<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoPlainText">Below is a network diagram of a StrongSwan box configured in Amazon Web Services with a tunnel to a Cisco ASA.</p>
<p class="MsoPlainText">The tunnel between the StrongSwan box and the Cisco device is working properly; phase 1 and phase 2 have completed.</p>
<p class="MsoPlainText">The issue is that the traffic destined to the StrongSwan box should then be passed to the 'Test Server' box (172.31.12.176).</p>
<p class="MsoPlainText">I am able to see the ICMP packets sent from the 192.168.20.0/24 network hit the StrongSwan box, but this traffic is not passed along to the Test Server.</p>
<p class="MsoPlainText">I have enabled forward client traffic and included forward rules for traffic sourced from the 192.168.20.0/24 subnet to be forwarded to 172.31.12.176.</p>
<p class="MsoPlainText">Does someone have any insight into what I may have configured incorrectly?</p>
<pre>|TEST SERVER (172.31.12.176)| ========== Eth1 172.31.12.187 -- |STRONGSWAN SERVER| -- Eth0 172.31.10.126 (EIP x.x.x.209) ========== Outside Interface x.x.x.143 -- |CISCO ASA| -- 192.168.20.0/24 subnet to other hosts</pre>
<p class="MsoPlainText">StrongSwan Server has two interfaces: Eth0 and Eth1.</p>
<p class="MsoPlainText">Eth0 has an EIP associated to it (x.x.x.209).</p>
<p class="MsoPlainText">Eth1 has an IP of 172.31.12.187 that I believe should pass traffic to the Test Server.</p>
<p class="MsoPlainText">Test Server has an IP address of 172.31.12.176.</p>
<p class="MsoPlainText">Cisco ASA has an outside interface of x.x.x.143 and communicates to the subnet 192.168.20.0/24.</p>
<p class="MsoPlainText" style="border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in">CONFIGS &amp; OUTPUT IP/ROUTE DETAILS</p>
<pre># ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    # strictcrlpolicy=yes
    # uniqueids = no
    charondebug="ike 2, knl 2, cfg 2, dmn 2, esp 2, net 2, chd 2"

conn RedSkyPIX-CHI
    type = tunnel
    authby = psk
    auto = start
    keyexchange = ikev1
    ike = aes128-sha1-modp1024
    esp = aes128-sha1
    ikelifetime = 28800s
    keylife = 3600s
    aggressive = no
    left = 172.31.10.126
    leftsubnet = 172.31.12.0/24
    leftid = x.x.x.209
    leftfirewall = yes
    right = x.x.x.143
    rightsubnet = 192.168.20.0/24
    rightid = x.x.x.143
    rightfirewall = yes
</pre>
<pre># The following are enabled
sysctl net.ipv4.ip_forward=1
sysctl net.ipv6.conf.all.forwarding=1
</pre>
<pre># ip route show
172.31.12.0/24 dev eth1 proto kernel scope link src 172.31.12.187
172.31.10.0/24 dev eth0 proto kernel scope link src 172.31.10.126
169.254.0.0/16 dev eth0 scope link metric 1002
169.254.0.0/16 dev eth1 scope link metric 1003
default via 172.31.10.1 dev eth0
</pre>
<pre># ip -s xfrm state
src 172.31.10.126 dst x.x.x.143
	proto esp spi 0xae1ca856(2921113686) reqid 1(0x00000001) mode tunnel
	replay-window 32 seq 0x00000000 flag 20 (0x00100000)
	auth hmac(sha1) 0x6008d28b0f40c2eb8fa884730aa41fa9da85dcac (160 bits)
	enc cbc(aes) 0xdcfd69f529f3529a026aa2ddefce61bc (128 bits)
	encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 3055(sec), hard 3600(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2018-01-04 14:22:14 use -
	stats:
	  replay-window 0 replay 0 failed 0
src x.x.x.143 dst 172.31.10.126
	proto esp spi 0xc3a540f4(3282387188) reqid 1(0x00000001) mode tunnel
	replay-window 32 seq 0x00000000 flag 20 (0x00100000)
	auth hmac(sha1) 0x840c9d785e7bb09cd5b868ff13295f558191b3e5 (160 bits)
	enc cbc(aes) 0xade0f2bfc266c8fcce9267f2270fcfe1 (128 bits)
	encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 2940(sec), hard 3600(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  2160(bytes), 36(packets)
	  add 2018-01-04 14:22:14 use 2018-01-04 14:22:19
	stats:
	  replay-window 0 replay 0 failed 0
</pre>
<pre># ip -s xfrm state
src 172.31.10.126 dst x.x.x.143
	proto esp spi 0xae1ca856(2921113686) reqid 1(0x00000001) mode tunnel
	replay-window 32 seq 0x00000000 flag 20 (0x00100000)
	auth hmac(sha1) 0x6008d28b0f40c2eb8fa884730aa41fa9da85dcac (160 bits)
	enc cbc(aes) 0xdcfd69f529f3529a026aa2ddefce61bc (128 bits)
	encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 3055(sec), hard 3600(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2018-01-04 14:22:14 use -
	stats:
	  replay-window 0 replay 0 failed 0
src x.x.x.143 dst 172.31.10.126
	proto esp spi 0xc3a540f4(3282387188) reqid 1(0x00000001) mode tunnel
	replay-window 32 seq 0x00000000 flag 20 (0x00100000)
	auth hmac(sha1) 0x840c9d785e7bb09cd5b868ff13295f558191b3e5 (160 bits)
	enc cbc(aes) 0xade0f2bfc266c8fcce9267f2270fcfe1 (128 bits)
	encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 2940(sec), hard 3600(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  2520(bytes), 42(packets)
	  add 2018-01-04 14:22:14 use 2018-01-04 14:22:19
	stats:
	  replay-window 0 replay 0 failed 0
</pre>
<pre># ip -s xfrm policy
src 192.168.20.0/24 dst 172.31.12.176/32 uid 0
	dir fwd action allow index 1986 priority 2851 ptype main share any flag (0x00000000)
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2018-01-04 14:22:14 use 2018-01-04 14:24:09
	tmpl src x.x.x.143 dst 172.31.10.126
		proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
		level required share any
		enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 192.168.20.0/24 dst 172.31.12.176/32 uid 0
	dir in action allow index 1976 priority 2851 ptype main share any flag (0x00000000)
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2018-01-04 14:22:14 use -
	tmpl src x.x.x.143 dst 172.31.10.126
		proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
		level required share any
		enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 172.31.12.176/32 dst 192.168.20.0/24 uid 0
	dir out action allow index 1969 priority 2851 ptype main share any flag (0x00000000)
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2018-01-04 14:22:14 use -
	tmpl src 172.31.10.126 dst x.x.x.143
		proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
		level required share any
		enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
	dir 3 action allow index 1963 priority 0 ptype main share any flag (0x00000000)
	lifetime config:
	  limit: soft 0(bytes), hard 0(bytes)
	  limit: soft 0(packets), hard 0(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2018-01-04 14:22:11 use 2018-01-04 14:24:09
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
	dir 4 action allow index 1956 priority 0 ptype main share any flag (0x00000000)
	lifetime config:
	  limit: soft 0(bytes), hard 0(bytes)
	  limit: soft 0(packets), hard 0(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2018-01-04 14:22:11 use 2018-01-04 14:23:58
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
	dir 3 action allow index 1947 priority 0 ptype main share any flag (0x00000000)
	lifetime config:
	  limit: soft 0(bytes), hard 0(bytes)
	  limit: soft 0(packets), hard 0(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2018-01-04 14:22:11 use 2018-01-04 14:22:14
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
	dir 4 action allow index 1940 priority 0 ptype main share any flag (0x00000000)
	lifetime config:
	  limit: soft 0(bytes), hard 0(bytes)
	  limit: soft 0(packets), hard 0(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2018-01-04 14:22:11 use 2018-01-04 14:22:14
src ::/0 dst ::/0 uid 0
	dir 3 action allow index 1931 priority 0 ptype main share any flag (0x00000000)
	lifetime config:
	  limit: soft 0(bytes), hard 0(bytes)
	  limit: soft 0(packets), hard 0(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2018-01-04 14:22:11 use -
src ::/0 dst ::/0 uid 0
	dir 4 action allow index 1924 priority 0 ptype main share any flag (0x00000000)
	lifetime config:
	  limit: soft 0(bytes), hard 0(bytes)
	  limit: soft 0(packets), hard 0(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2018-01-04 14:22:11 use -
src ::/0 dst ::/0 uid 0
	dir 3 action allow index 1915 priority 0 ptype main share any flag (0x00000000)
	lifetime config:
	  limit: soft 0(bytes), hard 0(bytes)
	  limit: soft 0(packets), hard 0(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2018-01-04 14:22:11 use -
src ::/0 dst ::/0 uid 0
	dir 4 action allow index 1908 priority 0 ptype main share any flag (0x00000000)
	lifetime config:
	  limit: soft 0(bytes), hard 0(bytes)
	  limit: soft 0(packets), hard 0(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
</pre>
<p class="MsoPlainText"><span style="font-family:"Courier New""> add 2018-01-04 14:22:11 use -<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New""># iptables -L -n<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New"">Chain INPUT (policy ACCEPT)<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New"">target prot opt source destination<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New"">ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New"">ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New"">ACCEPT all -- 0.0.0.0/0 0.0.0.0/0<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New"">ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New"">ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New"">ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:4500 dpt:4500<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New"">LOGDROP all -- 0.0.0.0/0 0.0.0.0/0<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New"">ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New"">ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New"">REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New"">LOGDROP all -- 0.0.0.0/0 0.0.0.0/0<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New"">Chain FORWARD (policy ACCEPT)<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New"">target prot opt source destination<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New"">ACCEPT all -- 192.168.20.0/24 172.31.12.176 policy match dir in pol ipsec reqid 1 proto 50<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New"">ACCEPT all -- 172.31.12.176 192.168.20.0/24 policy match dir out pol ipsec reqid 1 proto 50<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New"">LOGDROP all -- 0.0.0.0/0 0.0.0.0/0<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New"">REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New"">Chain OUTPUT (policy ACCEPT)<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New"">target prot opt source destination<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New"">ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New"">ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New"">ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New"">ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:4500 dpt:4500<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New"">Chain LOGDROP (3 references)<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New"">target prot opt source destination<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New"">LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New""><o:p> </o:p></span></p>
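<p class="MsoPlainText">In the INPUT chain above an unconditional ACCEPT all rule sits ahead of the IKE (UDP 500/4500), AH/ESP and LOGDROP rules, and the LOGDROP chain itself only contains a LOG target. The script below is an added example, not part of this post or of strongSwan: it parses iptables -L -n output and reports rules shadowed by an earlier catch-all rule as well as user chains that never terminate; SAMPLE is a constructed condensation of the chains listed above.</p>

```python
"""Audit iptables -L -n output. Added example, not the post's code; SAMPLE is constructed."""
import re
TERMINAL = {"ACCEPT", "DROP", "REJECT"}   # targets that end chain traversal
BUILTIN = {"INPUT", "FORWARD", "OUTPUT"}

def parse_chains(text):
    """Map chain name -> list of (target, proto, src, dst, match) tuples."""
    chains, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Chain (\S+) \(", line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif line and not line.startswith("target") and current:
            f = line.split(None, 5) + [""] * 6      # pad missing columns
            match = "" if f[5].startswith(("reject-with", "LOG ")) else f[5]
            chains[current].append((f[0], f[1], f[3], f[4], match))
    return chains

def is_catch_all(rule):
    target, proto, src, dst, match = rule   # terminating rule matching every packet
    return target in TERMINAL and proto == "all" and src == dst == "0.0.0.0/0" and not match

def shadowed_rules(chains):
    """Chain -> 1-based numbers (as in --line-numbers) of unreachable rules."""
    result = {}
    for name, rules in chains.items():
        first = next((i for i, r in enumerate(rules) if is_catch_all(r)), None)
        if first is not None and first + 1 < len(rules):
            result[name] = list(range(first + 2, len(rules) + 1))
    return result

def non_terminating_chains(chains):
    """User chains that never ACCEPT/DROP/REJECT: packets return after LOG."""
    return [n for n, rules in chains.items()
            if n not in BUILTIN and not any(r[0] in TERMINAL for r in rules)]

SAMPLE = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
LOGDROP    all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
Chain LOGDROP (3 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
"""
```

Running shadowed_rules(parse_chains(SAMPLE)) reports INPUT rules 3 to 5 as unreachable, and non_terminating_chains lists LOGDROP, so the "drop" part of LOGDROP never happens on the real listing either.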
</div>
</body>
</html>