**********************************************
*   ipsec status
**********************************************

000 "conn1": 192.168.202.0/24===192.168.202.102[192.168.255.129]...50.0.0.1[50.0.0.1]===40.0.0.0/24; erouted; eroute owner: #11
000 "conn1":   newest ISAKMP SA: #1; newest IPsec SA: #11;
000 "conn2": 192.168.202.0/24===192.168.202.102[192.168.255.129]...50.0.0.1[50.0.0.1]===40.0.1.0/24; erouted; eroute owner: #10
000 "conn2":   newest ISAKMP SA: #0; newest IPsec SA: #10;
000
000 #11: "conn1" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 81s; newest IPSEC; eroute owner
000 #11: "conn1" esp.dc003fe0@50.0.0.1 (0 bytes) esp.cb4c096a@192.168.202.102 (0 bytes); tunnel
000 #1: "conn1" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 82201s; newest ISAKMP
000 #10: "conn2" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 53s; newest IPSEC; eroute owner
000 #10: "conn2" esp.471b6c97@50.0.0.1 (0 bytes) esp.cc87e23e@192.168.202.102 (0 bytes); tunnel
000
Security Associations (3 up, 0 connecting):
       conn3[1]: ESTABLISHED 20 minutes ago, 192.168.202.102[192.168.255.129]...50.0.1.1[C=DE, O=NokiaSiemensNetworks, CN=FlexiTRSIntegration_IPSecGW]
       conn3{1}:  INSTALLED, TUNNEL, ESP SPIs: c415166a_i cc0bd209_o
       conn3{1}:   192.168.202.0/24 === 40.0.2.0/24
      conn12{9}:  INSTALLED, TUNNEL, ESP SPIs: cdd1e3dd_i ca9f9b68_o
      conn12{9}:   172.1.17.131/32 === 172.1.17.171/32
       conn4{2}:  INSTALLED, TUNNEL, ESP SPIs: cdaaea7d_i c0c4c3d9_o
       conn4{2}:   192.168.202.0/24 === 40.0.3.0/24
       conn5[2]: ESTABLISHED 19 minutes ago, 50.0.11.2[192.168.255.129]...50.0.11.1[C=DE, O=NokiaSiemensNetworks, CN=FlexiTRSIntegration_IPSecGW]
       conn5{3}:  INSTALLED, TUNNEL, ESP SPIs: cad16a5b_i cce7f200_o
       conn5{3}:   192.168.202.0/24 === 40.0.4.0/24
       conn7{6}:  INSTALLED, TUNNEL, ESP SPIs: cf1507bd_i caabf605_o
       conn7{6}:   192.168.202.0/24 === 40.0.6.0/24
       conn6{5}:  INSTALLED, TUNNEL, ESP SPIs: c3430e59_i cee3c29a_o
       conn6{5}:   192.168.202.0/24 === 40.0.5.0/24
       conn8[3]: ESTABLISHED 19 minutes ago, 50.0.13.2[192.168.255.129]...50.0.13.1[C=DE, O=NokiaSiemensNetworks, CN=FlexiTRSIntegration_IPSecGW]
      conn11{9}:  INSTALLED, TUNNEL, ESP SPIs: cedee951_i c2612a16_o
      conn11{9}:   14.1.2.0/24 === 40.0.10.0/24
      conn10{8}:  INSTALLED, TUNNEL, ESP SPIs: c10d51cb_i cb1340e7_o
      conn10{8}:   192.168.202.0/24 === 40.0.9.0/24
       conn8{4}:  INSTALLED, TUNNEL, ESP SPIs: cb170eab_i cfa973c2_o
       conn8{4}:   192.168.202.0/24 === 40.0.7.0/24
       conn9{7}:  INSTALLED, TUNNEL, ESP SPIs: c335054c_i c5fb953a_o
       conn9{7}:   192.168.202.0/24 === 40.0.8.0/24

