1.1 | |
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel | |
level required share any | |
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff | |
src 10.0.0.0/24 dst 192.168.1.1/32 uid 0 | |
dir in action allow index 64 priority 371328 share any flag (0x00000000) | |
lifetime config: | |
limit: soft (INF)(bytes), hard (INF)(bytes) | |
limit: soft (INF)(packets), hard (INF)(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:05:45 use - | |
tmpl src 192.168.1.3 dst 192.168.1.1 | |
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel | |
level required share any | |
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff | |
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0 | |
socket in action allow index 59 priority 0 share any flag (0x00000000) | |
lifetime config: | |
limit: soft 0(bytes), hard 0(bytes) | |
limit: soft 0(packets), hard 0(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:05:45 use 2017-09-05 19:06:22 | |
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0 | |
socket out action allow index 52 priority 0 share any flag (0x00000000) | |
lifetime config: | |
limit: soft 0(bytes), hard 0(bytes) | |
limit: soft 0(packets), hard 0(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:05:45 use 2017-09-05 19:06:22 | |
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0 | |
socket in action allow index 43 priority 0 share any flag (0x00000000) | |
lifetime config: | |
limit: soft 0(bytes), hard 0(bytes) | |
limit: soft 0(packets), hard 0(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:05:45 use 2017-09-05 19:06:22 | |
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0 | |
socket out action allow index 36 priority 0 share any flag (0x00000000) | |
lifetime config: | |
limit: soft 0(bytes), hard 0(bytes) | |
limit: soft 0(packets), hard 0(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:05:45 use 2017-09-05 19:06:22 | |
src ::/0 dst ::/0 uid 0 | |
socket in action allow index 27 priority 0 share any flag (0x00000000) | |
lifetime config: | |
limit: soft 0(bytes), hard 0(bytes) | |
limit: soft 0(packets), hard 0(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:05:45 use - | |
src ::/0 dst ::/0 uid 0 | |
socket out action allow index 20 priority 0 share any flag (0x00000000) | |
lifetime config: | |
limit: soft 0(bytes), hard 0(bytes) | |
limit: soft 0(packets), hard 0(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:05:45 use - | |
src ::/0 dst ::/0 uid 0 | |
socket in action allow index 11 priority 0 share any flag (0x00000000) | |
lifetime config: | |
limit: soft 0(bytes), hard 0(bytes) | |
limit: soft 0(packets), hard 0(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:05:45 use - | |
src ::/0 dst ::/0 uid 0 | |
socket out action allow index 4 priority 0 share any flag (0x00000000) | |
lifetime config: | |
limit: soft 0(bytes), hard 0(bytes) | |
limit: soft 0(packets), hard 0(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:05:45 use - | |
$ ip -s xfrm state | |
src 10.0.0.1/32 dst 10.0.0.0/24 uid 0 | |
dir out action allow index 89 priority 371327 share any flag (0x00000000) | |
lifetime config: | |
limit: soft (INF)(bytes), hard (INF)(bytes) | |
limit: soft (INF)(packets), hard (INF)(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:06:22 use - | |
tmpl src 192.168.1.1 dst 192.168.1.3 | |
proto esp spi 0xc8538487(3360916615) reqid 1(0x00000001) mode tunnel | |
level required share any | |
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff | |
src 10.0.0.0/24 dst 10.0.0.1/32 uid 0 | |
dir fwd action allow index 106 priority 371327 share any flag (0x00000000) | |
lifetime config: | |
limit: soft (INF)(bytes), hard (INF)(bytes) | |
limit: soft (INF)(packets), hard (INF)(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:06:22 use - | |
tmpl src 192.168.1.3 dst 192.168.1.1 | |
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel | |
level required share any | |
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff | |
src 10.0.0.0/24 dst 10.0.0.1/32 uid 0 | |
