miguemely · December 9, 2016 04:38
diff --git a/DN42-ChrisConvo b/DN42-ChrisConvo
 chrismoos> does your ipsec support public keys?
 <chrismoos> or just PSK
 <miguelr> seems I can do public keys.
 <chrismoos>  [znc] User not connected. Notification message sent.
 <chrismoos> cool
 <miguelr> Oh, seems ZNC doesnt like you haha.
 <chrismoos>  [znc] User not connected. Notification message sent.
 <chrismoos> ?
 <miguelr> "<chrismoos>  [znc] User not connected. Notification message sent."
 <chrismoos>  [znc] User not connected. Notification message sent.
 <chrismoos> oh, weird
 <miguelr> Yeah.
 <chrismoos>  [znc] User not connected. Notification message sent.
 <chrismoos> is that from my side or yours?
 <miguelr> your side.
 <chrismoos>  [znc] User not connected. Notification message sent.
 <miguelr> Since I'm not on ZNC.
 <chrismoos>  [znc] User not connected. Notification message sent.
 <chrismoos> hmm, weird
 <miguelr> agreed
 <chrismoos>  [znc] User not connected. Notification message sent.
 <chrismoos> i use a notify plugin
 <chrismoos> sends me email
 <miguelr> Figured
 <chrismoos>  [znc] User not connected. Notification message sent.
 <miguelr> You must be getting spammed right about now.
 <chrismoos>  [znc] User not connected. Notification message sent.
 <miguelr> Let me generate a public key for you...
 <chrismoos>  [znc] User not connected. Notification message sent.
 * chrismoos has quit (Remote host closed the connection)
 <chrismoos> there?
 <chrismoos> recompiled znc module and it crashed
 <chrismoos> yeah, if you can send me your public key
 <miguelr> yeah
 <miguelr> give me asec
 <miguelr> EdgeOS decides to be special and output it a certain way
 <miguelr> I mean I got this
 <miguelr> 0sAwEAAdsIlEm6dH2JZPJbyXZ+EwEH7ItAtLKc06ljRzLFOVyfvz9LtGxrxjfLDZIv14pkzZs/oD7wGB
 <miguelr> 1Fl7Yu3+jwH6G6oSY3b+/QMawH6Lex5gaC3pSMaCnEJkOA5LO9Sbgc/JQFk77PW0AzUf2eZAJn7CXiK2
 <miguelr> +y3P13WJRav0bMBZuFbkld9PBjbEdEveQLiEVQ+P50vvVnytGhpooWbnsd9IUZrKVW/6ux9yIlk0TawG
 <miguelr> Np7ohQYWn5ZsZq8uUhZBuPDvh5kem9Bowj8nYwtcwl6lpIINYbADb/0QQeoeTEs9s8qNz53GJs3XZuiy
 <miguelr> dWdGIO86iG6Gs/CgW7WEJ08YSHZDVjD6xYuPKlGCvCTW4wRmL2+yJOUGxNzqxvpDUxmKPGOaBoFvWHNJ
 <miguelr> tj1tEKgE7kd0L6+3Znocki1ixm6btUIqnPytJ7jjK7BALSquYFmpjfN5OojoY2u2DHZwkJDUbCbxIVb3
 <miguelr> kbevMGEB+slLB7LLpPl1rA2qwzSNbvGce0FD//YpRRpHzW30h/f+/pXwoYbf6uoUbIM4nR25jJmUXr8P
 <miguelr> K2vIZ+vcWtCX1ipXGXcMaShD5hNEjsLf1b+fPGCsfQCuOTIh4PxUjg+DPbubUxOF8ost8x/AbHBZZ+ck
 <miguelr> Le8pJYIa4RwRwFScV1zTnjrUV/pRdv/E5LN23+ZrVnXHW6uyc1
 <miguelr> but that doesnt seem right.
 <miguelr> http://pastebin.com/BRUwnJEH heres the pastebin version
 <miguelr> Bingo. Got it in a block.
 <miguelr> https://gist.github.com/miguemely/e83ee1c0ee9aced310500fb57a429dc1
 <miguelr> Hopefully that works for you.
 <chrismoos> yeah
 <chrismoos> great
 <chrismoos> here are my details
 <chrismoos> https://www.chrismoos.com/dn42-peering
 <chrismoos> can you set yours to: ike=aes256-sha256-modp1536!