**********************************************
*   ipsec statusall
**********************************************

000 Status of IKEv1 pluto daemon (strongSwan 4.5.3):
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface lo:1/lo:1 172.1.17.131:4500
000 interface lo:1/lo:1 172.1.17.131:500
000 interface eth1/eth1 10.29.8.40:4500
000 interface eth1/eth1 10.29.8.40:500
000 interface eth1:1/eth1:1 192.168.255.129:4500
000 interface eth1:1/eth1:1 192.168.255.129:500
000 interface rio0/rio0 192.168.253.16:4500
000 interface rio0/rio0 192.168.253.16:500
000 interface eth3/eth3 192.168.202.102:4500
000 interface eth3/eth3 192.168.202.102:500
000 interface eth5.48/eth5.48 192.168.255.54:4500
000 interface eth5.48/eth5.48 192.168.255.54:500
000 interface eth3.2007/eth3.2007 50.0.13.2:4500
000 interface eth3.2007/eth3.2007 50.0.13.2:500
000 interface eth3.2006/eth3.2006 50.0.11.2:4500
000 interface eth3.2006/eth3.2006 50.0.11.2:500
000 interface eth5.32:5/eth5.32:5 14.1.2.1:4500
000 interface eth5.32:5/eth5.32:5 14.1.2.1:500
000 %myid = '%any'
000 loaded plugins: curl aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac cra xauth attr kernel-netlink resolve
000 debug options: none
000
000 "conn1": 192.168.202.0/24===192.168.202.102[192.168.255.129]...50.0.0.1[50.0.0.1]===40.0.0.0/24; erouted; eroute owner: #11
000 "conn1":   CAs: "C=DE, O=NokiaSiemensNetworks, CN=FlexiTRSIntegrationCA"...%any
000 "conn1":   ike_life: 83668s; ipsec_life: 450s; rekey_margin: 180s; rekey_fuzz: 50%; keyingtries: 0
000 "conn1":   dpd_action: restart; dpd_delay: 10s; dpd_timeout: 120s;
000 "conn1":   policy: PUBKEY+ENCRYPT+TUNNEL+UP; prio: 24,24; interface: eth3;
000 "conn1":   newest ISAKMP SA: #1; newest IPsec SA: #11;
000 "conn1":   IKE proposal: AES_CBC_128/HMAC_SHA1/MODP_1024
000 "conn1":   ESP proposal: AES_CBC_128/HMAC_SHA1/
000 "conn2": 192.168.202.0/24===192.168.202.102[192.168.255.129]...50.0.0.1[50.0.0.1]===40.0.1.0/24; erouted; eroute owner: #10
000 "conn2":   CAs: "C=DE, O=NokiaSiemensNetworks, CN=FlexiTRSIntegrationCA"...%any
000 "conn2":   ike_life: 83668s; ipsec_life: 450s; rekey_margin: 180s; rekey_fuzz: 50%; keyingtries: 0
000 "conn2":   dpd_action: restart; dpd_delay: 10s; dpd_timeout: 120s;
000 "conn2":   policy: PUBKEY+ENCRYPT+TUNNEL+UP; prio: 24,24; interface: eth3;
000 "conn2":   newest ISAKMP SA: #0; newest IPsec SA: #10;
000 "conn2":   ESP proposal: AES_CBC_128/HMAC_SHA1/
000
000 #11: "conn1" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 76s; newest IPSEC; eroute owner
000 #11: "conn1" esp.dc003fe0@50.0.0.1 (0 bytes) esp.cb4c096a@192.168.202.102 (0 bytes); tunnel
000 #1: "conn1" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 82196s; newest ISAKMP; DPD active
000 #10: "conn2" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 48s; newest IPSEC; eroute owner
000 #10: "conn2" esp.471b6c97@50.0.0.1 (0 bytes) esp.cc87e23e@192.168.202.102 (0 bytes); tunnel
000
Status of IKEv2 charon daemon (strongSwan 4.5.3):
  uptime: 20 minutes, since Apr 23 07:30:04 2013
  malloc: sbrk 405504, mmap 0, used 311616, free 93888
  worker threads: 9 of 16 idle, 6/1/0/0 working, job queue: 0/0/0/0, scheduled: 13
  loaded plugins: curl aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp xcbc hmac cra attr kernel-netlink resolve socket-raw stroke updown
Listening IP addresses:
  10.29.8.40
  192.168.255.129
  192.168.253.16
  192.168.202.102
  192.168.255.54
  50.0.13.2
  50.0.11.2
  14.1.2.1
  192.168.255.129
Connections:
       conn3:  192.168.202.102...50.0.1.1, dpddelay=10s
       conn3:   local:  [192.168.255.129] uses public key authentication
       conn3:    cert:  "C=DE, O=NokiaSiemensNetworks, CN=FlexiTRSIntegration_FTM"
       conn3:   remote: [%any] uses any authentication
       conn3:   child:  192.168.202.0/24 === 40.0.2.0/24 TUNNEL, dpdaction=restart
       conn4:   child:  192.168.202.0/24 === 40.0.3.0/24 TUNNEL, dpdaction=restart
      conn12:   child:  172.1.17.0/24 === 172.1.17.0/24 TUNNEL, dpdaction=restart
       conn5:  50.0.11.2...50.0.11.1, dpddelay=10s
       conn5:   local:  [192.168.255.129] uses public key authentication
