  1. prod [root@dcvpnl001prpitx ~]# cat /etc/strongswan/ipsec.conf
  2.  
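  # strongSwan ipsec.conf — route-based (VTI) IKEv1/PSK tunnel to 52.220.221.17.
  # Both traffic selectors are 0.0.0.0/0, so routing into the tunnel is decided
  # by the vti interface that leftupdown creates, not by the IPsec policies.
  # Proposal and lifetime settings must be changed together with the peer.
  conn Tunnel1
      auto=start
      left=31.157.3.161
      leftid=31.157.3.161
      right=52.220.221.17
      rightid=52.220.221.17
      type=tunnel
      authby=psk
      # IKE SA lifetime 8h (rekeyed in place, see reauth=no); CHILD SA rekeyed hourly.
      ikelifetime=28800s
      lifetime=3600s
      # NOTE(review): SHA-1 and MODP-1024 (DH group 2) are below current guidance,
      # and the trailing "!" makes this the only proposal offered. Move to a
      # sha256/modp2048-or-stronger proposal once the peer accepts it — both
      # ends have to change at the same time.
      ike=aes128-sha1-modp1024!
      esp=aes128-sha1-modp1024!
      keyexchange=ikev1
      # Dead peer detection: probe every 10s, give up after 30s, then restart
      # the tunnel (which runs leftupdown down-client followed by up-client).
      # dpdaction was listed twice in the original file; kept once.
      dpddelay=10s
      dpdtimeout=30s
      dpdaction=restart
      rekey=yes
      reauth=no
      closeaction=restart
      #NEW:
      compress=no
      # IKEv2-only option; no effect with keyexchange=ikev1.
      mobike=no
      # NOTE(review): charon executes this hook as root on every up/down event.
      # /tmp is world-writable, so the script belongs in a root-owned,
      # non-writable directory (e.g. under /etc/strongswan/) with mode 0750.
      leftupdown=/tmp/vti.sh
      installpolicy=yes
      # Packet mark the SAs are installed with; the updown script derives the
      # vti ikey/okey and its ESP MARK rule from PLUTO_MARK_IN/PLUTO_MARK_OUT.
      mark=100
      # IKEv1 aggressive mode weakens PSK authentication; keep main mode.
      aggressive=no
      rightsubnet=0.0.0.0/0
      leftsubnet=0.0.0.0/0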
  32.  
  33.  
  34. vti.sh
  35.  
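  # vti.sh — strongSwan leftupdown hook for conn Tunnel1.
  # charon runs this as root with the PLUTO_* environment set. On up-client it
  # creates the vti interface bound to the connection's mark plus the mangle
  # rules the tunnel needs; on down-client it removes them again.
  # Globals read: PLUTO_VERB, PLUTO_ME, PLUTO_PEER, PLUTO_MARK_IN, PLUTO_MARK_OUT
  # Returns: 0, or the status of the first failing ip/iptables command in the up path.

  IP=$(command -v ip)
  IPTABLES=$(command -v iptables)

  readonly VTI_INTERFACE=vti1
  readonly VTI_LOCALADDR=169.254.13.210/30
  readonly VTI_REMOTEADDR=169.254.13.209/30
  # Tunnel MTU — keep in step with what the remote side expects.
  readonly VTI_MTU=1436

  #######################################
  # Strip the mask from a "<mark>/<mask>" value as passed in PLUTO_MARK_IN/OUT.
  # Arguments: $1 - mark, with or without "/mask"
  # Outputs:   the mark alone on stdout
  #######################################
  mark_value() {
    printf '%s\n' "${1%%/*}"
  }

  # ip's ikey/okey take the bare mark; the MARK rule below keeps the full value/mask.
  MARK_IN=$(mark_value "$PLUTO_MARK_IN")
  MARK_OUT=$(mark_value "$PLUTO_MARK_OUT")

  #######################################
  # Log to syslog (falls back to stderr). Replaces the previous debug append to
  # a file under /tmp, which this root-run hook should not write to.
  #######################################
  log() {
    if command -v logger >/dev/null 2>&1; then
      logger -t vti.sh -- "$*"
    else
      printf 'vti.sh: %s\n' "$*" >&2
    fi
  }

  #######################################
  # Insert or delete the mangle rules shared by up and down.
  # Arguments: $1 - iptables action, -I or -D
  #######################################
  mangle_rules() {
    local action=$1
    # Clamp TCP MSS on traffic leaving through the vti so segments fit the
    # tunnel MTU without depending on PMTU discovery across the tunnel.
    "$IPTABLES" -t mangle "$action" FORWARD -o "$VTI_INTERFACE" -p tcp -m tcp \
      --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    # Mark inbound ESP from the peer so it matches the marked SA / vti ikey.
    # NOTE(review): `ip xfrm state` shows the SAs running ESP-in-UDP (port 4500);
    # `-p esp` does not match UDP-encapsulated packets — confirm this rule is
    # still doing what is intended on this host.
    "$IPTABLES" -t mangle "$action" INPUT -p esp -s "$PLUTO_PEER" -d "$PLUTO_ME" \
      -j MARK --set-xmark "$PLUTO_MARK_IN"
  }

  #######################################
  # up-client: create the vti, address it, add rules, clear charon's own routes.
  #######################################
  vti_up() {
    # Idempotent: dpdaction=restart can run up-client while the link still exists.
    if ! "$IP" link show "$VTI_INTERFACE" >/dev/null 2>&1; then
      "$IP" link add "$VTI_INTERFACE" type vti local "$PLUTO_ME" remote "$PLUTO_PEER" \
        okey "$MARK_OUT" ikey "$MARK_IN" || return
    fi
    # Let the vti carry packets without a matching IPsec policy, and relax
    # rp_filter (loose mode, falling back to off where mode 2 is unsupported).
    sysctl -w "net.ipv4.conf.${VTI_INTERFACE}.disable_policy=1"
    sysctl -w "net.ipv4.conf.${VTI_INTERFACE}.rp_filter=2" \
      || sysctl -w "net.ipv4.conf.${VTI_INTERFACE}.rp_filter=0"
    "$IP" addr replace "$VTI_LOCALADDR" remote "$VTI_REMOTEADDR" dev "$VTI_INTERFACE"
    "$IP" link set "$VTI_INTERFACE" up mtu "$VTI_MTU"
    mangle_rules -I
    # Table 220 is charon's routing table; with rightsubnet=0.0.0.0/0 the route
    # it installs there would catch all traffic, so it is flushed and routing
    # into the tunnel is left to routes over the vti (e.g. from BGP).
    "$IP" route flush table 220
    # Forwarding only matters while the link exists, so enable it here rather
    # than on every verb (the old unconditional sysctl also ran after down).
    sysctl -w net.ipv4.ip_forward=1
    #/etc/init.d/bgpd reload || /etc/init.d/quagga force-reload bgpd
  }

  #######################################
  # down-client: remove the vti and the rules added by vti_up.
  #######################################
  vti_down() {
    "$IP" link del "$VTI_INTERFACE"
    mangle_rules -D
  }

  case "${PLUTO_VERB}" in
    up-client)
      log "up-client: bringing up ${VTI_INTERFACE} for ${PLUTO_ME} <-> ${PLUTO_PEER}"
      vti_up
      ;;
    down-client)
      log "down-client: removing ${VTI_INTERFACE}"
      vti_down
      ;;
    *)
      # charon also invokes the hook for other verbs (up-host, down-host, ...);
      # nothing to do for them.
      ;;
  esac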
  72.  
  73. prod [root@dcvpnl001prpitx ~]# strongswan statusall
  74. Status of IKE charon daemon (strongSwan 5.7.2, Linux 3.10.0-1062.12.1.el7.x86_64, x86_64):
  75. uptime: 5 hours, since Mar 06 12:51:40 2020
  76. malloc: sbrk 2813952, mmap 0, used 624432, free 2189520
  77. worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  78. loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters
  79. Listening IP addresses:
  80. 10.254.1.179
  81. 10.254.1.183
  82. 31.157.3.165
  83. 10.254.1.181
  84. 31.157.3.163
  85. 169.254.13.210
  86. Connections:
  87. Tunnel1: 31.157.3.161...52.220.221.17 IKEv1, dpddelay=10s
  88. Tunnel1: local: [31.157.3.161] uses pre-shared key authentication
  89. Tunnel1: remote: [52.220.221.17] uses pre-shared key authentication
  90. Tunnel1: child: 0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=restart
  91. Security Associations (1 up, 0 connecting):
  92. Tunnel1[1]: ESTABLISHED 5 hours ago, 31.157.3.161[31.157.3.161]...52.220.221.17[52.220.221.17]
  93. Tunnel1[1]: IKEv1 SPIs: 297aeb5c61efa080_i* 98c91cbea186f181_r, rekeying in 2 hours
  94. Tunnel1[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  95. Tunnel1{8}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cd6e196f_i 856fcf92_o
  96. Tunnel1{8}: AES_CBC_128/HMAC_SHA1_96/MODP_1024, 18581 bytes_i (300 pkts, 2s ago), 17712 bytes_o (288 pkts, 49s ago), rekeying in 23 minutes
  97. Tunnel1{8}: 0.0.0.0/0 === 0.0.0.0/0
  98.  
  99. prod [root@dcvpnl001prpitx ~]# ip xfrm state
  100. src 31.157.3.161 dst 52.220.221.17
  101. proto esp spi 0x856fcf92 reqid 1 mode tunnel
  102. replay-window 0 flag af-unspec
  103. mark 0x64/0xffffffff
  104. auth-trunc hmac(sha1) 0x68e44fed96cb817a93110bef1ba0b2ae516d4d59 96
  105. enc cbc(aes) 0x133b02616f46c58d44d04a3a5c7efa52
  106. encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
  107. anti-replay context: seq 0x0, oseq 0x120, bitmap 0x00000000
  108. src 52.220.221.17 dst 31.157.3.161
  109. proto esp spi 0xcd6e196f reqid 1 mode tunnel
  110. replay-window 32 flag af-unspec
  111. auth-trunc hmac(sha1) 0x343d76173b8f242a751a8299ce6aa4631bedf190 96
  112. enc cbc(aes) 0xdcf0b201a3ddddc54b1b44b13e977e25
  113. encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
  114. anti-replay context: seq 0x12f, oseq 0x0, bitmap 0xffffffff
  115.  
  116.  
  117. ip -s tunnel show
  118. vti1: ip/ip remote 52.220.221.17 local 31.157.3.161 ttl inherit nopmtudisc key 100
  119. RX: Packets Bytes Errors CsumErrs OutOfSeq Mcasts
  120. 2879 201012 0 0 0 0
  121. TX: Packets Bytes Errors DeadLoop NoRoute NoBufs
  122. 7994 568738 294 0 294 0
  123.  
  124. ip route get 10.64.32.0
  125. 10.64.32.0 via 169.254.13.209 dev vti1 src 169.254.13.210
  126. cache