 <chrismoos> esp=aes256-sha256-modp1536!
 <miguelr> Let me see how I can translate that to EdgeOS... haha
 <miguelr> tunnel mode for esp, i would imagine
 <miguelr> Curious, ikev1 or ikev2
 <chrismoos> ikev2
 <miguelr> Hmm... Don't know why it isn't connecting.
 <chrismoos> received AUTHENTICATION_FAILED notify error
 <chrismoos> can you check your log?
 <miguelr> Let me see where it is.
 <miguelr> Well I think i found the issue
 <miguelr> Connections:
 <miguelr> peer-107.170.29.134-tunnel-0:  73.1.142.180...107.170.29.134  IKEv2
 <miguelr> peer-107.170.29.134-tunnel-0:   local:  [73.1.142.180] uses public key authentication
 <miguelr> peer-107.170.29.134-tunnel-0:    cert:  "73.1.142.180"
 <miguelr> peer-107.170.29.134-tunnel-0:   remote: [107.170.29.134] uses public key authentication
 <miguelr> peer-107.170.29.134-tunnel-0:    cert:  "107.170.29.134"
 <miguelr> peer-107.170.29.134-tunnel-0:   child:  dynamic[gre] === dynamic[gre] TUNNEL
 <chrismoos> there we go
 <miguelr> ?
 <chrismoos> had to fix my id to use ip instead of DNS
 <miguelr> ah
 <miguelr> now to setup BGP.
 <chrismoos> let me send you my tunnel ip
 <miguelr> Alright.
 <chrismoos> 172.20.186.181
 <chrismoos> yours?
 <chrismoos> now, typically we setup a /31
 <chrismoos> for the tunnel
 <chrismoos> does that work for you?
 <chrismoos> 172.20.186.181/31
 <chrismoos> i'd be .181, you are .182
 <miguelr> Thats fine.
 <miguelr> Hold on
 <miguelr> Trying to learn this little by little.
 <chrismoos> cool
 <miguelr> By tunnel IP your refering to IP I assigned this router to the DN42net?
 <chrismoos> no, it's a separate thing
 <miguelr> and thats where I get lost, haha.
 <chrismoos> think of two servers next to each other with a GRE tunnel and a cable to each other
 <chrismoos> there is an interface on each side
 <chrismoos> if you setup a p2p link typically a /31 is used...meaning one ip address for each node
 <chrismoos> it represents the *direct* connection between the two
 <miguelr> I see.
 <miguelr> So basically, the local and remote IP, give or take?
 <chrismoos> yeah, essentially, and specific to the interface (the GRE tunnel)
 <miguelr> and I assign it from my block?
 <chrismoos> so, if you can't handle the /31 CIDR syntax then just use the ipaddresses directly
 <miguelr> no I can do CIDR .
 <chrismoos> so, typically one person on the peering assigns a /31
 <chrismoos> which is me in this case
 <miguelr> Ok.
 <miguelr> And I would put that in local, correct?
 <chrismoos> so, you'd add 172.20.186.182/31
 <chrismoos> which says .182 is your side, and .181 is mine
 <miguelr> Ok.
 <miguelr> and remote would be the DN42 full prefix, or would that be something else?
 <miguelr> Sorry for making you give me a lesson here.
 <chrismoos> oh actually, sorry, switch your CIDR to 172.20.186.183/31
 <miguelr> Done.
 <chrismoos> so on your GRE you have local/remote addresses?
 <miguelr> I have local set to that CIDR
 <miguelr> remote should be DN42, correct?
 <chrismoos> okay, set remote to 172.20.186.182/31
 <chrismoos> so this is really just the p2p link and not even related to BGP/dn42 really
 <chrismoos> except that we use dn42 routeable addresses for our p2p link
 <miguelr> Ahh that makes sense.
 <miguelr> vpn restarting
 * Disconnected (Connection reset by peer)
 * miguelr sets mode +i on miguelr
 -NickServ- This nickname is registered. Please choose a different nickname, or identify via /msg NickServ identify <password>.
 <miguelr> well something happened
 -NickServ- You are now identified for miguelr.
 -NickServ- 1 failed login since last login.
 -NickServ- Last failed attempt from: [email protected] on Dec 06 04:46:40 2016 +0000.
 <chrismoos> try dropping the CIDR, just use the addresses
 <miguelr> makes me use a CIDR.