       conn5:    cert:  "C=DE, O=NokiaSiemensNetworks, CN=FlexiTRSIntegration_FTM"
       conn5:   remote: [%any] uses any authentication
       conn5:   child:  192.168.202.0/24 === 40.0.4.0/24 TUNNEL, dpdaction=restart
       conn6:   child:  192.168.202.0/24 === 40.0.5.0/24 TUNNEL, dpdaction=restart
       conn7:   child:  192.168.202.0/24 === 40.0.6.0/24 TUNNEL, dpdaction=restart
       conn8:  50.0.13.2...50.0.13.1, dpddelay=10s
       conn8:   local:  [192.168.255.129] uses public key authentication
       conn8:    cert:  "C=DE, O=NokiaSiemensNetworks, CN=FlexiTRSIntegration_FTM"
       conn8:   remote: [%any] uses any authentication
       conn8:   child:  192.168.202.0/24 === 40.0.7.0/24 TUNNEL, dpdaction=restart
       conn9:   child:  192.168.202.0/24 === 40.0.8.0/24 TUNNEL, dpdaction=restart
      conn10:   child:  192.168.202.0/24 === 40.0.9.0/24 TUNNEL, dpdaction=restart
      conn11:   child:  14.1.2.0/24 === 40.0.10.0/24 TUNNEL, dpdaction=restart
Security Associations (3 up, 0 connecting):
       conn3[1]: ESTABLISHED 20 minutes ago, 192.168.202.102[192.168.255.129]...50.0.1.1[C=DE, O=NokiaSiemensNetworks, CN=FlexiTRSIntegration_IPSecGW]
       conn3[1]: IKE SPIs: c68e8b6167f5688b_i* 687442e2087018d5_r, rekeying in 22 hours, public key reauthentication in 23 hours
       conn3[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
       conn3{1}:  INSTALLED, TUNNEL, ESP SPIs: c415166a_i cc0bd209_o
       conn3{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 74 seconds
       conn3{1}:   192.168.202.0/24 === 40.0.2.0/24
      conn12{9}:  INSTALLED, TUNNEL, ESP SPIs: cdd1e3dd_i ca9f9b68_o
      conn12{9}:  AES_CBC_128/HMAC_SHA1_96, 152 bytes_i (42s ago), 152 bytes_o (42s ago), rekeying in 118 seconds
      conn12{9}:   172.1.17.131/32 === 172.1.17.171/32
       conn4{2}:  INSTALLED, TUNNEL, ESP SPIs: cdaaea7d_i c0c4c3d9_o
       conn4{2}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 3 minutes
       conn4{2}:   192.168.202.0/24 === 40.0.3.0/24
       conn5[2]: ESTABLISHED 19 minutes ago, 50.0.11.2[192.168.255.129]...50.0.11.1[C=DE, O=NokiaSiemensNetworks, CN=FlexiTRSIntegration_IPSecGW]
       conn5[2]: IKE SPIs: ab3ac182998ff94c_i* 7b4406f0cd14eb95_r, rekeying in 22 hours, public key reauthentication in 23 hours
       conn5[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
       conn5{3}:  INSTALLED, TUNNEL, ESP SPIs: cad16a5b_i cce7f200_o
       conn5{3}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 31 seconds
       conn5{3}:   192.168.202.0/24 === 40.0.4.0/24
       conn7{6}:  INSTALLED, TUNNEL, ESP SPIs: cf1507bd_i caabf605_o
       conn7{6}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 8 seconds
       conn7{6}:   192.168.202.0/24 === 40.0.6.0/24
       conn6{5}:  INSTALLED, TUNNEL, ESP SPIs: c3430e59_i cee3c29a_o
       conn6{5}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 55 seconds
       conn6{5}:   192.168.202.0/24 === 40.0.5.0/24
       conn8[3]: ESTABLISHED 19 minutes ago, 50.0.13.2[192.168.255.129]...50.0.13.1[C=DE, O=NokiaSiemensNetworks, CN=FlexiTRSIntegration_IPSecGW]
       conn8[3]: IKE SPIs: aac3b1fe38dcc0d6_i* e7e35f11f5f4d08d_r, rekeying in 22 hours, public key reauthentication in 23 hours
       conn8[3]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      conn11{9}:  INSTALLED, TUNNEL, ESP SPIs: cedee951_i c2612a16_o
      conn11{9}:  AES_CBC_128/HMAC_SHA1_96, 10795592 bytes_i (757s ago), 0 bytes_o, rekeying active
      conn11{9}:   14.1.2.0/24 === 40.0.10.0/24
      conn10{8}:  INSTALLED, TUNNEL, ESP SPIs: c10d51cb_i cb1340e7_o
      conn10{8}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 54 seconds
      conn10{8}:   192.168.202.0/24 === 40.0.9.0/24
       conn8{4}:  INSTALLED, TUNNEL, ESP SPIs: cb170eab_i cfa973c2_o
       conn8{4}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 76 seconds
       conn8{4}:   192.168.202.0/24 === 40.0.7.0/24
       conn9{7}:  INSTALLED, TUNNEL, ESP SPIs: c335054c_i c5fb953a_o
       conn9{7}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 32 seconds
       conn9{7}:   192.168.202.0/24 === 40.0.8.0/24

