- EC2 instance - running CentOS7
- Public IP: A.B.C.D
- Private IP: E.F.G.H
- [toor@ip-E-F-G-H ~]# lsb_release -a
- LSB Version: :core-4.1-amd64:core-4.1-noarch
- Distributor ID: CentOS
- Description: CentOS Linux release 7.5.1804 (Core)
- Release: 7.5.1804
- Codename: Core
- [toor@ip-E-F-G-H ~]# ipsec version
- Linux Libreswan 3.23 (netkey) on 3.10.0-862.3.2.el7.x86_64
- [toor@ip-E-F-G-H ~]# ipsec verify
- Verifying installed system and configuration files
- Version check and ipsec on-path [OK]
- Libreswan 3.23 (netkey) on 3.10.0-862.3.2.el7.x86_64
- Checking for IPsec support in kernel [OK]
- NETKEY: Testing XFRM related proc values
- ICMP default/send_redirects [OK]
- ICMP default/accept_redirects [OK]
- XFRM larval drop [OK]
- Pluto ipsec.conf syntax [OK]
- Two or more interfaces found, checking IP forwarding [OK]
- Checking rp_filter [OK]
- Checking that pluto is running [OK]
- Pluto listening for IKE on udp 500 [OK]
- Pluto listening for IKE/NAT-T on udp 4500 [OK]
- Pluto ipsec.secret syntax [OK]
- Checking 'ip' command [OK]
- Checking 'iptables' command [OK]
- Checking 'prelink' command does not interfere with FIPS [OK]
- Checking for obsolete ipsec.conf options [OK]
- my ipsec.conf:
- config setup
-     logfile=/var/log/pluto.log
-     # virtual_private only lists ranges that road-warrior clients may claim as
-     # virtual IPs (rightsubnet=vhost:%priv); it has no effect on this site-to-site
-     # conn, whose peer networks come from rightsubnets= below
-     virtual_private=%v4:M.N.O.P/32,%v4:Q.R.S.T/32 # encryption domain of my peer
-     protostack=netkey
- 
- conn MyConnection
-     authby=secret
-     auto=start
-     type=tunnel
-     ## phase1 ##
-     # NOTE: `ipsec auto --status` below reports MODP1536 for this conn, both in the
-     # loaded "IKE algorithms" line and in the negotiated "newest" line, not the
-     # modp2048 written here, so the conn pluto is running was not loaded from this
-     # file as shown; reload after editing (ipsec auto --replace MyConnection, or
-     # ipsec restart) and re-check
-     ike=aes256-sha1;modp2048
-     keyexchange=ike        # status below shows STATE_MAIN_I4, i.e. IKEv1 main mode
-     ## phase2 ##
-     phase2=esp
-     phase2alg=aes256-sha1;modp2048
-     compress=no
-     pfs=yes
-     left=%defaultroute
-     leftid=A.B.C.D         # my public IP on AWS EC2; the instance itself only holds E.F.G.H,
-                            # the public address is a 1:1 NAT at the IGW, hence NAT-T on udp 4500
-     leftsourceip=E.F.G.H   # private IP of my EC2 CentOS 7 instance
-     leftsubnet=E.F.G.H/32  # the ASA's crypto ACL must mirror this /32 (E.F.G.H, not A.B.C.D)
-     leftnexthop=%defaultroute
-     ## MyPeer ##
-     right=I.J.K.L          # public IP of the peer, a Cisco ASA
-     rightsubnets={M.N.O.P/32,Q.R.S.T/32}  # instantiates two conns, /0x1 and /0x2 ("loaded 2" below)
-     ikelifetime=28800s
-     salifetime=3600s
-     aggrmode=no            # keep: IKEv1 aggressive mode exposes the PSK hash to offline cracking
- 
- my ipsec.secrets:
- # indexed by the IDs both sides present; a PSK that has been in a public paste must be rotated
- A.B.C.D I.J.K.L: PSK "*&^%$3434"
- [toor@ip-E-F-G-H ~]# ipsec auto --status
- 000 "MyConnection/0x2": IKE algorithms: AES_CBC_256-HMAC_SHA1-MODP1536
- 000 "MyConnection/0x2": IKE algorithm newest: AES_CBC_256-HMAC_SHA1-MODP1536
- 000 "MyConnection/0x2": ESP algorithms: AES_CBC_256-HMAC_SHA1_96-MODP1536
- 000 "MyConnection/0x2": ESP algorithm newest: AES_CBC_256-HMAC_SHA1_96; pfsgroup=MODP1536
- 000
- 000 Total IPsec connections: loaded 2, active 2
- 000
- 000 State Information: DDoS cookies not required, Accepting new IKE connections
- 000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
- 000 IPsec SAs: total(2), authenticated(2), anonymous(0)
- 000
- 000 #2: "MyConnection/0x1":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 734s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
- 000 #2: "MyConnection/0x1" esp.bd6f5d5@I.J.K.L esp.e6e75a6@A.B.C.D tun.0@I.J.K.L tun.0@A.B.C.D ref=0 refhim=0 Traffic: ESPin=0B ESPout=4KB! ESPmax=4194303B
- 000 #1: "MyConnection/0x2":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 25692s; newest ISAKMP; lastdpd=0s(seq in:0 out:0); idle; import:admin initiate
- 000 #3: "MyConnection/0x2":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 524s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
- 000 #3: "MyConnection/0x2" esp.be78561f@I.J.K.L esp.21e1d536@A.B.C.D tun.0@I.J.K.L tun.0@A.B.C.D ref=0 refhim=0 Traffic: ESPin=0B ESPout=1KB! ESPmax=4194303B
- 000
- 000 Bare Shunt list:
- 000
- [toor@ip-E-F-G-H ~]# route -n
- Kernel IP routing table
- Destination   Gateway   Genmask           Flags   Metric   Ref   Use   Iface
- 0.0.0.0       E.F.0.1   0.0.0.0           UG      0        0     0     eth0
- M.N.O.P       E.F.0.1   255.255.255.255   UGH     0        0     0     eth0
- Q.R.S.T       E.F.0.1   255.255.255.255   UGH     0        0     0     eth0
- E.F.0.0       0.0.0.0   255.255.240.0     U       0        0     0     eth0
- [root@ip-E-F-G-H ~]#ping M.N.O.P
- no reply
- [root@ip-E-F-G-H ~]#ping Q.R.S.T
- no reply
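Added example, not part of the original paste and not Libreswan's own tooling: a small bash script that reads a saved copy of `ipsec auto --status` and of ipsec.conf and checks mechanically for the two things visible above: IPsec SAs whose ESPout counter grows while ESPin stays at 0B (packets leave encrypted, nothing comes back, so the fault is on the return path rather than in IKE), and an ike= DH group in the file that differs from the group the running daemon reports (modp2048 in the file, MODP1536 live). The sample texts inside it are copied from the output above as constructed test input; the function names are my own.

```shell
#!/usr/bin/env bash
# Added example (not from the original paste): offline checks over pasted
# `ipsec auto --status` and ipsec.conf text. Function names are my own.

# Constructed sample: lines copied from the status output above.
SAMPLE_STATUS='000 "MyConnection/0x2": IKE algorithms: AES_CBC_256-HMAC_SHA1-MODP1536
000 "MyConnection/0x2": IKE algorithm newest: AES_CBC_256-HMAC_SHA1-MODP1536
000 #2: "MyConnection/0x1":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); newest IPSEC; eroute owner
000 #2: "MyConnection/0x1" esp.bd6f5d5@I.J.K.L esp.e6e75a6@A.B.C.D tun.0@I.J.K.L tun.0@A.B.C.D ref=0 refhim=0 Traffic: ESPin=0B ESPout=4KB! ESPmax=4194303B
000 #3: "MyConnection/0x2" esp.be78561f@I.J.K.L esp.21e1d536@A.B.C.D tun.0@I.J.K.L tun.0@A.B.C.D ref=0 refhim=0 Traffic: ESPin=0B ESPout=1KB! ESPmax=4194303B'

# Constructed sample: the ike= line as written in the ipsec.conf above.
SAMPLE_CONF='conn MyConnection
    authby=secret
    ike=aes256-sha1;modp2048
    phase2alg=aes256-sha1;modp2048'

# Convert a pluto traffic counter (0B, 4KB, 12MB, 1GB) to a byte count.
to_bytes() {
    local v=$1 n u
    n=${v%%[KMGB]*}
    u=${v#"$n"}
    case $u in
        B)  echo "$n" ;;
        KB) echo $((n * 1024)) ;;
        MB) echo $((n * 1024 * 1024)) ;;
        GB) echo $((n * 1024 * 1024 * 1024)) ;;
        *)  echo 0 ;;
    esac
}

# One line per IPsec SA: "<state#> <conn> <in_bytes> <out_bytes>".
# Only the "Traffic:" lines carry counters; the STATE_ lines are skipped.
esp_counters() {   # $1 = status text
    printf '%s\n' "$1" |
    sed -n 's/^000 \(#[0-9]*\): "\([^"]*\)".*ESPin=\([0-9]*[KMG]*B\).*ESPout=\([0-9]*[KMG]*B\).*/\1 \2 \3 \4/p' |
    while read -r sa conn in out; do
        echo "$sa $conn $(to_bytes "$in") $(to_bytes "$out")"
    done
}

# Return 1 and list every SA that has sent traffic but received none: the
# tunnel negotiated fine, the return path (peer crypto ACL / encryption
# domain, peer routing, a filter in front of this host) is where to look.
esp_one_way() {    # $1 = status text
    local hits
    hits=$(esp_counters "$1" |
           awk '$4 > 0 && $3 == 0 { printf "one-way: %s %s sent %dB, received 0B\n", $1, $2, $4 }')
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# DH group pluto reports for the loaded conn (the "IKE algorithms:" line).
negotiated_ike_group() {   # $1 = status text
    printf '%s\n' "$1" | sed -n 's/.*IKE algorithms: .*-\(MODP[0-9]*\).*/\1/p' | head -n 1
}

# DH group requested by the ike= line of the conf text.
configured_ike_group() {   # $1 = ipsec.conf text
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*ike=.*;\(modp[0-9]*\).*/\1/p' | head -n 1 | tr 'a-z' 'A-Z'
}

# Return 1 when the running conn does not use the group the file asks for.
# On the paste above this fires (MODP2048 in the file, MODP1536 live): the
# conn pluto has loaded was not built from the file as shown, so reload it
# (ipsec auto --replace MyConnection, or ipsec restart) before testing further.
ike_group_matches() {      # $1 = status text, $2 = ipsec.conf text
    [ "$(configured_ike_group "$2")" = "$(negotiated_ike_group "$1")" ]
}

# Stand-alone demo against the samples. Real use:
#   esp_one_way "$(ipsec auto --status)"; ike_group_matches "$(ipsec auto --status)" "$(cat /etc/ipsec.conf)"
if [ "${1:-}" = "--demo" ]; then
    esp_one_way "$SAMPLE_STATUS" || true
    ike_group_matches "$SAMPLE_STATUS" "$SAMPLE_CONF" ||
        echo "ike= group mismatch: file=$(configured_ike_group "$SAMPLE_CONF") live=$(negotiated_ike_group "$SAMPLE_STATUS")"
fi
```

Run it as `bash check-tunnel.sh --demo` to see both findings against the pasted samples; feed it live text as shown in the trailing comment. The byte conversion uses pluto's K/M/G suffixes, so the one-way test still works once ESPout has rolled past 1KB.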
- [root@ip-E-F-G-H ~]#iptables -L
- Chain INPUT (policy ACCEPT)
- target prot opt source destination
- ACCEPT udp -- anywhere anywhere udp dpt:isakmp
- ACCEPT tcp -- anywhere anywhere tcp dpt:ipsec-nat-t
- ACCEPT udp -- anywhere anywhere udp dpt:ipsec-nat-t
- ACCEPT esp -- anywhere anywhere
- ACCEPT ah -- anywhere anywhere
- Chain FORWARD (policy ACCEPT)
- target prot opt source destination
- ACCEPT all -- anywhere anywhere
- ACCEPT all -- anywhere anywhere
- Chain OUTPUT (policy ACCEPT)
- target prot opt source destination
- [root@ip-E-F-G-H ~]#iptables -t nat -L -v -n
- Chain PREROUTING (policy ACCEPT 19 packets, 1024 bytes)
- pkts bytes target prot opt in out source destination
- Chain INPUT (policy ACCEPT 19 packets, 1024 bytes)
- pkts bytes target prot opt in out source destination
- Chain OUTPUT (policy ACCEPT 305 packets, 127K bytes)
- pkts bytes target prot opt in out source destination
- Chain POSTROUTING (policy ACCEPT 305 packets, 127K bytes)
- pkts bytes target prot opt in out source destination
- AWS security group, inbound rules (IKE udp 500/4500, ESP and AH are open to 0.0.0.0/0; they could be restricted to the peer I.J.K.L/32):
- Type              Protocol   Port Range   Source       Description
- All traffic       All        All          M.N.O.P/32
- All traffic       All        All          Q.R.S.T/32
- SSH               TCP        22           0.0.0.0/0
- Custom Protocol   AH (51)    All          0.0.0.0/0
- Custom Protocol   ESP (50)   All          0.0.0.0/0
- Custom UDP Rule   UDP        4500         0.0.0.0/0
- Custom UDP Rule   UDP        500          0.0.0.0/0
- All ICMP - IPv4   All        N/A          0.0.0.0/0
- 
- AWS security group, outbound rules (pasted with the same column headings):
- Type              Protocol   Port Range   Source       Description
- All traffic       All        All          0.0.0.0/0
- All traffic       All        All          M.N.O.P/32
- All traffic       All        All          Q.R.S.T/32
- 
- VPC route table (the two /32 routes to the instance's ENI only matter for other VPC hosts routing through it, and then need source/destination check disabled on the instance; the instance's own pings do not use them):
- Destination   Target                Status   Propagated
- E.F.0.0/16    local                 Active   No
- 0.0.0.0/0     igw-747d3673hsd       Active   No
- M.N.O.P/32    eni-0fec2be5-on-ec2   Active   No
- Q.R.S.T/32    eni-0fec2be5-on-ec2   Active   No
- 
- Network ACL, inbound rules (rule 100 already allows everything, so 200 and 300 never match):
- Rule #   Type          Protocol   Port Range   Source       Allow / Deny
- 100      ALL Traffic   ALL        ALL          0.0.0.0/0    ALLOW
- 200      ALL Traffic   ALL        ALL          M.N.O.P/32   ALLOW
- 300      ALL Traffic   ALL        ALL          Q.R.S.T/32   ALLOW
- *        ALL Traffic   ALL        ALL          0.0.0.0/0    DENY
- 
- Network ACL, outbound rules (identical to inbound):
- Rule #   Type          Protocol   Port Range   Source       Allow / Deny
- 100      ALL Traffic   ALL        ALL          0.0.0.0/0    ALLOW
- 200      ALL Traffic   ALL        ALL          M.N.O.P/32   ALLOW
- 300      ALL Traffic   ALL        ALL          Q.R.S.T/32   ALLOW
- *        ALL Traffic   ALL        ALL          0.0.0.0/0    DENY