 <miguelr> I do know on my old IPSec with another friends net, we used local for the subnet I had and remote for the complete subnet that everyone was on.
 <miguelr> Actually, let me ask this, do I have to change the interface IP (vlaned) from '172.20.235.33/27
 <miguelr> ', which would be my subnet?
 <chrismoos> it crashes when you set it?
 <miguelr> No, just bliped my internet for a second.
 <miguelr> and errors out saying (Invalid prefix)
 <miguelr> I do know the example config they have on DN42 doesnt make me set local or remote tho.
 <miguelr> And it connected fine without it.
 <chrismoos> https://wiki.dn42.us/howto/EdgeOS-GRE-IPsec-Example
 <chrismoos> tunnel tun0 {
 <chrismoos>         address 172.23.248.10/31
 <chrismoos>         description "CREST-DN42 AS64828"
 <chrismoos>         encapsulation gre
 <chrismoos>         local-ip 192.0.2.2
 <chrismoos>         mtu 1400
 <chrismoos>         multicast disable
 <chrismoos>         remote-ip 192.0.2.243
 <chrismoos>         ttl 255
 <chrismoos>     }
 <chrismoos> can you just set local-ip to 172.20.186.183
 <chrismoos> and remote-ip to 172.20.186.12
 <chrismoos> err, .182
 <miguelr> ohhh
 <miguelr> Ok I see now
 <miguelr> Let's try this...
 <miguelr> Did you get an error on your side?
 <miguelr> Connections:
 <miguelr> peer-107.170.29.134-tunnel-0:  73.1.142.180...107.170.29.134  IKEv2
 <miguelr> peer-107.170.29.134-tunnel-0:   local:  [73.1.142.180] uses public key authentication
 <miguelr> peer-107.170.29.134-tunnel-0:    cert:  "73.1.142.180"
 <miguelr> peer-107.170.29.134-tunnel-0:   remote: [107.170.29.134] uses public key authentication
 <miguelr> peer-107.170.29.134-tunnel-0:    cert:  "107.170.29.134"
 <miguelr> peer-107.170.29.134-tunnel-0:   child:  dynamic[gre] === dynamic[gre] TUNNEL
 <miguelr> oh it finally connected
 <chrismoos> yeah seems up
 <miguelr> Now from here...now what?
 <miguelr> I presume make a BGP using my AS?
 <chrismoos> still can't ping you
 <chrismoos> do you see the pings?
 <miguelr> Let me check the fw
 <miguelr> let me try pinging you. What should I ping? 
 <chrismoos> 172.20.186.182
 <miguelr> Hmm
 <miguelr> Yeah I can't ping you. What the hell
 <miguelr> hmm
 <miguelr> I configured remote and local and strongswan still does this
 <miguelr>   local  '73.1.142.180' @ 73.1.142.180
 <miguelr>   remote '107.170.29.134' @ 107.170.29.134
 <miguelr>   AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
 <miguelr>   established 675s ago, rekeying in 27336s
 <miguelr>   peer-107.170.29.134-tunnel-0: #1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
 <miguelr>     installed 675 ago, rekeying in 1892s, expires in 2925s
 <miguelr>     in  cf0d2001,  38124 bytes,   353 packets,     0s ago
 <miguelr>     out cd409182,      0 bytes,     0 packets
 <miguelr>     local  73.1.142.180/32[gre]
 <miguelr>     remote 107.170.29.134/32[gre]
 <chrismoos> seems like you are receiving packets from me
 <miguelr> Yeah I saw
 <miguelr> but nothing out 
 <miguelr> let me check rules one last time
 <miguelr> Hopefully this update should fix it.
 * Disconnected (Connection reset by peer)
 * Disconnected (Connection reset by peer)
 * Disconnected (Connection reset by peer)
 * Disconnected (Connection reset by peer)
 * Disconnected (Connection reset by peer)
 * Disconnected (Connection reset by peer)
 <miguelr> Hey you awake? I think I can make this easier now.
 <miguelr> https://gist.github.com/miguemely/eb0b8832cbe16c62ffa01a1f1ab88f1e is the new key. Hopefully, I can set this up correctly.
 <miguelr> Using Mikrotik now.
 <chrismoos> hey
 <chrismoos> so you want to try again?
 <chrismoos> let me add your key
 <chrismoos> same IP address?