**********************************************
*   ip xfrm state
**********************************************

src 192.168.202.102 dst 50.0.1.1
	proto esp spi 0xc0c4c3d9 reqid 2 mode tunnel
	replay-window 0 flag 20
	auth hmac(sha1) 0xf05ef6c71582f6e892299c935ac70892e9acfd8d
	enc cbc(aes) 0x4455cdf197ab7ef5868702a5e0591dc8
src 50.0.1.1 dst 192.168.202.102
	proto esp spi 0xcdaaea7d reqid 2 mode tunnel
	replay-window 0 flag 20
	auth hmac(sha1) 0xbdc6e936dc39e57e97553991577bfb9526401564
	enc cbc(aes) 0xd5af43fceea9926c19444fed256f6206
	sel src 40.0.3.0/24 dst 192.168.202.0/24
src 192.168.202.102 dst 50.0.0.1
	proto esp spi 0xdc003fe0 reqid 16384 mode tunnel
	replay-window 0 flag 20
	auth hmac(sha1) 0x6b6725ec96c5d323658f0f792e3ec391d1d008ff
	enc cbc(aes) 0x5b83a6473668e960b7309f41073e7640
src 50.0.0.1 dst 192.168.202.102
	proto esp spi 0xcb4c096a reqid 16384 mode tunnel
	replay-window 0 flag 20
	auth hmac(sha1) 0xeaefc49f9125a211d58f2b1a90b1704fbd4bf6f0
	enc cbc(aes) 0x1e84776857bc14be743cdc4b8164a954
src 192.168.202.102 dst 50.0.0.1
	proto esp spi 0x471b6c97 reqid 16388 mode tunnel
	replay-window 0 flag 20
	auth hmac(sha1) 0xa2cda682379ca01d76f26a10c418f179fd6b39d3
	enc cbc(aes) 0x0de11fca62cf7fc5ac5566420c1d282d
src 50.0.0.1 dst 192.168.202.102
	proto esp spi 0xcc87e23e reqid 16388 mode tunnel
	replay-window 0 flag 20
	auth hmac(sha1) 0xd5df6945a9027b08273048a4b5dde3c1fa140418
	enc cbc(aes) 0x5cddf584704dd1b740c6be35fd86d5a4
src 50.0.11.2 dst 50.0.11.1
	proto esp spi 0xcee3c29a reqid 5 mode tunnel
	replay-window 0 flag 20
	auth hmac(sha1) 0x8a755dad147b0cb16ae249a14b9fd2408a8e9add
	enc cbc(aes) 0x9c362d02fb3d947ad7a62c95bde5a6f8
src 50.0.11.1 dst 50.0.11.2
	proto esp spi 0xc3430e59 reqid 5 mode tunnel
	replay-window 0 flag 20
	auth hmac(sha1) 0x6a4597acabb27e13fa7cde112443fe785f343f12
	enc cbc(aes) 0xcce500ce2b6563587aadaed2ead084b0
	sel src 40.0.5.0/24 dst 192.168.202.0/24
src 192.168.202.102 dst 50.0.1.1
	proto esp spi 0xca9f9b68 reqid 9 mode tunnel
	replay-window 0 flag 20
	auth hmac(sha1) 0x3039e224c02a2310c1584f5bc671bd9a5272b5d9
	enc cbc(aes) 0x48661907c31b78390e05f6934449cbb5
src 50.0.1.1 dst 192.168.202.102
	proto esp spi 0xcdd1e3dd reqid 9 mode tunnel
	replay-window 0 flag 20
	auth hmac(sha1) 0xd2d1eae7088095bf9c53c7e31aeb54741c07fa60
	enc cbc(aes) 0xd65cd564c12093761a23ea870042aeba
	sel src 172.1.17.171/32 dst 172.1.17.131/32
src 192.168.202.102 dst 50.0.1.1
	proto esp spi 0xcc0bd209 reqid 1 mode tunnel
	replay-window 0 flag 20
	auth hmac(sha1) 0x2ff4e4ff00fe9f4ddf2c4c016f8ccef22942c6d2
	enc cbc(aes) 0x26cd9f81021e9e482a3d92f84bd5065c