dir in action allow index 96 priority 371327 share any flag (0x00000000) | |
lifetime config: | |
limit: soft (INF)(bytes), hard (INF)(bytes) | |
limit: soft (INF)(packets), hard (INF)(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:06:22 use - | |
tmpl src 192.168.1.3 dst 192.168.1.1 | |
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel | |
level required share any | |
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff | |
src 192.168.1.1/32 dst 10.0.0.0/24 uid 0 | |
dir out action allow index 81 priority 371328 share any flag (0x00000000) | |
lifetime config: | |
limit: soft (INF)(bytes), hard (INF)(bytes) | |
limit: soft (INF)(packets), hard (INF)(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:05:45 use - | |
tmpl src 192.168.1.1 dst 192.168.1.3 | |
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel | |
level required share any | |
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff | |
src 10.0.0.0/24 dst 192.168.1.1/32 uid 0 | |
dir fwd action allow index 74 priority 371328 share any flag (0x00000000) | |
lifetime config: | |
limit: soft (INF)(bytes), hard (INF)(bytes) | |
limit: soft (INF)(packets), hard (INF)(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:05:45 use - | |
tmpl src 192.168.1.3 dst 192.168.1.1 | |
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel | |
level required share any | |
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff | |
src 10.0.0.0/24 dst 192.168.1.1/32 uid 0 | |
dir in action allow index 64 priority 371328 share any flag (0x00000000) | |
lifetime config: | |
limit: soft (INF)(bytes), hard (INF)(bytes) | |
limit: soft (INF)(packets), hard (INF)(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:05:45 use - | |
tmpl src 192.168.1.3 dst 192.168.1.1 | |
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel | |
level required share any | |
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff | |
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0 | |
socket in action allow index 59 priority 0 share any flag (0x00000000) | |
lifetime config: | |
limit: soft 0(bytes), hard 0(bytes) | |
limit: soft 0(packets), hard 0(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:05:45 use 2017-09-05 19:06:22 | |
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0 | |
socket out action allow index 52 priority 0 share any flag (0x00000000) | |
lifetime config: | |
limit: soft 0(bytes), hard 0(bytes) | |
limit: soft 0(packets), hard 0(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:05:45 use 2017-09-05 19:06:22 | |
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0 | |
socket in action allow index 43 priority 0 share any flag (0x00000000) | |
lifetime config: | |
limit: soft 0(bytes), hard 0(bytes) | |
limit: soft 0(packets), hard 0(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:05:45 use 2017-09-05 19:06:22 | |
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0 | |
socket out action allow index 36 priority 0 share any flag (0x00000000) | |
lifetime config: | |
limit: soft 0(bytes), hard 0(bytes) | |
limit: soft 0(packets), hard 0(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:05:45 use 2017-09-05 19:06:22 | |
src ::/0 dst ::/0 uid 0 | |
socket in action allow index 27 priority 0 share any flag (0x00000000) | |
lifetime config: | |
limit: soft 0(bytes), hard 0(bytes) | |
limit: soft 0(packets), hard 0(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:05:45 use - | |
src ::/0 dst ::/0 uid 0 | |
socket out action allow index 20 priority 0 share any flag (0x00000000) | |
lifetime config: | |
limit: soft 0(bytes), hard 0(bytes) | |
limit: soft 0(packets), hard 0(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:05:45 use - | |
src ::/0 dst ::/0 uid 0 | |
socket in action allow index 11 priority 0 share any flag (0x00000000) | |
lifetime config: | |
limit: soft 0(bytes), hard 0(bytes) | |
limit: soft 0(packets), hard 0(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:05:45 use - | |