 <miguelr> Yup
 <miguelr> I'm also trying with Elephant
 <chrismoos> hm, i get no response
 <chrismoos> make sure your firewall allows ipsec
 <miguelr> I turrned it off
 <miguelr> one sec
 <miguelr> actually
 <miguelr> it should be on
 <chrismoos> sending packet: from 107.170.29.134[500] to 73.1.142.180[500] (368 bytes)
 <chrismoos> no response
 <miguelr> [email protected]] > ip addr print
 <miguelr> Flags: X - disabled, I - invalid, D - dynamic 
 <miguelr>  #   ADDRESS            NETWORK         INTERFACE                                
 <miguelr>  0   10.250.0.1/24      10.250.0.0      vlan5                                    
 <miguelr>  1   192.168.1.1/24     192.168.1.0     ether3                                   
 <miguelr>  2   10.254.1.1/24      10.254.1.0      vlan1                                    
 <miguelr>  3   10.203.0.1/16      10.203.0.0      vlan2                                    
 <miguelr>  4 D 73.1.142.180/22    73.1.140.0      ether1                                   
 <miguelr>  5   44.98.17.33/8      44.0.0.0        ucsd                                     
 <miguelr>  6   172.22.150.73/31   172.22.150.72   gre-tunnel1      
 <miguelr> woops
 <miguelr> http://i.netrouter.us/winbox_2016-12-08_15-56-56.jpg
 <miguelr> I got that
 <miguelr> So I recieved it
 <miguelr> It looks like im sending responses.
 <miguelr> http://i.netrouter.us/Wireshark_2016-12-08_16-22-37.jpg
 <chrismoos> okay, made progress
 <chrismoos> you were using ikev1
 <chrismoos> i've switch mine to ikev1 
 <chrismoos> what are your p2 settings?
 <chrismoos> algorithm
 <miguelr> should be the same set
 <miguelr> sorry not home atm
 <miguelr> on teamviewer
 <miguelr> You on?
 * [chrismoos] (~chrismoos@hackint/user/chrismoos): Chris Moos
 * [chrismoos] #tombii #dn42 #chaosvpn 
 * [chrismoos] ing.hackint.org :irc.hamburg.ccc.de
 * [chrismoos] is using a secure connection
 * [chrismoos] is logged in as chrismoos
 * [chrismoos] End of WHOIS list.
 <miguelr> Test?
	chrismoos> does your ipsec support public keys?
	<chrismoos> or just PSK
	<miguelr> seems I can do public keys.
	<chrismoos> [znc] User not connected. Notification message sent.
	<chrismoos> cool
	<miguelr> Oh, seems ZNC doesnt like you haha.
	<chrismoos> [znc] User not connected. Notification message sent.
	<chrismoos> ?
	<miguelr> "<chrismoos> [znc] User not connected. Notification message sent."
	<chrismoos> [znc] User not connected. Notification message sent.
	<chrismoos> oh, weird
	<miguelr> Yeah.
	<chrismoos> [znc] User not connected. Notification message sent.
	<chrismoos> is that from my side or yours?
	<miguelr> your side.
	<chrismoos> [znc] User not connected. Notification message sent.
	<miguelr> Since I'm not on ZNC.
	<chrismoos> [znc] User not connected. Notification message sent.
	<chrismoos> hmm, weird
	<miguelr> agreed
	<chrismoos> [znc] User not connected. Notification message sent.
	<chrismoos> i use a notify plugin
	<chrismoos> sends me email
	<miguelr> Figured
	<chrismoos> [znc] User not connected. Notification message sent.
	<miguelr> You must be getting spammed right about now.
	<chrismoos> [znc] User not connected. Notification message sent.
	<miguelr> Let me generate a public key for you...
	<chrismoos> [znc] User not connected. Notification message sent.
	* chrismoos has quit (Remote host closed the connection)
	<chrismoos> there?
