Untitled

prod [root@dcvpnl001prpitx ~]# cat /etc/strongswan/ipsec.conf

conn Tunnel1
 auto=start
 left=31.157.3.161
 leftid=31.157.3.161
 right=52.220.221.17
 rightid=52.220.221.17
 type=tunnel
 authby=psk
 ikelifetime=28800s
 lifetime=3600s
 ike=aes128-sha1-modp1024!
 esp=aes128-sha1-modp1024!
 keyexchange=ikev1
 dpddelay=10s
 dpdtimeout=30s
 dpdaction=restart
 rekey=yes
 reauth=no
 dpdaction=restart
 closeaction=restart
#NEW:
 compress=no
 mobike=no
 leftupdown=/tmp/vti.sh
 installpolicy=yes
 mark=100
 aggressive=no
 rightsubnet=0.0.0.0/0
 leftsubnet=0.0.0.0/0


vti.sh

IP=$(which ip)
IPTABLES=$(which iptables)

PLUTO_MARK_OUT_ARR=(${PLUTO_MARK_OUT//// })
PLUTO_MARK_IN_ARR=(${PLUTO_MARK_IN//// })
VTI_INTERFACE=vti1
VTI_LOCALADDR=169.254.13.210/30
VTI_REMOTEADDR=169.254.13.209/30

case "${PLUTO_VERB}" in
    up-client)
        echo "DOING" >> /tmp/shit2.txt
        #$IP tunnel add ${VTI_INTERFACE} mode vti local ${PLUTO_ME} remote ${PLUTO_PEER} okey ${PLUTO_MARK_OUT_ARR[0]} ikey ${PLUTO_MARK_IN_ARR[0]}
        $IP link add ${VTI_INTERFACE} type vti local ${PLUTO_ME} remote ${PLUTO_PEER} okey ${PLUTO_MARK_OUT_ARR[0]} ikey ${PLUTO_MARK_IN_ARR[0]}
        sysctl -w net.ipv4.conf.${VTI_INTERFACE}.disable_policy=1
        sysctl -w net.ipv4.conf.${VTI_INTERFACE}.rp_filter=2 || sysctl -w net.ipv4.conf.${VTI_INTERFACE}.rp_filter=0
        $IP addr add ${VTI_LOCALADDR} remote ${VTI_REMOTEADDR} dev ${VTI_INTERFACE}
        $IP link set ${VTI_INTERFACE} up mtu 1436
        $IPTABLES -t mangle -I FORWARD -o ${VTI_INTERFACE} -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
        $IPTABLES -t mangle -I INPUT -p esp -s ${PLUTO_PEER} -d ${PLUTO_ME} -j MARK --set-xmark ${PLUTO_MARK_IN}
        $IP route flush table 220
        #/etc/init.d/bgpd reload || /etc/init.d/quagga force-reload bgpd

        ;;
    down-client)
        #$IP tunnel del ${VTI_INTERFACE}
        $IP link del ${VTI_INTERFACE}
$IPTABLES -t mangle -D FORWARD -o ${VTI_INTERFACE} -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
        $IPTABLES -t mangle -D INPUT -p esp -s ${PLUTO_PEER} -d ${PLUTO_ME} -j MARK --set-xmark ${PLUTO_MARK_IN}
        ;;
esac

# Enable IPv4 forwarding
sysctl -w net.ipv4.ip_forward=1
#sysctl -w net.ipv4.conf.vti1.disable_xfrm=1
sysctl -w net.ipv4.conf.vti1.disable_policy=1

prod [root@dcvpnl001prpitx ~]# strongswan statusall
Status of IKE charon daemon (strongSwan 5.7.2, Linux 3.10.0-1062.12.1.el7.x86_64, x86_64):
  uptime: 5 hours, since Mar 06 12:51:40 2020
  malloc: sbrk 2813952, mmap 0, used 624432, free 2189520
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters
Listening IP addresses:
  10.254.1.179
  10.254.1.183
  31.157.3.165
  10.254.1.181
  31.157.3.163
  169.254.13.210
Connections:
     Tunnel1:  31.157.3.161...52.220.221.17  IKEv1, dpddelay=10s
     Tunnel1:   local:  [31.157.3.161] uses pre-shared key authentication
     Tunnel1:   remote: [52.220.221.17] uses pre-shared key authentication
     Tunnel1:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
     Tunnel1[1]: ESTABLISHED 5 hours ago, 31.157.3.161[31.157.3.161]...52.220.221.17[52.220.221.17]
     Tunnel1[1]: IKEv1 SPIs: 297aeb5c61efa080_i* 98c91cbea186f181_r, rekeying in 2 hours
     Tunnel1[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
     Tunnel1{8}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cd6e196f_i 856fcf92_o
     Tunnel1{8}:  AES_CBC_128/HMAC_SHA1_96/MODP_1024, 18581 bytes_i (300 pkts, 2s ago), 17712 bytes_o (288 pkts, 49s ago), rekeying in 23 minutes
     Tunnel1{8}:   0.0.0.0/0 === 0.0.0.0/0

prod [root@dcvpnl001prpitx ~]# ip xfrm state
src 31.157.3.161 dst 52.220.221.17
        proto esp spi 0x856fcf92 reqid 1 mode tunnel
        replay-window 0 flag af-unspec
        mark 0x64/0xffffffff
        auth-trunc hmac(sha1) 0x68e44fed96cb817a93110bef1ba0b2ae516d4d59 96
        enc cbc(aes) 0x133b02616f46c58d44d04a3a5c7efa52
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0x0, oseq 0x120, bitmap 0x00000000
src 52.220.221.17 dst 31.157.3.161
        proto esp spi 0xcd6e196f reqid 1 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha1) 0x343d76173b8f242a751a8299ce6aa4631bedf190 96
        enc cbc(aes) 0xdcf0b201a3ddddc54b1b44b13e977e25
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0x12f, oseq 0x0, bitmap 0xffffffff


ip -s tunnel show
vti1: ip/ip remote 52.220.221.17 local 31.157.3.161 ttl inherit nopmtudisc key 100
RX: Packets    Bytes        Errors CsumErrs OutOfSeq Mcasts
    2879       201012       0      0        0        0
TX: Packets    Bytes        Errors DeadLoop NoRoute  NoBufs
    7994       568738       294    0        294      0

ip route get 10.64.32.0
10.64.32.0 via 169.254.13.209 dev vti1 src 169.254.13.210
    cache