src ::/0 dst ::/0 uid 0 | |
socket out action allow index 4 priority 0 share any flag (0x00000000) | |
lifetime config: | |
limit: soft 0(bytes), hard 0(bytes) | |
limit: soft 0(packets), hard 0(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:05:45 use - | |
$ iptables -S | |
-P INPUT ACCEPT | |
-P FORWARD ACCEPT | |
-P OUTPUT ACCEPT | |
-A INPUT -s 10.0.0.0/24 -d 10.0.0.1/32 -i eth1 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT | |
-A FORWARD -s 10.0.0.0/24 -d 10.0.0.1/32 -i eth1 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT | |
-A FORWARD -s 10.0.0.1/32 -d 10.0.0.0/24 -o eth1 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT | |
-A OUTPUT -s 10.0.0.1/32 -d 10.0.0.0/24 -o eth1 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT | |
$ ping 10.0.0.2 | |
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data. | |
From 192.168.1.3 icmp_seq=1 Destination Net Unreachable | |
From 192.168.1.3 icmp_seq=2 Destination Net Unreachable | |
From 192.168.1.3 icmp_seq=3 Destination Net Unreachable | |
From 192.168.1.3 icmp_seq=4 Destination Net Unreachable | |
--- 10.0.0.2 ping statistics --- | |
5 packets transmitted, 0 received, +4 errors, 100% packet loss, time 4097ms | |
$ cat /etc/swanctl/swanctl.conf | |
connections { | |
carol { | |
children { | |
carol { | |
remote_ts = 10.0.0.0/24 | |
start_action = trap | |
updown = /nix/store/jdcviy5z25xamq35g8k9qbdpskkx3w9g-strongswan-5.6.0/libexec/ipsec/_updown iptables | |
} | |
} | |
local-main { | |
auth = pubkey | |
certs = carolCert.der | |
id = carol | |
} | |
remote-main { | |
auth = pubkey | |
id = moon | |
} | |
remote_addrs = moon | |
vips = 0.0.0.0 | |
} | |
} | |
$ swanctl -i --child carol | |
[IKE] initiating IKE_SA carol[1] to 192.168.1.3 | |
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ] | |
[NET] sending packet: from 192.168.1.2[500] to 192.168.1.3[500] (642 bytes) | |
[NET] received packet: from 192.168.1.3[500] to 192.168.1.2[500] (267 bytes) | |
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ] | |
[IKE] received cert request for "C=CH, O=strongSwan, CN=strongSwan CA" | |
[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan CA" | |
[IKE] authentication of 'carol' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful | |
[IKE] sending end entity cert "C=CH, O=strongSwan, CN=carol" | |
[IKE] establishing CHILD_SA carol{2} | |
[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] | |
[ENC] splitting IKE message with length of 1440 bytes into 2 fragments | |
[ENC] generating IKE_AUTH request 1 [ EF(1/2) ] | |
[ENC] generating IKE_AUTH request 1 [ EF(2/2) ] | |
[NET] sending packet: from 192.168.1.2[4500] to 192.168.1.3[4500] (1236 bytes) | |
[NET] sending packet: from 192.168.1.2[4500] to 192.168.1.3[4500] (276 bytes) | |
[NET] received packet: from 192.168.1.3[4500] to 192.168.1.2[4500] (1236 bytes) | |
[ENC] parsed IKE_AUTH response 1 [ EF(1/2) ] | |
[ENC] received fragment #1 of 2, waiting for complete IKE message | |
[NET] received packet: from 192.168.1.3[4500] to 192.168.1.2[4500] (132 bytes) | |
[ENC] parsed IKE_AUTH response 1 [ EF(2/2) ] | |
[ENC] received fragment #2 of 2, reassembling fragmented IKE message | |
[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ] | |
[IKE] received end entity cert "C=CH, O=strongSwan, CN=moon" | |
[CFG] using certificate "C=CH, O=strongSwan, CN=moon" | |
[CFG] using trusted ca certificate "C=CH, O=strongSwan, CN=strongSwan CA" | |
[CFG] checking certificate status of "C=CH, O=strongSwan, CN=moon" | |
[CFG] certificate status is not available | |
[CFG] reached self-signed root ca with a path length of 0 | |
[IKE] authentication of 'moon' with RSA_EMSA_PKCS1_SHA2_256 successful | |
[IKE] IKE_SA carol[1] established between 192.168.1.2[carol]...192.168.1.3[moon] | |
[IKE] scheduling rekeying in 13734s | |
[IKE] maximum IKE_SA lifetime 15174s | |
[IKE] installing new virtual IP 10.0.0.2 | |
[IKE] CHILD_SA carol{2} established with SPIs cec507cf_i c81cedb0_o and TS 10.0.0.2/32 === 10.0.0.0/24 | |
