
debug infos

PJO2 Feb 14th, 2020 104 Never
# ---------------------
# tunnel establishment
# ---------------------
localhost:~#  swanctl --initiate --child flex
[IKE] initiating IKE_SA flex[4] to 172.16.63.63
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from 172.16.63.65[500] to 172.16.63.63[500] (464 bytes)
[NET] received packet: from 172.16.63.63[500] to 172.16.63.65[500] (551 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No V V V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HTTP_CERT_LOOK) ]
[IKE] received Cisco Delete Reason vendor ID
[ENC] received unknown vendor ID: 43:49:53:43:4f:56:50:4e:2d:52:45:56:2d:30:32
[ENC] received unknown vendor ID: 43:49:53:43:4f:2d:44:59:4e:41:4d:49:43:2d:52:4f:55:54:45
[IKE] received Cisco FlexVPN Supported vendor ID
[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
[IKE] cert payload ANY not supported - ignored
[IKE] authentication of 'alpine65@sclab.space' (myself) with pre-shared key
[IKE] establishing CHILD_SA flex{11}
[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from 172.16.63.65[4500] to 172.16.63.63[4500] (368 bytes)
[NET] received packet: from 172.16.63.63[4500] to 172.16.63.65[4500] (352 bytes)
[ENC] parsed IKE_AUTH response 1 [ V IDr AUTH CPRP(ADDR MASK) SA TSi TSr N(SET_WINSIZE) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
[IKE] authentication of 'hub.sclab.space' with pre-shared key successful
[IKE] IKE_SA flex[4] established between 172.16.63.65[alpine65@sclab.space]...172.16.63.63[hub.sclab.space]
[IKE] scheduling rekeying in 14215s
[IKE] maximum IKE_SA lifetime 15655s
[CFG] handling INTERNAL_IP4_NETMASK attribute failed
[IKE] installing new virtual IP 172.30.0.16
[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
[IKE] CHILD_SA flex{11} established with SPIs cc66d523_i 2c4a5c03_o and TS 172.30.0.16/32 === 0.0.0.0/0
initiate completed successfully


# ---------------------
# state after tunnel establishment
# ---------------------
localhost:~# swanctl -l
flex: #4, ESTABLISHED, IKEv2, fd3e7133513eb4b3_i* 43431cc271adf05b_r
  local  'alpine65@sclab.space' @ 172.16.63.65[4500] [172.30.0.16]
  remote 'hub.sclab.space' @ 172.16.63.63[4500]
  AES_CBC-256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
  established 15s ago, rekeying in 14200s
  flex: #11, reqid 6, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96
    installed 15s ago, rekeying in 3409s, expires in 3945s
    in  cc66d523 (0x00000064),      0 bytes,     0 packets
    out 2c4a5c03 (0x00000064),      0 bytes,     0 packets
    local  172.30.0.16/32
    remote 0.0.0.0/0
localhost:~#

localhost:~# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:16:63:41 brd ff:ff:ff:ff:ff:ff
    inet 172.16.63.65/24 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fe16:6341/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:a9:93:bd brd ff:ff:ff:ff:ff:ff
    inet 10.216.1.2/30 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fea9:93bd/64 scope link
       valid_lft forever preferred_lft forever
4: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0
37: ipsec0@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ipip 172.16.63.65 peer 172.16.63.63
    inet 172.30.0.16/32 scope global ipsec0
       valid_lft forever preferred_lft forever
    inet6 fe80::5efe:ac10:3f41/64 scope link
       valid_lft forever preferred_lft forever

localhost:~# ip route
default via 172.16.63.217 dev eth0 metric 202
10.216.1.0/30 dev eth1 proto kernel scope link src 10.216.1.2
172.16.59.0/24 via 10.216.1.1 dev eth1 proto bgp metric 20
172.16.63.0/24 dev eth0 proto kernel scope link src 172.16.63.65
172.30.0.254 dev ipsec0 scope link
172.31.0.255 via 172.16.63.63 dev eth0
192.168.0.0/16 via 172.30.0.254 dev ipsec0 proto bgp metric 20 onlink
192.168.77.0/24 dev ipsec0 scope link