	<chrismoos> recompiled znc module and it crashed
	<chrismoos> yeah, if you can send me your public key
	<miguelr> yeah
	<miguelr> give me asec
	<miguelr> EdgeOS decides to be special and output it a certain way
	<miguelr> I mean I got this
	<miguelr> 0sAwEAAdsIlEm6dH2JZPJbyXZ+EwEH7ItAtLKc06ljRzLFOVyfvz9LtGxrxjfLDZIv14pkzZs/oD7wGB
	<miguelr> 1Fl7Yu3+jwH6G6oSY3b+/QMawH6Lex5gaC3pSMaCnEJkOA5LO9Sbgc/JQFk77PW0AzUf2eZAJn7CXiK2
	<miguelr> +y3P13WJRav0bMBZuFbkld9PBjbEdEveQLiEVQ+P50vvVnytGhpooWbnsd9IUZrKVW/6ux9yIlk0TawG
	<miguelr> Np7ohQYWn5ZsZq8uUhZBuPDvh5kem9Bowj8nYwtcwl6lpIINYbADb/0QQeoeTEs9s8qNz53GJs3XZuiy
	<miguelr> dWdGIO86iG6Gs/CgW7WEJ08YSHZDVjD6xYuPKlGCvCTW4wRmL2+yJOUGxNzqxvpDUxmKPGOaBoFvWHNJ
	<miguelr> tj1tEKgE7kd0L6+3Znocki1ixm6btUIqnPytJ7jjK7BALSquYFmpjfN5OojoY2u2DHZwkJDUbCbxIVb3
	<miguelr> kbevMGEB+slLB7LLpPl1rA2qwzSNbvGce0FD//YpRRpHzW30h/f+/pXwoYbf6uoUbIM4nR25jJmUXr8P
	<miguelr> K2vIZ+vcWtCX1ipXGXcMaShD5hNEjsLf1b+fPGCsfQCuOTIh4PxUjg+DPbubUxOF8ost8x/AbHBZZ+ck
	<miguelr> Le8pJYIa4RwRwFScV1zTnjrUV/pRdv/E5LN23+ZrVnXHW6uyc1
	<miguelr> but that doesnt seem right.
	<miguelr> http://pastebin.com/BRUwnJEH heres the pastebin version
	<miguelr> Bingo. Got it in a block.
	<miguelr> https://gist.github.com/miguemely/e83ee1c0ee9aced310500fb57a429dc1
	<miguelr> Hopefully that works for you.
	<chrismoos> yeah
	<chrismoos> great
	<chrismoos> here are my details
	<chrismoos> https://www.chrismoos.com/dn42-peering
	<chrismoos> can you set yours to: ike=aes256-sha256-modp1536!
	<chrismoos> esp=aes256-sha256-modp1536!
	<miguelr> Let me see how I can translate that to EdgeOS... haha
	<miguelr> tunnel mode for esp, i would imagine
	<miguelr> Curious, ikev1 or ikev2
	<chrismoos> ikev2
	<miguelr> Hmm... Don't know why it isn't connecting.
	<chrismoos> received AUTHENTICATION_FAILED notify error
	<chrismoos> can you check your log?
	<miguelr> Let me see where it is.
	<miguelr> Well I think i found the issue
	<miguelr> Connections:
	<miguelr> peer-107.170.29.134-tunnel-0: 73.1.142.180...107.170.29.134 IKEv2
	<miguelr> peer-107.170.29.134-tunnel-0: local: [73.1.142.180] uses public key authentication
	<miguelr> peer-107.170.29.134-tunnel-0: cert: "73.1.142.180"
	<miguelr> peer-107.170.29.134-tunnel-0: remote: [107.170.29.134] uses public key authentication
	<miguelr> peer-107.170.29.134-tunnel-0: cert: "107.170.29.134"
	<miguelr> peer-107.170.29.134-tunnel-0: child: dynamic[gre] === dynamic[gre] TUNNEL
	<chrismoos> there we go
	<miguelr> ?
	<chrismoos> had to fix my id to use ip instead of DNS
	<miguelr> ah
	<miguelr> now to setup BGP.
	<chrismoos> let me send you my tunnel ip
	<miguelr> Alright.
	<chrismoos> 172.20.186.181
	<chrismoos> yours?
	<chrismoos> now, typically we setup a /31
	<chrismoos> for the tunnel
	<chrismoos> does that work for you?
	<chrismoos> 172.20.186.181/31
	<chrismoos> i'd be .181, you are .182
	<miguelr> Thats fine.
	<miguelr> Hold on
	<miguelr> Trying to learn this little by little.
	<chrismoos> cool
	<miguelr> By tunnel IP your refering to IP I assigned this router to the DN42net?
	<chrismoos> no, it's a separate thing
	<miguelr> and thats where I get lost, haha.