src 50.0.1.1 dst 192.168.202.102
	proto esp spi 0xc415166a reqid 1 mode tunnel
	replay-window 0 flag 20
	auth hmac(sha1) 0x0eebba88f7ffd82c3107faac25e664aadb40c434
	enc cbc(aes) 0x70c7b46823d07580f143b48e83d8cdf0
	sel src 40.0.2.0/24 dst 192.168.202.0/24
src 50.0.13.2 dst 50.0.13.1
	proto esp spi 0xc5fb953a reqid 7 mode tunnel
	replay-window 0 flag 20
	auth hmac(sha1) 0xcd7175a8e0c7b9b1c45b43b5a1c91fe8cae281ca
	enc cbc(aes) 0x57939d8ea1116ac8a01c3d3ade0c2a9c
src 50.0.13.1 dst 50.0.13.2
	proto esp spi 0xc335054c reqid 7 mode tunnel
	replay-window 0 flag 20
	auth hmac(sha1) 0xc9a823f39f8af48097785548b547b3d1d2cccf7c
	enc cbc(aes) 0x3e0a5bb5368dcb4f331852f12d868388
	sel src 40.0.8.0/24 dst 192.168.202.0/24
src 50.0.13.2 dst 50.0.13.1
	proto esp spi 0xcfa973c2 reqid 4 mode tunnel
	replay-window 0 flag 20
	auth hmac(sha1) 0x7784620591fa2093470d33fe7b9f80261175aacf
	enc cbc(aes) 0xd046f5aa5e9f696836131c7104ad4993
src 50.0.13.1 dst 50.0.13.2
	proto esp spi 0xcb170eab reqid 4 mode tunnel
	replay-window 0 flag 20
	auth hmac(sha1) 0x07fc86ca53a7541ee8debec8b8c20e3c07379752
	enc cbc(aes) 0x97bf1e4c158d427f8aacadf7d7edcc95
	sel src 40.0.7.0/24 dst 192.168.202.0/24
src 50.0.11.2 dst 50.0.11.1
	proto esp spi 0xcaabf605 reqid 6 mode tunnel
	replay-window 0 flag 20
	auth hmac(sha1) 0xc59165b618e73474c8a664608ae105870e85d7c4
	enc cbc(aes) 0xb381d199591b923655d9c7e4e85d716a
src 50.0.11.1 dst 50.0.11.2
	proto esp spi 0xcf1507bd reqid 6 mode tunnel
	replay-window 0 flag 20
	auth hmac(sha1) 0xce554a0185d4b6515f5e4c58deec378c9bfa3c5a
	enc cbc(aes) 0x06bc11476a2a865fcb26709cb6d6b3b2
	sel src 40.0.6.0/24 dst 192.168.202.0/24
src 50.0.13.2 dst 50.0.13.1
	proto esp spi 0xcb1340e7 reqid 8 mode tunnel
	replay-window 0 flag 20
	auth hmac(sha1) 0x7e297e16c00db41ef1c8a91990752c6115e17601
	enc cbc(aes) 0x6fae7fe4c291726ac1e1fea90824639c
src 50.0.13.1 dst 50.0.13.2
	proto esp spi 0xc10d51cb reqid 8 mode tunnel
	replay-window 0 flag 20
	auth hmac(sha1) 0xcb41be904f2830715bffb88c615e6fe55f996ce6
	enc cbc(aes) 0x6d0d929a2f5bcf6f51a358ffdf65532f
	sel src 40.0.9.0/24 dst 192.168.202.0/24
src 50.0.11.2 dst 50.0.11.1
	proto esp spi 0xcce7f200 reqid 3 mode tunnel
	replay-window 0 flag 20
	auth hmac(sha1) 0xfa62250dbd2ccd5149068c7274558ab24ae2280d
	enc cbc(aes) 0xdaeb61f31885ad83a7bdc9d2a5553bf1
src 50.0.11.1 dst 50.0.11.2
	proto esp spi 0xcad16a5b reqid 3 mode tunnel
	replay-window 0 flag 20
	auth hmac(sha1) 0x7935d0b8b2ee4d6ddb69b828f2d0dda9a2453fd5
	enc cbc(aes) 0x3c47f60d8549f513dafc969e8705478d
	sel src 40.0.4.0/24 dst 192.168.202.0/24

