# ---------------------
# tunnel establishment
# ---------------------
localhost:~# swanctl --initiate --child flex
[IKE] initiating IKE_SA flex[4] to 172.16.63.63
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from 172.16.63.65[500] to 172.16.63.63[500] (464 bytes)
[NET] received packet: from 172.16.63.63[500] to 172.16.63.65[500] (551 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No V V V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HTTP_CERT_LOOK) ]
[IKE] received Cisco Delete Reason vendor ID
[ENC] received unknown vendor ID: 43:49:53:43:4f:56:50:4e:2d:52:45:56:2d:30:32
[ENC] received unknown vendor ID: 43:49:53:43:4f:2d:44:59:4e:41:4d:49:43:2d:52:4f:55:54:45
[IKE] received Cisco FlexVPN Supported vendor ID
[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
[IKE] cert payload ANY not supported - ignored
[IKE] authentication of 'alpine65@sclab.space' (myself) with pre-shared key
[IKE] establishing CHILD_SA flex{11}
[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from 172.16.63.65[4500] to 172.16.63.63[4500] (368 bytes)
[NET] received packet: from 172.16.63.63[4500] to 172.16.63.65[4500] (352 bytes)
[ENC] parsed IKE_AUTH response 1 [ V IDr AUTH CPRP(ADDR MASK) SA TSi TSr N(SET_WINSIZE) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
[IKE] authentication of 'hub.sclab.space' with pre-shared key successful
[IKE] IKE_SA flex[4] established between 172.16.63.65[alpine65@sclab.space]...172.16.63.63[hub.sclab.space]
[IKE] scheduling rekeying in 14215s
[IKE] maximum IKE_SA lifetime 15655s
[CFG] handling INTERNAL_IP4_NETMASK attribute failed
[IKE] installing new virtual IP 172.30.0.16
[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
[IKE] CHILD_SA flex{11} established with SPIs cc66d523_i 2c4a5c03_o and TS 172.30.0.16/32 === 0.0.0.0/0
initiate completed successfully
# ---------------------
# state after tunnel establishment
# ---------------------
localhost:~# swanctl -l
flex: #4, ESTABLISHED, IKEv2, fd3e7133513eb4b3_i* 43431cc271adf05b_r
  local  'alpine65@sclab.space' @ 172.16.63.65[4500] [172.30.0.16]
  remote 'hub.sclab.space' @ 172.16.63.63[4500]
  AES_CBC-256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
  established 15s ago, rekeying in 14200s
  flex: #11, reqid 6, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96
    installed 15s ago, rekeying in 3409s, expires in 3945s
    in  cc66d523 (0x00000064), 0 bytes, 0 packets
    out 2c4a5c03 (0x00000064), 0 bytes, 0 packets
    local  172.30.0.16/32
    remote 0.0.0.0/0
localhost:~#
localhost:~# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:16:63:41 brd ff:ff:ff:ff:ff:ff
    inet 172.16.63.65/24 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fe16:6341/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:a9:93:bd brd ff:ff:ff:ff:ff:ff
    inet 10.216.1.2/30 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fea9:93bd/64 scope link
       valid_lft forever preferred_lft forever
4: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0
37: ipsec0@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ipip 172.16.63.65 peer 172.16.63.63
    inet 172.30.0.16/32 scope global ipsec0
       valid_lft forever preferred_lft forever
    inet6 fe80::5efe:ac10:3f41/64 scope link
       valid_lft forever preferred_lft forever
localhost:~# ip route
default via 172.16.63.217 dev eth0 metric 202
10.216.1.0/30 dev eth1 proto kernel scope link src 10.216.1.2
172.16.59.0/24 via 10.216.1.1 dev eth1 proto bgp metric 20
172.16.63.0/24 dev eth0 proto kernel scope link src 172.16.63.65
172.30.0.254 dev ipsec0 scope link
172.31.0.255 via 172.16.63.63 dev eth0
192.168.0.0/16 via 172.30.0.254 dev ipsec0 proto bgp metric 20 onlink
192.168.77.0/24 dev ipsec0 scope link
localhost:~# ip xfrm pol
src 172.30.0.16/32 dst 0.0.0.0/0
        dir out priority 383615 ptype main
        mark 0x64/0xffffffff
        tmpl src 172.16.63.65 dst 172.16.63.63
                proto esp spi 0x2c4a5c03 reqid 6 mode tunnel
src 0.0.0.0/0 dst 172.30.0.16/32
        dir fwd priority 383615 ptype main
        mark 0x64/0xffffffff
        tmpl src 172.16.63.63 dst 172.16.63.65
                proto esp reqid 6 mode tunnel
src 0.0.0.0/0 dst 172.30.0.16/32
        dir in priority 383615 ptype main
        mark 0x64/0xffffffff
        tmpl src 172.16.63.63 dst 172.16.63.65
                proto esp reqid 6 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0 ptype main
src ::/0 dst ::/0
        socket in priority 0 ptype main
src ::/0 dst ::/0
        socket out priority 0 ptype main
src ::/0 dst ::/0
        socket in priority 0 ptype main
src ::/0 dst ::/0
        socket out priority 0 ptype main
localhost:~#
localhost:~# ip -s tunnel
ip_vti0: ip/ip remote any local any ttl inherit nopmtudisc key 0
RX: Packets    Bytes    Errors CsumErrs OutOfSeq Mcasts
    0          0        0      0        0        0
TX: Packets    Bytes    Errors DeadLoop NoRoute  NoBufs
    0          0        0      0        0        0
ipsec0: ip/ip remote 172.16.63.63 local 172.16.63.65 ttl inherit key 100
RX: Packets    Bytes    Errors CsumErrs OutOfSeq Mcasts
    31         1658     0      0        0        0
TX: Packets    Bytes    Errors DeadLoop NoRoute  NoBufs
    33         1773     16     0        16       0
localhost:~#
localhost:~# iptables-save
# Generated by iptables-save v1.8.3 on Fri Feb 14 14:26:05 2020
*filter
:INPUT ACCEPT [10383:863050]
:FORWARD ACCEPT [27:2736]
:OUTPUT ACCEPT [10859:2414723]
COMMIT
# Completed on Fri Feb 14 14:26:05 2020
# Generated by iptables-save v1.8.3 on Fri Feb 14 14:26:05 2020
*mangle
:PREROUTING ACCEPT [10739:891924]
:INPUT ACCEPT [10692:887468]
:FORWARD ACCEPT [32:3236]
:OUTPUT ACCEPT [11139:2455448]
:POSTROUTING ACCEPT [12919:2547674]
COMMIT
# Completed on Fri Feb 14 14:26:05 2020
# Generated by iptables-save v1.8.3 on Fri Feb 14 14:26:05 2020
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Fri Feb 14 14:26:05 2020
# ---------------------
# tests : ping tunnel end point OK, remote site OK, tunnel end point from another interface (eth1) KO
# ---------------------
localhost:~# ping 172.30.0.254 -Ac 10
PING 172.30.0.254 (172.30.0.254): 56 data bytes
64 bytes from 172.30.0.254: seq=0 ttl=255 time=1.108 ms
...
64 bytes from 172.30.0.254: seq=9 ttl=255 time=0.568 ms
--- 172.30.0.254 ping statistics ---
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max = 0.493/0.637/1.108 ms
localhost:~# ping 192.168.77.1 -Ac 10
PING 192.168.77.1 (192.168.77.1): 56 data bytes
64 bytes from 192.168.77.1: seq=0 ttl=255 time=1.033 ms
...
64 bytes from 192.168.77.1: seq=9 ttl=255 time=0.527 ms
--- 192.168.77.1 ping statistics ---
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max = 0.506/0.665/1.033 ms
localhost:~# ping -I 10.216.1.2 172.30.0.254 -Ac 10 -W 1
PING 172.30.0.254 (172.30.0.254) from 10.216.1.2: 56 data bytes
--- 172.30.0.254 ping statistics ---
10 packets transmitted, 0 packets received, 100% packet loss
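The third test fails because a packet sourced from the eth1 address 10.216.1.2 lies outside the selector of the only outbound policy (src 172.30.0.16/32, mark 0x64), so the VTI has no SA to encapsulate it with. The following Python is an added example, not part of the paste: it parses the `ip xfrm pol` output from this session and replays the three pings against the selectors; the `parse_policies` and `lookup` helpers are mine and model only selector and mark matching, not the full kernel lookup.

```python
import ipaddress
import re

# The three marked policies copied from the `ip xfrm pol` output above
# (socket policies are left out; they only apply to the socket they belong to).
XFRM_POL = """\
src 172.30.0.16/32 dst 0.0.0.0/0
        dir out priority 383615 ptype main
        mark 0x64/0xffffffff
        tmpl src 172.16.63.65 dst 172.16.63.63
                proto esp spi 0x2c4a5c03 reqid 6 mode tunnel
src 0.0.0.0/0 dst 172.30.0.16/32
        dir fwd priority 383615 ptype main
        mark 0x64/0xffffffff
        tmpl src 172.16.63.63 dst 172.16.63.65
                proto esp reqid 6 mode tunnel
src 0.0.0.0/0 dst 172.30.0.16/32
        dir in priority 383615 ptype main
        mark 0x64/0xffffffff
        tmpl src 172.16.63.63 dst 172.16.63.65
                proto esp reqid 6 mode tunnel
"""

def parse_policies(text):
    """Turn `ip xfrm pol` output into dicts: selector networks, direction, mark, priority."""
    policies, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"src (\S+) dst (\S+)$", line)
        if m:  # a new policy starts with its selector
            cur = {"src": ipaddress.ip_network(m[1]), "dst": ipaddress.ip_network(m[2]),
                   "dir": None, "mark": None, "priority": None}
            policies.append(cur)
            continue
        m = re.match(r"dir (\w+) priority (\d+)", line)  # socket policies keep dir=None
        if m and cur:
            cur["dir"], cur["priority"] = m[1], int(m[2])
            continue
        m = re.match(r"mark (0x[0-9a-f]+)/(0x[0-9a-f]+)", line)
        if m and cur:
            cur["mark"] = (int(m[1], 16), int(m[2], 16))  # (value, mask)
    return policies

def lookup(policies, src, dst, direction, mark=0):
    """Return the best-priority policy whose selector and mark match the packet, else None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [p for p in policies
            if p["dir"] == direction and src in p["src"] and dst in p["dst"]
            and (p["mark"] is None or (mark & p["mark"][1]) == p["mark"][0])]
    return min(hits, key=lambda p: p["priority"]) if hits else None

if __name__ == "__main__":
    pols = parse_policies(XFRM_POL)
    # ping from the virtual IP on ipsec0 (mark 0x64 set by the VTI): matches the out policy
    print(lookup(pols, "172.30.0.16", "172.30.0.254", "out", mark=0x64))
    # ping -I 10.216.1.2: source outside the selector, no policy, the VTI cannot encapsulate
    print(lookup(pols, "10.216.1.2", "172.30.0.254", "out", mark=0x64))
```

The same lookup without the 0x64 mark also returns nothing, which is why a route that bypasses ipsec0 would not pick up the SA either; the 16 TX Errors and NoRoute counted on ipsec0 by `ip -s tunnel` are consistent with these failed lookups.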