initiate completed successfully | |
$ ip a | |
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1 | |
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 | |
inet 127.0.0.1/8 scope host lo | |
valid_lft forever preferred_lft forever | |
inet6 ::1/128 scope host | |
valid_lft forever preferred_lft forever | |
2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000 | |
link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff | |
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 | |
link/ether 52:54:00:12:01:02 brd ff:ff:ff:ff:ff:ff | |
inet 192.168.1.2/24 scope global eth1 | |
valid_lft forever preferred_lft forever | |
inet 10.0.0.2/32 scope global eth1 | |
valid_lft forever preferred_lft forever | |
inet6 fe80::5054:ff:fe12:102/64 scope link | |
valid_lft forever preferred_lft forever | |
$ ip route | |
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.2 | |
$ ip route list table 220 | |
10.0.0.0/24 via 192.168.1.3 dev eth1 proto static src 192.168.1.2 | |
$ ip -s xfrm policy | |
src 10.0.0.2/32 dst 10.0.0.0/24 uid 0 | |
dir out action allow index 89 priority 371327 share any flag (0x00000000) | |
lifetime config: | |
limit: soft (INF)(bytes), hard (INF)(bytes) | |
limit: soft (INF)(packets), hard (INF)(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:11:21 use - | |
tmpl src 192.168.1.2 dst 192.168.1.3 | |
proto esp spi 0xc81cedb0(3357339056) reqid 1(0x00000001) mode tunnel | |
level required share any | |
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff | |
src 10.0.0.0/24 dst 10.0.0.2/32 uid 0 | |
dir fwd action allow index 106 priority 371327 share any flag (0x00000000) | |
lifetime config: | |
limit: soft (INF)(bytes), hard (INF)(bytes) | |
limit: soft (INF)(packets), hard (INF)(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:11:21 use - | |
tmpl src 192.168.1.3 dst 192.168.1.2 | |
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel | |
level required share any | |
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff | |
src 10.0.0.0/24 dst 10.0.0.2/32 uid 0 | |
dir in action allow index 96 priority 371327 share any flag (0x00000000) | |
lifetime config: | |
limit: soft (INF)(bytes), hard (INF)(bytes) | |
limit: soft (INF)(packets), hard (INF)(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:11:21 use - | |
tmpl src 192.168.1.3 dst 192.168.1.2 | |
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel | |
level required share any | |
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff | |
src 192.168.1.2/32 dst 10.0.0.0/24 uid 0 | |
dir out action allow index 81 priority 371328 share any flag (0x00000000) | |
lifetime config: | |
limit: soft (INF)(bytes), hard (INF)(bytes) | |
limit: soft (INF)(packets), hard (INF)(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:05:45 use - | |
tmpl src 192.168.1.2 dst 192.168.1.3 | |
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel | |
level required share any | |
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff | |
src 10.0.0.0/24 dst 192.168.1.2/32 uid 0 | |
dir fwd action allow index 74 priority 371328 share any flag (0x00000000) | |
lifetime config: | |
limit: soft (INF)(bytes), hard (INF)(bytes) | |
limit: soft (INF)(packets), hard (INF)(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:05:45 use - | |
tmpl src 192.168.1.3 dst 192.168.1.2 | |
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel | |
level required share any | |
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff | |
src 10.0.0.0/24 dst 192.168.1.2/32 uid 0 | |
dir in action allow index 64 priority 371328 share any flag (0x00000000) | |
lifetime config: | |
limit: soft (INF)(bytes), hard (INF)(bytes) | |
limit: soft (INF)(packets), hard (INF)(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:05:45 use - | |
tmpl src 192.168.1.3 dst 192.168.1.2 | |
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel | |
level required share any | |
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff | |
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0 | |