**********************************************
*   ip xfrm policy
**********************************************

src 40.0.3.0/24 dst 192.168.202.0/24
	dir fwd priority 4
	tmpl src 50.0.1.1 dst 192.168.202.102
		proto esp reqid 2 mode tunnel
src 40.0.3.0/24 dst 192.168.202.0/24
	dir in priority 4
	tmpl src 50.0.1.1 dst 192.168.202.102
		proto esp reqid 2 mode tunnel
src 192.168.202.0/24 dst 40.0.3.0/24
	dir out priority 4
	tmpl src 192.168.202.102 dst 50.0.1.1
		proto esp reqid 2 mode tunnel
src 192.168.202.0/24 dst 40.0.0.0/24
	dir out priority 1
	tmpl src 192.168.202.102 dst 50.0.0.1
		proto esp reqid 16384 mode tunnel
src 40.0.0.0/24 dst 192.168.202.0/24
	dir fwd priority 1
	tmpl src 50.0.0.1 dst 192.168.202.102
		proto esp reqid 16384 mode tunnel
src 40.0.0.0/24 dst 192.168.202.0/24
	dir in priority 1
	tmpl src 50.0.0.1 dst 192.168.202.102
		proto esp reqid 16384 mode tunnel
src 192.168.202.0/24 dst 40.0.1.0/24
	dir out priority 2
	tmpl src 192.168.202.102 dst 50.0.0.1
		proto esp reqid 16388 mode tunnel
src 40.0.1.0/24 dst 192.168.202.0/24
	dir fwd priority 2
	tmpl src 50.0.0.1 dst 192.168.202.102
		proto esp reqid 16388 mode tunnel
src 40.0.1.0/24 dst 192.168.202.0/24
	dir in priority 2
	tmpl src 50.0.0.1 dst 192.168.202.102
		proto esp reqid 16388 mode tunnel
src 40.0.5.0/24 dst 192.168.202.0/24
	dir fwd priority 6
	tmpl src 50.0.11.1 dst 50.0.11.2
		proto esp reqid 5 mode tunnel
src 40.0.5.0/24 dst 192.168.202.0/24
	dir in priority 6
	tmpl src 50.0.11.1 dst 50.0.11.2
		proto esp reqid 5 mode tunnel
src 192.168.202.0/24 dst 40.0.5.0/24
	dir out priority 6
	tmpl src 50.0.11.2 dst 50.0.11.1
		proto esp reqid 5 mode tunnel
src 172.1.17.171/32 dst 172.1.17.131/32
	dir fwd priority 12
	tmpl src 50.0.1.1 dst 192.168.202.102
		proto esp reqid 9 mode tunnel
src 172.1.17.171/32 dst 172.1.17.131/32
	dir in priority 12
	tmpl src 50.0.1.1 dst 192.168.202.102
		proto esp reqid 9 mode tunnel
src 172.1.17.131/32 dst 172.1.17.171/32
	dir out priority 12
	tmpl src 192.168.202.102 dst 50.0.1.1
		proto esp reqid 9 mode tunnel
src 40.0.2.0/24 dst 192.168.202.0/24
	dir fwd priority 3
	tmpl src 50.0.1.1 dst 192.168.202.102
		proto esp reqid 1 mode tunnel
src 40.0.2.0/24 dst 192.168.202.0/24
	dir in priority 3
	tmpl src 50.0.1.1 dst 192.168.202.102
		proto esp reqid 1 mode tunnel
src 192.168.202.0/24 dst 40.0.2.0/24
	dir out priority 3
	tmpl src 192.168.202.102 dst 50.0.1.1
		proto esp reqid 1 mode tunnel
src 40.0.8.0/24 dst 192.168.202.0/24
	dir fwd priority 9
	tmpl src 50.0.13.1 dst 50.0.13.2
		proto esp reqid 7 mode tunnel
src 40.0.8.0/24 dst 192.168.202.0/24
	dir in priority 9
	tmpl src 50.0.13.1 dst 50.0.13.2
		proto esp reqid 7 mode tunnel
src 192.168.202.0/24 dst 40.0.8.0/24
	dir out priority 9
	tmpl src 50.0.13.2 dst 50.0.13.1
		proto esp reqid 7 mode tunnel
src 40.0.7.0/24 dst 192.168.202.0/24
	dir fwd priority 8
	tmpl src 50.0.13.1 dst 50.0.13.2
		proto esp reqid 4 mode tunnel
src 40.0.7.0/24 dst 192.168.202.0/24
	dir in priority 8
	tmpl src 50.0.13.1 dst 50.0.13.2
		proto esp reqid 4 mode tunnel
src 192.168.202.0/24 dst 40.0.7.0/24
	dir out priority 8
	tmpl src 50.0.13.2 dst 50.0.13.1
		proto esp reqid 4 mode tunnel
src 40.0.6.0/24 dst 192.168.202.0/24
	dir fwd priority 7
	tmpl src 50.0.11.1 dst 50.0.11.2
		proto esp reqid 6 mode tunnel
src 40.0.6.0/24 dst 192.168.202.0/24
	dir in priority 7
	tmpl src 50.0.11.1 dst 50.0.11.2
		proto esp reqid 6 mode tunnel
src 192.168.202.0/24 dst 40.0.6.0/24
	dir out priority 7
	tmpl src 50.0.11.2 dst 50.0.11.1
		proto esp reqid 6 mode tunnel
src 40.0.9.0/24 dst 192.168.202.0/24
	dir fwd priority 10
	tmpl src 50.0.13.1 dst 50.0.13.2
		proto esp reqid 8 mode tunnel
src 40.0.9.0/24 dst 192.168.202.0/24
	dir in priority 10
	tmpl src 50.0.13.1 dst 50.0.13.2
		proto esp reqid 8 mode tunnel
src 192.168.202.0/24 dst 40.0.9.0/24
	dir out priority 10
	tmpl src 50.0.13.2 dst 50.0.13.1
		proto esp reqid 8 mode tunnel
src 40.0.4.0/24 dst 192.168.202.0/24
	dir fwd priority 5
	tmpl src 50.0.11.1 dst 50.0.11.2
		proto esp reqid 3 mode tunnel
src 40.0.4.0/24 dst 192.168.202.0/24
	dir in priority 5
	tmpl src 50.0.11.1 dst 50.0.11.2
		proto esp reqid 3 mode tunnel
src 192.168.202.0/24 dst 40.0.4.0/24
	dir out priority 5
	tmpl src 50.0.11.2 dst 50.0.11.1
		proto esp reqid 3 mode tunnel
src 40.0.10.0/24 dst 14.1.2.0/24
	dir fwd priority 11
	tmpl src 50.0.13.1 dst 50.0.13.2
		proto esp reqid 9 mode tunnel
src 40.0.10.0/24 dst 14.1.2.0/24
	dir in priority 11
	tmpl src 50.0.13.1 dst 50.0.13.2
		proto esp reqid 9 mode tunnel
src 14.1.2.0/24 dst 40.0.10.0/24
	dir out priority 11
	tmpl src 50.0.13.2 dst 50.0.13.1
		proto esp reqid 9 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 3 priority 0
src ::/0 dst ::/0
	dir 3 priority 0
src ::/0 dst ::/0
	dir 4 priority 0
src ::/0 dst ::/0
	dir 3 priority 0
src ::/0 dst ::/0
	dir 4 priority 0
src ::/0 dst ::/0
	dir 3 priority 0
src ::/0 dst ::/0
	dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 4 priority 0
src 14.1.2.1/24 dst 0.0.0.0/0
	dir fwd priority 0
src 0.0.0.0/0 dst 14.1.2.1/24
	dir out priority 0
src 10.29.8.40/32 dst 0.0.0.0/0
	dir out priority 0
src 192.168.254.0/23 dst 192.168.254.0/23
	dir out priority 0
src 192.168.254.0/23 dst 192.168.254.0/23
	dir in priority 0
src 192.168.253.0/24 dst 192.168.253.0/24
	dir out priority 0
src 192.168.253.0/24 dst 192.168.253.0/24
	dir in priority 0
src 192.168.255.0/24 dst 192.168.255.0/24
	dir out priority 0
src 192.168.255.0/24 dst 192.168.255.0/24
	dir in priority 0

**********************************************
*   /etc/ipsec.secrets
**********************************************

# /etc/ipsec.secrets - strongSwan IPsec secrets file

: RSA "privkey.crk"

**********************************************
*   /etc/ipsec.conf
**********************************************

config setup
	plutostart=yes
	plutodebug=none
	nat_traversal=yes
	uniqueids=no
	charonstart=yes
	charondebug="dmn 1, mgr 1, ike 0, chd 1, job 0, cfg 0, knl 0, net 0, enc -1, lib -1"

ca rootca0
	cacert=rootCaCert_0.pem

conn %default
	leftcert=/etc/ipsec.d/certs/btsCert.pem
	auto=start
	pfs=no
	keyingtries=%forever
	mobike=no

conn conn1
	type=tunnel
	leftsubnet=192.168.202.102/24
	rightsubnet=40.0.0.0/24
	left=192.168.202.102
	right=50.0.0.1
	keyexchange=ikev1
	ike=aes128-sha1-modp1024,3des-sha1-modp1024!
	ikelifetime=83668s
	esp=aes128-sha1,3des-sha1!
	authby=pubkey
	rightid=%any
	leftid="192.168.255.129"
	keylife=450s
	dpdaction=restart
	dpddelay=10
	dpdtimeout=120
	rekeyfuzz=50%
	rekeymargin=180s

conn conn2
	type=tunnel
	leftsubnet=192.168.202.102/24
	rightsubnet=40.0.1.0/24
	left=192.168.202.102
	right=50.0.0.1
	keyexchange=ikev1
	ike=aes128-sha1-modp1024,3des-sha1-modp1024!
	ikelifetime=83668s
	esp=aes128-sha1,3des-sha1!
	authby=pubkey
	rightid=%any
	leftid="192.168.255.129"
	keylife=450s
	dpdaction=restart
	dpddelay=10
	dpdtimeout=120
	rekeyfuzz=50%
	rekeymargin=180s

conn conn3
	type=tunnel
	leftsubnet=192.168.202.102/24
	rightsubnet=40.0.2.0/24
	left=192.168.202.102
	right=50.0.1.1
	keyexchange=ikev2
	reauth=no
	ike=aes128-sha1-modp1024,3des-sha1-modp1024!
	ikelifetime=83668s
	esp=aes128-sha1,3des-sha1!
	authby=pubkey
	rightid=%any
	leftid="192.168.255.129"
	keylife=450s
	dpdaction=restart
	dpddelay=10
	dpdtimeout=120
	rekeyfuzz=50%
	rekeymargin=180s

conn conn4
	type=tunnel
	leftsubnet=192.168.202.102/24
	rightsubnet=40.0.3.0/24
	left=192.168.202.102
	right=50.0.1.1
	keyexchange=ikev2
	reauth=no
	ike=aes128-sha1-modp1024,3des-sha1-modp1024!
	ikelifetime=83668s
	esp=aes128-sha1,3des-sha1!
	authby=pubkey
	rightid=%any
	leftid="192.168.255.129"
	keylife=450s
	dpdaction=restart
	dpddelay=10
	dpdtimeout=120
	rekeyfuzz=50%
	rekeymargin=180s

conn conn5
	type=tunnel
	leftsubnet=192.168.202.102/24
	rightsubnet=40.0.4.0/24
	left=50.0.11.2
	right=50.0.11.1
	keyexchange=ikev2
	reauth=no
	ike=aes128-sha1-modp1024,3des-sha1-modp1024!
	ikelifetime=83668s
	esp=aes128-sha1,3des-sha1!
	authby=pubkey
	rightid=%any
	leftid="192.168.255.129"
	keylife=450s
	dpdaction=restart
	dpddelay=10
	dpdtimeout=120
	rekeyfuzz=50%
	rekeymargin=180s

conn conn6
	type=tunnel
	leftsubnet=192.168.202.102/24
	rightsubnet=40.0.5.0/24
	left=50.0.11.2
	right=50.0.11.1
	keyexchange=ikev2
	reauth=no
	ike=aes128-sha1-modp1024,3des-sha1-modp1024!
	ikelifetime=83668s
	esp=aes128-sha1,3des-sha1!
	authby=pubkey
	rightid=%any
	leftid="192.168.255.129"
	keylife=450s
	dpdaction=restart
	dpddelay=10
	dpdtimeout=120
	rekeyfuzz=50%
	rekeymargin=180s

conn conn7
	type=tunnel
	leftsubnet=192.168.202.102/24
	rightsubnet=40.0.6.0/24
	left=50.0.11.2
	right=50.0.11.1
	keyexchange=ikev2
	reauth=no
	ike=aes128-sha1-modp1024,3des-sha1-modp1024!
	ikelifetime=83668s
	esp=aes128-sha1,3des-sha1!
	authby=pubkey
	rightid=%any
	leftid="192.168.255.129"
	keylife=450s
	dpdaction=restart
	dpddelay=10
	dpdtimeout=120
	rekeyfuzz=50%
	rekeymargin=180s

conn conn8
	type=tunnel
	leftsubnet=192.168.202.102/24
	rightsubnet=40.0.7.0/24
	left=50.0.13.2
	right=50.0.13.1
	keyexchange=ikev2
	reauth=no
	ike=aes128-sha1-modp1024,3des-sha1-modp1024!
	ikelifetime=83668s
	esp=aes128-sha1,3des-sha1!
	authby=pubkey
	rightid=%any
	leftid="192.168.255.129"
	keylife=450s
	dpdaction=restart
	dpddelay=10
	dpdtimeout=120
	rekeyfuzz=50%
	rekeymargin=180s

conn conn9
	type=tunnel
	leftsubnet=192.168.202.102/24
	rightsubnet=40.0.8.0/24
	left=50.0.13.2
	right=50.0.13.1
	keyexchange=ikev2
	reauth=no
	ike=aes128-sha1-modp1024,3des-sha1-modp1024!
	ikelifetime=83668s
	esp=aes128-sha1,3des-sha1!
	authby=pubkey
	rightid=%any
	leftid="192.168.255.129"
	keylife=450s
	dpdaction=restart
	dpddelay=10
	dpdtimeout=120
	rekeyfuzz=50%
	rekeymargin=180s

conn conn10
	type=tunnel
	leftsubnet=192.168.202.102/24
	rightsubnet=40.0.9.0/24
	left=50.0.13.2
	right=50.0.13.1
	keyexchange=ikev2
	reauth=no
	ike=aes128-sha1-modp1024,3des-sha1-modp1024!
	ikelifetime=83668s
	esp=aes128-sha1,3des-sha1!
	authby=pubkey
	rightid=%any
	leftid="192.168.255.129"
	keylife=450s
	dpdaction=restart
	dpddelay=10
	dpdtimeout=120
	rekeyfuzz=50%
	rekeymargin=180s

conn conn11
	type=tunnel
	leftsubnet=14.1.2.0/24
	rightsubnet=40.0.10.0/24
	left=50.0.13.2
	right=50.0.13.1
	keyexchange=ikev2
	reauth=no
	ike=aes128-sha1-modp1024,3des-sha1-modp1024!
	ikelifetime=83668s
	esp=aes128-sha1,3des-sha1!
	authby=pubkey
	rightid=%any
	leftid="192.168.255.129"
	keylife=450s
	dpdaction=restart
	dpddelay=10
	dpdtimeout=120
	rekeyfuzz=50%
	rekeymargin=180s

conn conn12
	type=tunnel
	leftsubnet=172.1.17.131/24
	rightsubnet=172.1.17.171/24
	left=192.168.202.102
	right=50.0.1.1
	keyexchange=ikev2
	reauth=no
	ike=aes128-sha1-modp1024,3des-sha1-modp1024!
	ikelifetime=83668s
	esp=aes128-sha1,3des-sha1!
	authby=pubkey
	rightid=%any
	leftid="192.168.255.129"
	keylife=450s
	dpdaction=restart
	dpddelay=10
	dpdtimeout=120
	rekeyfuzz=50%
	rekeymargin=180s