localhost:~# ip xfrm pol
src 172.30.0.16/32 dst 0.0.0.0/0
        dir out priority 383615 ptype main
        mark 0x64/0xffffffff
        tmpl src 172.16.63.65 dst 172.16.63.63
                proto esp spi 0x2c4a5c03 reqid 6 mode tunnel
src 0.0.0.0/0 dst 172.30.0.16/32
        dir fwd priority 383615 ptype main
        mark 0x64/0xffffffff
        tmpl src 172.16.63.63 dst 172.16.63.65
                proto esp reqid 6 mode tunnel
src 0.0.0.0/0 dst 172.30.0.16/32
        dir in priority 383615 ptype main
        mark 0x64/0xffffffff
        tmpl src 172.16.63.63 dst 172.16.63.65
                proto esp reqid 6 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0 ptype main
src ::/0 dst ::/0
        socket in priority 0 ptype main
src ::/0 dst ::/0
        socket out priority 0 ptype main
src ::/0 dst ::/0
        socket in priority 0 ptype main
src ::/0 dst ::/0
        socket out priority 0 ptype main
localhost:~#


localhost:~# ip -s tunnel
ip_vti0: ip/ip remote any local any ttl inherit nopmtudisc key 0
RX: Packets    Bytes        Errors CsumErrs OutOfSeq Mcasts
    0          0            0      0        0        0
TX: Packets    Bytes        Errors DeadLoop NoRoute  NoBufs
    0          0            0      0        0        0
ipsec0: ip/ip remote 172.16.63.63 local 172.16.63.65 ttl inherit key 100
RX: Packets    Bytes        Errors CsumErrs OutOfSeq Mcasts
    31         1658         0      0        0        0
TX: Packets    Bytes        Errors DeadLoop NoRoute  NoBufs
    33         1773         16     0        16       0
localhost:~#


localhost:~# iptables-save
# Generated by iptables-save v1.8.3 on Fri Feb 14 14:26:05 2020
*filter
:INPUT ACCEPT [10383:863050]
:FORWARD ACCEPT [27:2736]
:OUTPUT ACCEPT [10859:2414723]
COMMIT
# Completed on Fri Feb 14 14:26:05 2020
# Generated by iptables-save v1.8.3 on Fri Feb 14 14:26:05 2020
*mangle
:PREROUTING ACCEPT [10739:891924]
:INPUT ACCEPT [10692:887468]
:FORWARD ACCEPT [32:3236]
:OUTPUT ACCEPT [11139:2455448]
:POSTROUTING ACCEPT [12919:2547674]
COMMIT
# Completed on Fri Feb 14 14:26:05 2020
# Generated by iptables-save v1.8.3 on Fri Feb 14 14:26:05 2020
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Fri Feb 14 14:26:05 2020


# ---------------------
# tests : ping tunnel end point OK, remote site OK, tunnel end point from another interface (eth1) KO
# ---------------------
localhost:~# ping 172.30.0.254 -Ac 10
PING 172.30.0.254 (172.30.0.254): 56 data bytes
64 bytes from 172.30.0.254: seq=0 ttl=255 time=1.108 ms
...
64 bytes from 172.30.0.254: seq=9 ttl=255 time=0.568 ms

--- 172.30.0.254 ping statistics ---
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max = 0.493/0.637/1.108 ms

localhost:~# ping 192.168.77.1 -Ac 10
PING 192.168.77.1 (192.168.77.1): 56 data bytes
64 bytes from 192.168.77.1: seq=0 ttl=255 time=1.033 ms
...
64 bytes from 192.168.77.1: seq=9 ttl=255 time=0.527 ms

--- 192.168.77.1 ping statistics ---
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max = 0.506/0.665/1.033 ms

localhost:~# ping -I 10.216.1.2 172.30.0.254 -Ac 10 -W 1
PING 172.30.0.254 (172.30.0.254) from 10.216.1.2: 56 data bytes
--- 172.30.0.254 ping statistics ---
10 packets transmitted, 0 packets received, 100% packet loss