	<chrismoos> think of two servers next to each other with a GRE tunnel and a cable to each other
	<chrismoos> there is an interface on each side
	<chrismoos> if you setup a p2p link typically a /31 is used...meaning one ip address for each node
	<chrismoos> it represents the direct connection between the two
	<miguelr> I see.
	<miguelr> So basically, the local and remote IP, give or take?
	<chrismoos> yeah, essentially, and specific to the interface (the GRE tunnel)
	<miguelr> and I assign it from my block?
	<chrismoos> so, if you can't handle the /31 CIDR syntax then just use the ipaddresses directly
	<miguelr> no I can do CIDR .
	<chrismoos> so, typically one person on the peering assigns a /31
	<chrismoos> which is me in this case
	<miguelr> Ok.
	<miguelr> And I would put that in local, correct?
	<chrismoos> so, you'd add 172.20.186.182/31
	<chrismoos> which says .182 is your side, and .181 is mine
	<miguelr> Ok.
	<miguelr> and remote would be the DN42 full prefix, or would that be something else?
	<miguelr> Sorry for making you give me a lesson here.
	<chrismoos> oh actually, sorry, switch your CIDR to 172.20.186.183/31
	<miguelr> Done.
	<chrismoos> so on your GRE you have local/remote addresses?
	<miguelr> I have local set to that CIDR
	<miguelr> remote should be DN42, correct?
	<chrismoos> okay, set remote to 172.20.186.182/31
	<chrismoos> so this is really just the p2p link and not even related to BGP/dn42 really
	<chrismoos> except that we use dn42 routeable addresses for our p2p link
	<miguelr> Ahh that makes sense.
	<miguelr> vpn restarting
	* Disconnected (Connection reset by peer)
	* miguelr sets mode +i on miguelr
	-NickServ- This nickname is registered. Please choose a different nickname, or identify via /msg NickServ identify <password>.
	<miguelr> well something happened
	-NickServ- You are now identified for miguelr.
	-NickServ- 1 failed login since last login.
	-NickServ- Last failed attempt from: [email protected] on Dec 06 04:46:40 2016 +0000.
	<chrismoos> try dropping the CIDR, just use the addresses
	<miguelr> makes me use a CIDR.
	<miguelr> I do know on my old IPSec with another friends net, we used local for the subnet I had and remote for the complete subnet that everyone was on.
	<miguelr> Actually, let me ask this, do I have to change the interface IP (vlaned) from '172.20.235.33/27
	<miguelr> ', which would be my subnet?
	<chrismoos> it crashes when you set it?
	<miguelr> No, just bliped my internet for a second.
	<miguelr> and errors out saying (Invalid prefix)
	<miguelr> I do know the example config they have on DN42 doesnt make me set local or remote tho.
	<miguelr> And it connected fine without it.
	<chrismoos> https://wiki.dn42.us/howto/EdgeOS-GRE-IPsec-Example
	<chrismoos> tunnel tun0 {
	<chrismoos> address 172.23.248.10/31
	<chrismoos> description "CREST-DN42 AS64828"
	<chrismoos> encapsulation gre
	<chrismoos> local-ip 192.0.2.2
	<chrismoos> mtu 1400
	<chrismoos> multicast disable
	<chrismoos> remote-ip 192.0.2.243
	<chrismoos> ttl 255
	<chrismoos> }
	<chrismoos> can you just set local-ip to 172.20.186.183
	<chrismoos> and remote-ip to 172.20.186.12
	<chrismoos> err, .182
	<miguelr> ohhh
	<miguelr> Ok I see now
	<miguelr> Let's try this...
	<miguelr> Did you get an error on your side?
	<miguelr> Connections:
	<miguelr> peer-107.170.29.134-tunnel-0: 73.1.142.180...107.170.29.134 IKEv2
	<miguelr> peer-107.170.29.134-tunnel-0: local: [73.1.142.180] uses public key authentication
	<miguelr> peer-107.170.29.134-tunnel-0: cert: "73.1.142.180"
	<miguelr> peer-107.170.29.134-tunnel-0: remote: [107.170.29.134] uses public key authentication
	<miguelr> peer-107.170.29.134-tunnel-0: cert: "107.170.29.134"
	<miguelr> peer-107.170.29.134-tunnel-0: child: dynamic[gre] === dynamic[gre] TUNNEL
	<miguelr> oh it finally connected
	<chrismoos> yeah seems up
	<miguelr> Now from here...now what?
