Untitled

a guest Jul 23rd, 2019
Our private IP address:
10.1.1.2
Our S-NAT IP address:
172.16.0.1
Our Public/EIP address:
1.1.1.1
CheckPoint GW:
2.2.2.2
Instance behind CheckPoint:
192.168.1.1

config setup
    # strictcrlpolicy=yes
    # uniqueids = no
    charondebug="ike 2, knl 2, cfg 2"

conn %default
    keyexchange=ikev2
    ike=aes256-sha256-modp2048
    ikelifetime=86400s
    esp=aes256-sha256-modp2048
    lifetime=10800s
    keyingtries=%forever
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=restart

conn Tunnel1
    auto=start
    left=10.1.1.2 # Our private IP address
    leftsubnet=172.16.0.1/32 # Our S-NAT IP address
    leftauth=psk
    leftid=1.1.1.1 # Our Public/EIP address
    right=2.2.2.2 # CheckPoint GW
    rightsubnet=192.168.1.1/32 # Instance behind CheckPoint
    rightauth=psk
    rightid=2.2.2.2 # CheckPoint GW
    type=tunnel
    compress=no
    mark=42

1.1.1.1 2.2.2.2 : PSK "OURSECRET"

install_routes = no
install_virtual_ip = no

Loaded: loaded (/lib/systemd/system/strongswan.service; disabled; vendor preset: enabled)
   Active: active (running) since Tue 2019-07-23 10:20:22 EEST; 12s ago
  Process: 2163 ExecStart=/usr/sbin/ipsec start (code=exited, status=0/SUCCESS)
  Process: 2160 ExecStartPre=/bin/mkdir -p /var/lock/subsys (code=exited, status=0/SUCCESS)
 Main PID: 2190 (starter)
    Tasks: 18
   Memory: 12.2M
      CPU: 54ms
   CGroup: /system.slice/strongswan.service
           ├─2190 /usr/lib/ipsec/starter --daemon charon
           └─2191 /usr/lib/ipsec/charon --use-syslog --debug-ike 2 --debug-knl 2 --debug-cfg 2

Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-1087-aws, x86_64):
  uptime: 79 seconds, since Jul 23 10:20:22 2019
  malloc: sbrk 1646592, mmap 0, used 568016, free 1078576
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
  loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity
Listening IP addresses:
  10.1.1.2
Connections:
     Tunnel1:  10.1.1.2...2.2.2.2  IKEv2, dpddelay=30s
     Tunnel1:   local:  [1.1.1.1] uses pre-shared key authentication
     Tunnel1:   remote: [2.2.2.2] uses pre-shared key authentication
     Tunnel1:   child:  172.16.0.1/32 === 192.168.1.1/32 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
     Tunnel1[1]: ESTABLISHED 79 seconds ago, 10.1.1.2[1.1.1.1]...2.2.2.2[2.2.2.2]
     Tunnel1[1]: IKEv2 SPIs: ##**REMOVED**##* ##**REMOVED**##, pre-shared key reauthentication in 23 hours
     Tunnel1[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
     Tunnel1{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c05ce72f_i 35f8fdaa_o
     Tunnel1{1}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 2 hours
     Tunnel1{1}:   172.16.0.1/32 === 192.168.1.1/32

src 192.168.1.1/32 dst 172.16.0.1/32 uid 0
    dir fwd action allow index 82 priority 2819 share any flag  (0x00000000)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2019-07-23 10:20:22 use -
    mark 0x2a/0xffffffff
    tmpl src 2.2.2.2 dst 10.1.1.2
        proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
        level required share any
        enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 192.168.1.1/32 dst 172.16.0.1/32 uid 0
    dir in action allow index 72 priority 2819 share any flag  (0x00000000)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2019-07-23 10:20:22 use -
    mark 0x2a/0xffffffff
    tmpl src 2.2.2.2 dst 10.1.1.2
        proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
        level required share any
        enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 172.16.0.1/32 dst 192.168.1.1/32 uid 0
    dir out action allow index 65 priority 2819 share any flag  (0x00000000)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2019-07-23 10:20:22 use -
    mark 0x2a/0xffffffff
    tmpl src 10.1.1.2 dst 2.2.2.2
        proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
        level required share any
        enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff

src 10.1.1.2 dst 2.2.2.2
    proto esp spi ##**REMOVED**##(##**REMOVED**##) reqid 1(0x00000001) mode tunnel
    replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
    mark 0x2a/0xffffffff
    auth-trunc hmac(sha256) ##**REMOVED**## (256 bits) 128
    enc cbc(aes) ##**REMOVED**## (256 bits)
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
    anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 9745(sec), hard 10800(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2019-07-23 10:20:22 use -
    stats:
      replay-window 0 replay 0 failed 0
src 2.2.2.2 dst 10.1.1.2
    proto esp spi ##**REMOVED**##(##**REMOVED**##) reqid 1(0x00000001) mode tunnel
    replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
    mark 0x2a/0xffffffff
    auth-trunc hmac(sha256) ##**REMOVED**## (256 bits) 128
    enc cbc(aes) ##**REMOVED**## (256 bits)
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
    anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 10057(sec), hard 10800(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2019-07-23 10:20:22 use -
    stats:
      replay-window 0 replay 0 failed 0

ping -c 3 -I 172.16.0.1 192.168.1.1
PING 192.168.1.1 (192.168.1.1) from 172.16.0.1 Tunnel1: 56(84) bytes of data.
From 172.16.0.1 icmp_seq=1 Destination Host Unreachable
From 172.16.0.1 icmp_seq=2 Destination Host Unreachable
From 172.16.0.1 icmp_seq=3 Destination Host Unreachable

--- 192.168.1.1 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 1998ms

3: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1
    link/ipip 0.0.0.0 brd 0.0.0.0
4: Tunnel1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1419 qdisc noqueue state UNKNOWN group default qlen 1
    link/ipip 10.1.1.2 peer 2.2.2.2
    inet 172.16.0.1 peer 192.168.1.1/32 scope global Tunnel1
       valid_lft forever preferred_lft forever

3: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN mode DEFAULT group default qlen 1
    link/ipip 0.0.0.0 brd 0.0.0.0
    RX: bytes  packets  errors  dropped overrun mcast
    0          0        0       0       0       0
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    0          0        0       0       0       0
    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       0
4: Tunnel1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1419 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
    link/ipip 10.1.1.2 peer 2.2.2.2
    RX: bytes  packets  errors  dropped overrun mcast
    0          0        0       0       0       0
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    0          0        14      0       14      0
    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       0

Tunnel1: ip/ip  remote 2.2.2.2  local 10.1.1.2  ttl inherit  key 42
RX: Packets    Bytes        Errors CsumErrs OutOfSeq Mcasts
    0          0            0      0        0        0
TX: Packets    Bytes        Errors DeadLoop NoRoute  NoBufs
    0          0            14     0        14       0

Tunnel1   Link encap:IPIP Tunnel  HWaddr
          inet addr:172.16.0.1  P-t-P:192.168.1.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP  MTU:1419  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:14 dropped:0 overruns:0 carrier:14
          collisions:0 txqueuelen:1
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
ip_vti0   Link encap:IPIP Tunnel  HWaddr
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

10:32:02.983136 IP 10.1.1.2.500 > 2.2.2.2.500: UDP, length 1084
10:32:03.035572 IP 2.2.2.2.500 > 10.1.1.2.500: UDP, length 708
10:32:03.044827 IP 10.1.1.2.4500 > 2.2.2.2.4500: UDP, length 372
10:32:03.108335 IP 2.2.2.2.4500 > 10.1.1.2.4500: UDP, length 276
10:32:27.042735 IP 10.1.1.2.4500 > 2.2.2.2.4500: UDP, length 1
10:32:33.110661 IP 10.1.1.2.4500 > 2.2.2.2.4500: UDP, length 84
10:32:33.159623 IP 2.2.2.2.4500 > 10.1.1.2.4500: UDP, length 84
10:32:57.043342 IP 10.1.1.2.4500 > 2.2.2.2.4500: UDP, length 1
10:33:03.110977 IP 10.1.1.2.4500 > 2.2.2.2.4500: UDP, length 84

Linux strongSwan U5.3.5/K4.4.0-1087-aws

Distributor ID: Ubuntu
Description:    Ubuntu 16.04.6 LTS
Release:    16.04
Codename:   xenial

ii  libcharon-extra-plugins          5.3.5-1ubuntu3.8                           amd64        strongSwan charon library (extra plugins)
ii  libstrongswan                    5.3.5-1ubuntu3.8                           amd64        strongSwan utility and crypto library
ii  libstrongswan-standard-plugins   5.3.5-1ubuntu3.8                           amd64        strongSwan utility and crypto library (standard plugins)
ii  strongswan                       5.3.5-1ubuntu3.8                           all          IPsec VPN solution metapackage
ii  strongswan-charon                5.3.5-1ubuntu3.8                           amd64        strongSwan Internet Key Exchange daemon
ii  strongswan-libcharon             5.3.5-1ubuntu3.8                           amd64        strongSwan charon library
ii  strongswan-starter               5.3.5-1ubuntu3.8                           amd64        strongSwan daemon starter and configuration file parser
ii  strongswan-tnc-base              5.3.5-1ubuntu3.8                           amd64        strongSwan Trusted Network Connect's (TNC) - base files