socket in action allow index 59 priority 0 share any flag (0x00000000) | |
lifetime config: | |
limit: soft 0(bytes), hard 0(bytes) | |
limit: soft 0(packets), hard 0(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:05:45 use 2017-09-05 19:11:21 | |
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0 | |
socket out action allow index 52 priority 0 share any flag (0x00000000) | |
lifetime config: | |
limit: soft 0(bytes), hard 0(bytes) | |
limit: soft 0(packets), hard 0(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:05:45 use 2017-09-05 19:11:21 | |
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0 | |
socket in action allow index 43 priority 0 share any flag (0x00000000) | |
lifetime config: | |
limit: soft 0(bytes), hard 0(bytes) | |
limit: soft 0(packets), hard 0(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:05:45 use 2017-09-05 19:11:21 | |
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0 | |
socket out action allow index 36 priority 0 share any flag (0x00000000) | |
lifetime config: | |
limit: soft 0(bytes), hard 0(bytes) | |
limit: soft 0(packets), hard 0(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:05:45 use 2017-09-05 19:11:21 | |
src ::/0 dst ::/0 uid 0 | |
socket in action allow index 27 priority 0 share any flag (0x00000000) | |
lifetime config: | |
limit: soft 0(bytes), hard 0(bytes) | |
limit: soft 0(packets), hard 0(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:05:45 use - | |
src ::/0 dst ::/0 uid 0 | |
socket out action allow index 20 priority 0 share any flag (0x00000000) | |
lifetime config: | |
limit: soft 0(bytes), hard 0(bytes) | |
limit: soft 0(packets), hard 0(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:05:45 use - | |
src ::/0 dst ::/0 uid 0 | |
socket in action allow index 11 priority 0 share any flag (0x00000000) | |
lifetime config: | |
limit: soft 0(bytes), hard 0(bytes) | |
limit: soft 0(packets), hard 0(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:05:45 use - | |
src ::/0 dst ::/0 uid 0 | |
socket out action allow index 4 priority 0 share any flag (0x00000000) | |
lifetime config: | |
limit: soft 0(bytes), hard 0(bytes) | |
limit: soft 0(packets), hard 0(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:05:45 use - | |
$ ip -s xfrm state | |
src 192.168.1.2 dst 192.168.1.3 | |
proto esp spi 0xc81cedb0(3357339056) reqid 1(0x00000001) mode tunnel | |
replay-window 0 seq 0x00000000 flag af-unspec (0x00100000) | |
auth-trunc hmac(sha256) 0x05c98ea8705ed13c55c4fd650d314044b9a92bbe088c9af2fbbf007b03909e45 (256 bits) 128 | |
enc cbc(aes) 0xac840a5ba1434f94d9ef1c6d5504351f (128 bits) | |
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000 | |
lifetime config: | |
limit: soft (INF)(bytes), hard (INF)(bytes) | |
limit: soft (INF)(packets), hard (INF)(packets) | |
expire add: soft 3442(sec), hard 3960(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:11:21 use - | |
stats: | |
replay-window 0 replay 0 failed 0 | |
src 192.168.1.3 dst 192.168.1.2 | |
proto esp spi 0xcec507cf(3469019087) reqid 1(0x00000001) mode tunnel | |
replay-window 32 seq 0x00000000 flag af-unspec (0x00100000) | |
auth-trunc hmac(sha256) 0x9dcc77ed0ad76d51c3237a55aa05e13064aa734347d557129aceea3bb2c15176 (256 bits) 128 | |
enc cbc(aes) 0x4c15691d02392fd511b070c6ce9a090a (128 bits) | |
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000 | |
lifetime config: | |
limit: soft (INF)(bytes), hard (INF)(bytes) | |
limit: soft (INF)(packets), hard (INF)(packets) | |
expire add: soft 3566(sec), hard 3960(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:11:21 use - | |
stats: | |
replay-window 0 replay 0 failed 0 | |
$ iptables -S | |
-P INPUT ACCEPT | |
-P FORWARD ACCEPT | |
-P OUTPUT ACCEPT | |
-A INPUT -s 10.0.0.0/24 -d 10.0.0.2/32 -i eth1 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT | |
-A FORWARD -s 10.0.0.0/24 -d 10.0.0.2/32 -i eth1 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT | |
-A FORWARD -s 10.0.0.2/32 -d 10.0.0.0/24 -o eth1 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT | |
-A OUTPUT -s 10.0.0.2/32 -d 10.0.0.0/24 -o eth1 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT | |
$ ping 10.0.0.1 | |
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. | |
From 192.168.1.3 icmp_seq=1 Destination Net Unreachable | |
From 192.168.1.3 icmp_seq=2 Destination Net Unreachable | |
From 192.168.1.3 icmp_seq=3 Destination Net Unreachable | |
From 192.168.1.3 icmp_seq=4 Destination Net Unreachable | |
--- 10.0.0.1 ping statistics --- | |
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3090ms | |
$ cat /etc/swanctl/swanctl.conf | |
connections { | |
alice { | |
children { | |
alice { | |
local_ts = 10.0.0.0/24 | |
updown = /nix/store/jdcviy5z25xamq35g8k9qbdpskkx3w9g-strongswan-5.6.0/libexec/ipsec/_updown iptables | |
} | |
} | |
local-main { | |
auth = pubkey | |
certs = moonCert.der | |
id = moon | |
} | |
pools = alice | |
remote-main { | |
auth = pubkey | |
id = alice | |
} | |
} | |
carol { | |
children { | |
carol { | |
local_ts = 10.0.0.0/24 | |
updown = /nix/store/jdcviy5z25xamq35g8k9qbdpskkx3w9g-strongswan-5.6.0/libexec/ipsec/_updown iptables | |
} | |
} | |
local-main { | |
auth = pubkey | |
certs = moonCert.der | |
id = moon | |
} | |
pools = carol | |
remote-main { | |
auth = pubkey | |
id = carol | |
} | |
} | |
} | |
pools { | |
alice { | |
addrs = 10.0.0.1 | |
} | |
carol { | |
addrs = 10.0.0.2 | |
} | |
} | |
$ swanctl -l | |
carol: #2, ESTABLISHED, IKEv2, 62b3f477df9fa246_i f29f15a68d9a2e37_r* | |
local 'moon' @ 192.168.1.3[4500] | |
remote 'carol' @ 192.168.1.2[4500] [10.0.0.2] | |
AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519 | |
established 152s ago, rekeying in 13452s | |
carol: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA2_256_128 | |
installed 152s ago, rekeying in 3230s, expires in 3808s | |
in c81cedb0, 0 bytes, 0 packets | |
out cec507cf, 0 bytes, 0 packets | |
local 10.0.0.0/24 | |
remote 10.0.0.2/32 | |
alice: #1, ESTABLISHED, IKEv2, 1a0067d03deb6537_i 76ebfdb78048f0d4_r* | |
local 'moon' @ 192.168.1.3[4500] | |
remote 'alice' @ 192.168.1.1[4500] [10.0.0.1] | |
AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519 | |
established 451s ago, rekeying in 13420s | |
alice: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA2_256_128 | |
installed 451s ago, rekeying in 2812s, expires in 3509s | |
in c8538487, 0 bytes, 0 packets | |
out c890d03e, 0 bytes, 0 packets | |
local 10.0.0.0/24 | |
remote 10.0.0.1/32 | |
$ ip a | |
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1 | |
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 | |
inet 127.0.0.1/8 scope host lo | |
valid_lft forever preferred_lft forever | |
inet6 ::1/128 scope host | |
valid_lft forever preferred_lft forever | |
2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000 | |
link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff | |
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 | |
link/ether 52:54:00:12:01:03 brd ff:ff:ff:ff:ff:ff | |
inet 192.168.1.3/24 scope global eth1 | |
valid_lft forever preferred_lft forever | |
inet6 fe80::5054:ff:fe12:103/64 scope link | |
valid_lft forever preferred_lft forever | |
$ ip route | |
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.3 | |
$ ip route list table 220 | |
$ ip -s xfrm policy | |
src 10.0.0.0/24 dst 10.0.0.2/32 uid 0 | |
dir out action allow index 89 priority 371327 share any flag (0x00000000) | |
lifetime config: | |
limit: soft (INF)(bytes), hard (INF)(bytes) | |
limit: soft (INF)(packets), hard (INF)(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:11:21 use - | |
tmpl src 192.168.1.3 dst 192.168.1.2 | |
proto esp spi 0xcec507cf(3469019087) reqid 2(0x00000002) mode tunnel | |
level required share any | |
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff | |
src 10.0.0.2/32 dst 10.0.0.0/24 uid 0 | |
dir fwd action allow index 106 priority 371327 share any flag (0x00000000) | |
lifetime config: | |
limit: soft (INF)(bytes), hard (INF)(bytes) | |
