Both:
conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        authby=secret
        keyexchange=ikev2
        mobike=no


--------------------------------------------------------

Node v5141:
conn quicknet-availo
        left=1.2.3.4
        leftsubnet=172.16.0.0/16
        leftid=@v5141
        leftfirewall=yes
        right=4.3.2.1
        rightsubnet=10.0.0.0/8
        rightid=@v6116
        forceencaps=yes
        auto=add

--------------------------------------------------------

Node v6116:
conn quicknet-availo
        left=4.3.2.1
        leftsubnet=10.0.0.0/8
        leftid=@v6116
        leftfirewall=yes
        right=1.2.3.4
        rightsubnet=172.16.0.0/16
        rightid=@v5141
        forceencaps=yes
        auto=add

--------------------------------------------------------

root@v5141: ~ #> ipsec statusall
Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-61-generic, x86_64):
  uptime: 79 minutes, since Jul 30 14:33:22 2015
  malloc: sbrk 2433024, mmap 0, used 346928, free 2086096
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity addrblock
Listening IP addresses:
  1.2.3.4
Connections:
quicknet-availo:  1.2.3.4...4.3.2.1  IKEv2
quicknet-availo:   local:  [v5141] uses pre-shared key authentication
quicknet-availo:   remote: [v6116] uses pre-shared key authentication
quicknet-availo:   child:  172.16.0.0/16 === 10.0.0.0/8 TUNNEL
Security Associations (1 up, 0 connecting):
quicknet-availo[4]: ESTABLISHED 21 minutes ago, 1.2.3.4[v5141]...4.3.2.1[v6116]
quicknet-availo[4]: IKEv2 SPIs: fdd39a4062ab8d16_i 9db30a609e063eb7_r*, pre-shared key reauthentication in 33 minutes
quicknet-availo[4]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
quicknet-availo{4}:  INSTALLED, TUNNEL, ESP in UDP SPIs: ca25ba32_i c9265656_o
quicknet-availo{4}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 468 bytes_o (6 pkts, 279s ago), rekeying in 7 minutes
quicknet-availo{4}:   172.16.0.0/16 === 10.0.0.0/8

root@v5141: ~ #> ip route list table 220
root@v5141: ~ #>
root@v5141: ~ #> ip xfrm policy
src 10.0.0.0/8 dst 172.16.0.0/16
        dir fwd priority 1923
        tmpl src 4.3.2.1 dst 1.2.3.4
                proto esp reqid 4 mode tunnel
src 10.0.0.0/8 dst 172.16.0.0/16
        dir in priority 1923
        tmpl src 4.3.2.1 dst 1.2.3.4
                proto esp reqid 4 mode tunnel
src 172.16.0.0/16 dst 10.0.0.0/8
        dir out priority 1923
        tmpl src 1.2.3.4 dst 4.3.2.1
                proto esp reqid 4 mode tunnel

root@v6116: ~ #> ipsec up quicknet-availo
initiating IKE_SA quicknet-availo[3] to 1.2.3.4
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 4.3.2.1[500] to 1.2.3.4[500] (1212 bytes)
received packet: from 1.2.3.4[500] to 4.3.2.1[500] (440 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
remote host is behind NAT
authentication of 'v6116' (myself) with pre-shared key
establishing CHILD_SA quicknet-availo
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 4.3.2.1[4500] to 1.2.3.4[4500] (380 bytes)
received packet: from 1.2.3.4[4500] to 4.3.2.1[4500] (220 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
authentication of 'v5141' with pre-shared key successful
IKE_SA quicknet-availo[3] established between 4.3.2.1[v6116]...1.2.3.4[v5141]
scheduling reauthentication in 3325s
maximum IKE_SA lifetime 3505s
CHILD_SA quicknet-availo{3} established with SPIs c98d9ef0_i c7e79260_o and TS 10.0.0.0/8 === 172.16.0.0/16
connection 'quicknet-availo' established successfully