	<miguelr> I presume make a BGP using my AS?
	<chrismoos> still can't ping you
	<chrismoos> do you see the pings?
	<miguelr> Let me check the fw
	<miguelr> let me try pinging you. What should I ping?
	<chrismoos> 172.20.186.182
	<miguelr> Hmm
	<miguelr> Yeah I can't ping you. What the hell
	<miguelr> hmm
	<miguelr> I configured remote and local and strongswan still does this
	<miguelr> local '73.1.142.180' @ 73.1.142.180
	<miguelr> remote '107.170.29.134' @ 107.170.29.134
	<miguelr> AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
	<miguelr> established 675s ago, rekeying in 27336s
	<miguelr> peer-107.170.29.134-tunnel-0: #1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
	<miguelr> installed 675 ago, rekeying in 1892s, expires in 2925s
	<miguelr> in cf0d2001, 38124 bytes, 353 packets, 0s ago
	<miguelr> out cd409182, 0 bytes, 0 packets
	<miguelr> local 73.1.142.180/32[gre]
	<miguelr> remote 107.170.29.134/32[gre]
	<chrismoos> seems like you are receiving packets from me
	<miguelr> Yeah I saw
	<miguelr> but nothing out
	<miguelr> let me check rules one last time
	<miguelr> Hopefully this update should fix it.
	* Disconnected (Connection reset by peer)
	* Disconnected (Connection reset by peer)
	* Disconnected (Connection reset by peer)
	* Disconnected (Connection reset by peer)
	* Disconnected (Connection reset by peer)
	* Disconnected (Connection reset by peer)
	<miguelr> Hey you awake? I think I can make this easier now.
	<miguelr> https://gist.github.com/miguemely/eb0b8832cbe16c62ffa01a1f1ab88f1e is the new key. Hopefully, I can set this up correctly.
	<miguelr> Using Mikrotik now.
	<chrismoos> hey
	<chrismoos> so you want to try again?
	<chrismoos> let me add your key
	<chrismoos> same IP address?
	<miguelr> Yup
	<miguelr> I'm also trying with Elephant
	<chrismoos> hm, i get no response
	<chrismoos> make sure your firewall allows ipsec
	<miguelr> I turrned it off
	<miguelr> one sec
	<miguelr> actually
	<miguelr> it should be on
	<chrismoos> sending packet: from 107.170.29.134[500] to 73.1.142.180[500] (368 bytes)
	<chrismoos> no response
	<miguelr> [email protected]] > ip addr print
	<miguelr> Flags: X - disabled, I - invalid, D - dynamic
	<miguelr> # ADDRESS NETWORK INTERFACE
	<miguelr> 0 10.250.0.1/24 10.250.0.0 vlan5
	<miguelr> 1 192.168.1.1/24 192.168.1.0 ether3
	<miguelr> 2 10.254.1.1/24 10.254.1.0 vlan1
	<miguelr> 3 10.203.0.1/16 10.203.0.0 vlan2
	<miguelr> 4 D 73.1.142.180/22 73.1.140.0 ether1
	<miguelr> 5 44.98.17.33/8 44.0.0.0 ucsd
	<miguelr> 6 172.22.150.73/31 172.22.150.72 gre-tunnel1
	<miguelr> woops
	<miguelr> http://i.netrouter.us/winbox_2016-12-08_15-56-56.jpg
	<miguelr> I got that
	<miguelr> So I recieved it
	<miguelr> It looks like im sending responses.
	<miguelr> http://i.netrouter.us/Wireshark_2016-12-08_16-22-37.jpg
	<chrismoos> okay, made progress
	<chrismoos> you were using ikev1
	<chrismoos> i've switch mine to ikev1
	<chrismoos> what are your p2 settings?
	<chrismoos> algorithm
	<miguelr> should be the same set
	<miguelr> sorry not home atm
	<miguelr> on teamviewer
	<miguelr> You on?
	* [chrismoos] (~chrismoos@hackint/user/chrismoos): Chris Moos
	* [chrismoos] #tombii #dn42 #chaosvpn
	* [chrismoos] ing.hackint.org :irc.hamburg.ccc.de
	* [chrismoos] is using a secure connection
	* [chrismoos] is logged in as chrismoos
	* [chrismoos] End of WHOIS list.
	<miguelr> Test?