limit: soft (INF)(packets), hard (INF)(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:11:21 use - | |
tmpl src 192.168.1.2 dst 192.168.1.3 | |
proto esp spi 0x00000000(0) reqid 2(0x00000002) mode tunnel | |
level required share any | |
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff | |
src 10.0.0.2/32 dst 10.0.0.0/24 uid 0 | |
dir in action allow index 96 priority 371327 share any flag (0x00000000) | |
lifetime config: | |
limit: soft (INF)(bytes), hard (INF)(bytes) | |
limit: soft (INF)(packets), hard (INF)(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:11:21 use - | |
tmpl src 192.168.1.2 dst 192.168.1.3 | |
proto esp spi 0x00000000(0) reqid 2(0x00000002) mode tunnel | |
level required share any | |
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff | |
src 10.0.0.0/24 dst 10.0.0.1/32 uid 0 | |
dir out action allow index 65 priority 371327 share any flag (0x00000000) | |
lifetime config: | |
limit: soft (INF)(bytes), hard (INF)(bytes) | |
limit: soft (INF)(packets), hard (INF)(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:06:22 use - | |
tmpl src 192.168.1.3 dst 192.168.1.1 | |
proto esp spi 0xc890d03e(3364933694) reqid 1(0x00000001) mode tunnel | |
level required share any | |
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff | |
src 10.0.0.1/32 dst 10.0.0.0/24 uid 0 | |
dir fwd action allow index 82 priority 371327 share any flag (0x00000000) | |
lifetime config: | |
limit: soft (INF)(bytes), hard (INF)(bytes) | |
limit: soft (INF)(packets), hard (INF)(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:06:22 use - | |
tmpl src 192.168.1.1 dst 192.168.1.3 | |
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel | |
level required share any | |
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff | |
src 10.0.0.1/32 dst 10.0.0.0/24 uid 0 | |
dir in action allow index 72 priority 371327 share any flag (0x00000000) | |
lifetime config: | |
limit: soft (INF)(bytes), hard (INF)(bytes) | |
limit: soft (INF)(packets), hard (INF)(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:06:22 use - | |
tmpl src 192.168.1.1 dst 192.168.1.3 | |
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel | |
level required share any | |
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff | |
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0 | |
socket in action allow index 59 priority 0 share any flag (0x00000000) | |
lifetime config: | |
limit: soft 0(bytes), hard 0(bytes) | |
limit: soft 0(packets), hard 0(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:05:45 use 2017-09-05 19:11:21 | |
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0 | |
socket out action allow index 52 priority 0 share any flag (0x00000000) | |
lifetime config: | |
limit: soft 0(bytes), hard 0(bytes) | |
limit: soft 0(packets), hard 0(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:05:45 use 2017-09-05 19:11:21 | |
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0 | |
socket in action allow index 43 priority 0 share any flag (0x00000000) | |
lifetime config: | |
limit: soft 0(bytes), hard 0(bytes) | |
limit: soft 0(packets), hard 0(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:05:45 use 2017-09-05 19:11:21 | |
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0 | |
socket out action allow index 36 priority 0 share any flag (0x00000000) | |
lifetime config: | |
limit: soft 0(bytes), hard 0(bytes) | |
limit: soft 0(packets), hard 0(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:05:45 use 2017-09-05 19:11:21 | |
src ::/0 dst ::/0 uid 0 | |
socket in action allow index 27 priority 0 share any flag (0x00000000) | |
lifetime config: | |
limit: soft 0(bytes), hard 0(bytes) | |
limit: soft 0(packets), hard 0(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:05:45 use - | |
src ::/0 dst ::/0 uid 0 | |
socket out action allow index 20 priority 0 share any flag (0x00000000) | |
lifetime config: | |
limit: soft 0(bytes), hard 0(bytes) | |
limit: soft 0(packets), hard 0(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:05:45 use - | |
src ::/0 dst ::/0 uid 0 | |
socket in action allow index 11 priority 0 share any flag (0x00000000) | |
lifetime config: | |
limit: soft 0(bytes), hard 0(bytes) | |
limit: soft 0(packets), hard 0(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:05:45 use - | |
src ::/0 dst ::/0 uid 0 | |
socket out action allow index 4 priority 0 share any flag (0x00000000) | |
lifetime config: | |
limit: soft 0(bytes), hard 0(bytes) | |
limit: soft 0(packets), hard 0(packets) | |
expire add: soft 0(sec), hard 0(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:05:45 use - | |
$ ip -s xfrm state | |
src 192.168.1.3 dst 192.168.1.2 | |
proto esp spi 0xcec507cf(3469019087) reqid 2(0x00000002) mode tunnel | |
replay-window 0 seq 0x00000000 flag af-unspec (0x00100000) | |
auth-trunc hmac(sha256) 0x9dcc77ed0ad76d51c3237a55aa05e13064aa734347d557129aceea3bb2c15176 (256 bits) 128 | |
enc cbc(aes) 0x4c15691d02392fd511b070c6ce9a090a (128 bits) | |
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000 | |
lifetime config: | |
limit: soft (INF)(bytes), hard (INF)(bytes) | |
limit: soft (INF)(packets), hard (INF)(packets) | |
expire add: soft 3479(sec), hard 3960(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:11:21 use - | |
stats: | |
replay-window 0 replay 0 failed 0 | |
src 192.168.1.2 dst 192.168.1.3 | |
proto esp spi 0xc81cedb0(3357339056) reqid 2(0x00000002) mode tunnel | |
replay-window 32 seq 0x00000000 flag af-unspec (0x00100000) | |
auth-trunc hmac(sha256) 0x05c98ea8705ed13c55c4fd650d314044b9a92bbe088c9af2fbbf007b03909e45 (256 bits) 128 | |
enc cbc(aes) 0xac840a5ba1434f94d9ef1c6d5504351f (128 bits) | |
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000 | |
lifetime config: | |
limit: soft (INF)(bytes), hard (INF)(bytes) | |
limit: soft (INF)(packets), hard (INF)(packets) | |
expire add: soft 3382(sec), hard 3960(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:11:21 use - | |
stats: | |
replay-window 0 replay 0 failed 0 | |
src 192.168.1.3 dst 192.168.1.1 | |
proto esp spi 0xc890d03e(3364933694) reqid 1(0x00000001) mode tunnel | |
replay-window 0 seq 0x00000000 flag af-unspec (0x00100000) | |
auth-trunc hmac(sha256) 0xc2ea9acec79ad952321d77b0db201a1a0f545461e08db492d5877c0331be371e (256 bits) 128 | |
enc cbc(aes) 0xd1f8588fae85eece46275854e5a33565 (128 bits) | |
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000 | |
lifetime config: | |
limit: soft (INF)(bytes), hard (INF)(bytes) | |
limit: soft (INF)(packets), hard (INF)(packets) | |
expire add: soft 3339(sec), hard 3960(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:06:22 use - | |
stats: | |
replay-window 0 replay 0 failed 0 | |
src 192.168.1.1 dst 192.168.1.3 | |
proto esp spi 0xc8538487(3360916615) reqid 1(0x00000001) mode tunnel | |
replay-window 32 seq 0x00000000 flag af-unspec (0x00100000) | |
auth-trunc hmac(sha256) 0x9e0ca327f57fe3ded670e46df234941ce11100c3b03bc98999c2d40d87df5b6b (256 bits) 128 | |
enc cbc(aes) 0xc0c52fe740fb9365cf25e933efba0325 (128 bits) | |
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000 | |
lifetime config: | |
limit: soft (INF)(bytes), hard (INF)(bytes) | |
limit: soft (INF)(packets), hard (INF)(packets) | |
expire add: soft 3263(sec), hard 3960(sec) | |
expire use: soft 0(sec), hard 0(sec) | |
lifetime current: | |
0(bytes), 0(packets) | |
add 2017-09-05 19:06:22 use - | |
stats: | |
replay-window 0 replay 0 failed 0 | |
$ iptables -S | |
-P INPUT ACCEPT | |
-P FORWARD ACCEPT | |
-P OUTPUT ACCEPT | |
-A FORWARD -s 10.0.0.2/32 -d 10.0.0.0/24 -i eth1 -m policy --dir in --pol ipsec --reqid 2 --proto esp -j ACCEPT | |
-A FORWARD -s 10.0.0.0/24 -d 10.0.0.2/32 -o eth1 -m policy --dir out --pol ipsec --reqid 2 --proto esp -j ACCEPT | |
-A FORWARD -s 10.0.0.1/32 -d 10.0.0.0/24 -i eth1 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT | |
-A FORWARD -s 10.0.0.0/24 -d 10.0.0.1/32 -o eth1 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT | |