<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgba(0, 0, 0, 0);">
Hi Noel,<br>
<br>
Thank you for the update. Please see below output. Yes, I understand the DH group is better to be 5, thanks for the reminder.
<br>
<br>
<div>iptables-save -c</div>
<div># Generated by iptables-save v1.6.2 on Wed Mar 14 07:34:57 2018</div>
<div>*raw</div>
<div>:PREROUTING ACCEPT [1610:117869]</div>
<div>:OUTPUT ACCEPT [2109:892186]</div>
<div>COMMIT</div>
<div># Completed on Wed Mar 14 07:34:57 2018</div>
<div># Generated by iptables-save v1.6.2 on Wed Mar 14 07:34:57 2018</div>
<div>*nat</div>
<div>:PREROUTING ACCEPT [32:14382]</div>
<div>:INPUT ACCEPT [32:14382]</div>
<div>:OUTPUT ACCEPT [31:2493]</div>
<div>:POSTROUTING ACCEPT [5:208]</div>
<div>[26:2285] -A POSTROUTING -o usb0 -j MASQUERADE</div>
<div>COMMIT</div>
<div># Completed on Wed Mar 14 07:34:57 2018</div>
<div># Generated by iptables-save v1.6.2 on Wed Mar 14 07:34:57 2018</div>
<div>*mangle</div>
<div>:PREROUTING ACCEPT [1611:117909]</div>
<div>:INPUT ACCEPT [1611:117909]</div>
<div>:FORWARD ACCEPT [0:0]</div>
<div>:OUTPUT ACCEPT [2117:893322]</div>
<div>:POSTROUTING ACCEPT [2121:893390]</div>
<div>COMMIT</div>
<div># Completed on Wed Mar 14 07:34:57 2018</div>
<div># Generated by iptables-save v1.6.2 on Wed Mar 14 07:34:57 2018</div>
<div>*filter</div>
<div>:INPUT ACCEPT [1612:117949]</div>
<div>:FORWARD ACCEPT [0:0]</div>
<div>:OUTPUT ACCEPT [2120:893774]</div>
<div>[0:0] -A FORWARD -i eth0 -j ACCEPT</div>
<div>[0:0] -A FORWARD -i wlan0 -j ACCEPT</div>
<div>COMMIT</div>
<div># Completed on Wed Mar 14 07:34:57 2018</div>
<div></div>
<div># ip a</div>
<div>1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN</div>
<div> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00</div>
<div> inet 127.0.0.1/8 scope host lo</div>
<div> inet6 ::1/128 scope host</div>
<div> valid_lft forever preferred_lft forever</div>
<div>2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000</div>
<div> link/ether 50:ff:99:30:13:10 brd ff:ff:ff:ff:ff:ff</div>
<div> inet 192.168.199.100/24 brd 192.168.199.255 scope global eth0</div>
<div> inet 192.168.199.254/24 brd 192.168.199.254 scope global secondary eth0</div>
<div> inet6 fe80::52ff:99ff:fe30:1310/64 scope link</div>
<div> valid_lft forever preferred_lft forever</div>
<div>3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000</div>
<div> link/ether 50:ff:99:30:13:11 brd ff:ff:ff:ff:ff:ff</div>
<div>4: tunl0: <NOARP> mtu 1480 qdisc noop state DOWN</div>
<div> link/ipip 0.0.0.0 brd 0.0.0.0</div>
<div>5: sit0: <NOARP> mtu 1480 qdisc noop state DOWN</div>
<div> link/sit 0.0.0.0 brd 0.0.0.0</div>
<div>6: ip6tnl0: <NOARP> mtu 1452 qdisc noop state DOWN</div>
<div> link/tunnel6 :: brd ::</div>
<div>7: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000</div>
<div> link/ether 08:ea:40:72:28:b7 brd ff:ff:ff:ff:ff:ff</div>
<div> inet 192.168.126.1/24 brd 192.168.126.255 scope global wlan0</div>
<div> inet6 fe80::aea:40ff:fe72:28b7/64 scope link</div>
<div> valid_lft forever preferred_lft forever</div>
<div>8: usb0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000</div>
<div> link/ether 02:1e:10:1f:00:00 brd ff:ff:ff:ff:ff:ff</div>
<div> inet 10.168.60.225/30 brd 10.168.60.227 scope global usb0</div>
<div> inet 10.2.1.213/32 scope global usb0</div>
<div> inet6 fe80::1e:10ff:fe1f:0/64 scope link</div>
<div> valid_lft forever preferred_lft forever</div>
<div></div>
<div></div>
<div></div>
<div></div>
<div></div>
<div></div>
<div></div>
<div></div>
<div></div>
<div># ip r show table all</div>
<div>10.2.1.0/24 via 10.168.60.226 dev usb0 table 220 proto static src 192.168.199.100
</div>
<div>default via 10.168.60.226 dev usb0</div>
<div>10.168.60.224/30 dev usb0 proto kernel scope link src 10.168.60.225</div>
<div>192.168.126.0/24 dev wlan0 proto kernel scope link src 192.168.126.1</div>
<div>192.168.199.0/24 dev eth0 proto kernel scope link src 192.168.199.100</div>
<div>local 10.2.1.213 dev usb0 table local proto kernel scope host src 10.2.1.213</div>
<div>broadcast 10.168.60.224 dev usb0 table local proto kernel scope link src 10.168.60.225</div>
<div>local 10.168.60.225 dev usb0 table local proto kernel scope host src 10.168.60.225</div>
<div>broadcast 10.168.60.227 dev usb0 table local proto kernel scope link src 10.168.60.225</div>
<div>broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1</div>
<div>local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1</div>
<div>local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1</div>
<div>broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1</div>
<div>broadcast 192.168.126.0 dev wlan0 table local proto kernel scope link src 192.168.126.1</div>
<div>local 192.168.126.1 dev wlan0 table local proto kernel scope host src 192.168.126.1</div>
<div>broadcast 192.168.126.255 dev wlan0 table local proto kernel scope link src 192.168.126.1</div>
<div>broadcast 192.168.199.0 dev eth0 table local proto kernel scope link src 192.168.199.100</div>
<div>local 192.168.199.100 dev eth0 table local proto kernel scope host src 192.168.199.100</div>
<div>local 192.168.199.254 dev eth0 table local proto kernel scope host src 192.168.199.100</div>
<div>broadcast 192.168.199.254 dev eth0 table local proto kernel scope link src 192.168.199.100</div>
<div>broadcast 192.168.199.255 dev eth0 table local proto kernel scope link src 192.168.199.100</div>
<div>unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 hoplimit 255</div>
<div>fe80::/64 dev wlan0 proto kernel metric 256</div>
<div>fe80::/64 dev eth0 proto kernel metric 256</div>
<div>fe80::/64 dev usb0 proto kernel metric 256</div>
<div>unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 hoplimit 255</div>
<div>local ::1 via :: dev lo table local proto none metric 0</div>
<div>local fe80:: via :: dev lo table local proto none metric 0</div>
<div>local fe80:: via :: dev lo table local proto none metric 0</div>
<div>local fe80:: via :: dev lo table local proto none metric 0</div>
<div>local fe80::1e:10ff:fe1f:0 via :: dev lo table local proto none metric 0</div>
<div>local fe80::aea:40ff:fe72:28b7 via :: dev lo table local proto none metric 0</div>
<div>local fe80::52ff:99ff:fe30:1310 via :: dev lo table local proto none metric 0</div>
<div>ff00::/8 dev wlan0 table local metric 256</div>
<div>ff00::/8 dev eth0 table local metric 256</div>
<div>ff00::/8 dev usb0 table local metric 256</div>
<div>unreachable default dev lo table unspec proto kernel metric 429</div>
<div>4967295 error -101 hoplimit 255</div>
<div></div>
<div></div>
<div></div>
<div># ip ru</div>
<div>0: from all lookup local</div>
<div>220: from all lookup 220</div>
<div>32766: from all lookup main</div>
<div>32767: from all lookup default</div>
<div></div>
<div></div>
<div># ip route list table 220</div>
<div>10.2.1.0/24 via 10.168.60.226 dev usb0 proto static src 192.168.199.100<br>
</div>
<br>
</div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Noel Kuntze <noel.kuntze+strongswan-users-ml@thermi.consulting><br>
<b>Sent:</b> Wednesday, 14 March 2018 12:24 AM<br>
<b>To:</b> Shuchen He; users@lists.strongswan.org<br>
<b>Subject:</b> Re: [strongSwan] Strongswan IPSec VPN is up but does not pass traffic</font>
<div> </div>
</div>
<div class="BodyFragment"><font size="2"><span style="font-size:11pt;">
<div class="PlainText">Hi,<br>
<br>
Please provide the outputs of `iptables-save -c`, `ip a`, `ip r show table all` and `ip ru`.<br>
Btw, modp768 is considered broken, same for 1024.<br>
<br>
Kind regards<br>
<br>
Noel<br>
<br>
On 12.03.2018 11:45, Shuchen He wrote:<br>
> Hi,<br>
><br>
> I have setup a VPN between ASA and strongswan using IKE1. The strongswan work as remote VPN using PSK XAuth.<br>
><br>
> The VPN tunnel is up but I can not ping the remote site. Below is the configuration and some output.<br>
><br>
> My observation at the moment is that the Linux kernel has setup everything but the TS traffic just does not leave the Linux box. When I ping remote site, I can see "ip xfrm state" actually shows a flow for my traffic... but the flow is somehow dropped by
either the kernel or strongswan.<br>
><br>
> Can you please let me know what else I should do to further troubleshoot the issue?<br>
><br>
> *Configuration<br>
> *<br>
> connections {<br>
> home {<br>
> aggressive = yes<br>
> dpd_delay = 30<br>
> dpd_timeout = 90<br>
> version = 1<br>
> remote_addrs = 126.2.1.4<br>
> # uncomment if the responder only supports crappy crypto. But seriously,<br>
> # every single one of those algorithms is broken. Better spend some $$$<br>
> # on a better solution.<br>
> proposals = aes256-sha1-modp1024<br>
> vips = 0.0.0.0,::<br>
> local-1 {<br>
> auth = psk<br>
> id = acompanyTest<br>
> }<br>
> local-2 {<br>
> auth = xauth-generic<br>
> xauth_id = acompanyTest<br>
> }<br>
> remote-1 {<br>
> auth = psk<br>
> # You might have to set this to the correct value, if the responder isn't configure correctly.<br>
> #id = 126.2.1.4<br>
> }<br>
> children {<br>
> home {<br>
> remote_ts = 10.2.1.0/24<br>
> #local_ts=192.168.199.0/24,0.0.0.0<br>
> # uncomment if the responder only supports crappy crypto. But seriously,<br>
> # every single one of those algorithms is broken. Better spend some $$$<br>
> # on a better solution.<br>
> # esp_proposals = 3des-md5!<br>
> # Use this, if you want PFS with DH group 2.<br>
> # esp_proposals = 3des-md5-modp1024!<br>
> esp_proposals = aes128-sha1-modp768<br>
> }<br>
> }<br>
> }<br>
> }<br>
> secrets {<br>
> ike-home {<br>
> id = 126.2.1.4<br>
> secret = "acompany123"<br>
> }<br>
> eap-home {<br>
> id = acompanyTest<br>
> secret = "acompany123"<br>
> }<br>
> }<br>
><br>
> # ipsec statusall<br>
> Status of IKE charon daemon (strongSwan 5.6.2, Linux 3.0.35-2666-gbdde708-g889281e-dirty, armv7l):<br>
> uptime: 18 minutes, since Mar 12 18:15:45 2018<br>
> malloc: sbrk 253952, mmap 0, used 158560, free 95392<br>
> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6<br>
> loaded plugins: charon aes des rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic
counters<br>
> Listening IP addresses:<br>
> 192.168.199.100<br>
> 192.168.199.254<br>
> 192.168.199.141<br>
> 192.168.126.1<br>
> 10.39.63.211<br>
> Connections:<br>
> site: %any...126.2.1.4 IKEv1<br>
> site: local: [mylocalsite] uses pre-shared key authentication<br>
> site: remote: uses pre-shared key authentication<br>
> site: child: 192.168.199.0/24 === 10.2.1.0/24 TUNNEL<br>
> home: %any...126.2.1.4 IKEv1 Aggressive, dpddelay=30s<br>
> home: local: [acompanyTest] uses pre-shared key authentication<br>
> home: local: uses XAuth authentication: generic with XAuth identity 'acompanyTest'<br>
> home: remote: uses pre-shared key authentication<br>
> home: child: dynamic === 10.2.1.0/24 TUNNEL, dpdaction=clear<br>
> Routed Connections:<br>
> site{1}: ROUTED, TUNNEL, reqid 1<br>
> site{1}: 192.168.199.0/24 === 10.2.1.0/24<br>
> Security Associations (1 up, 0 connecting):<br>
> home[1]: ESTABLISHED 17 minutes ago, 10.39.63.211[acompanyTest]...126.2.1.4[126.2.1.4]<br>
> home[1]: IKEv1 SPIs: 504550d01ee905e2_i* 2311e0ae0c6c454f_r, rekeying in 3 hours<br>
> home[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024<br>
> home{2}: INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: cc621d5e_i 3545bd6a_o<br>
> home{2}: AES_CBC_128/HMAC_SHA1_96/MODP_768, 0 bytes_i, 0 bytes_o, rekeying in 40 minutes<br>
> home{2}: 10.2.1.211/32 === 10.2.1.0/24<br>
> root@wheezy-armel:~ 18:33:49<br>
> # ifconfig<br>
> eth0 Link encap:Ethernet HWaddr 50:ff:99:30:13:10 <br>
> inet addr:192.168.199.100 Bcast:192.168.199.255 Mask:255.255.255.0<br>
> inet6 addr: fe80::52ff:99ff:fe30:1310/64 Scope:Link<br>
> UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1<br>
> RX packets:3585 errors:0 dropped:0 overruns:0 frame:0<br>
> TX packets:1318 errors:0 dropped:0 overruns:0 carrier:0<br>
> collisions:0 txqueuelen:1000<br>
> RX bytes:422967 (413.0 KiB) TX bytes:177070 (172.9 KiB)<br>
> eth1 Link encap:Ethernet HWaddr 50:ff:99:30:13:11 <br>
> inet addr:192.168.199.141 Bcast:192.168.199.255 Mask:255.255.255.0<br>
> inet6 addr: fe80::52ff:99ff:fe30:1311/64 Scope:Link<br>
> UP BROADCAST MULTICAST MTU:1500 Metric:1<br>
> RX packets:11288 errors:0 dropped:0 overruns:0 frame:0<br>
> TX packets:25 errors:0 dropped:0 overruns:0 carrier:0<br>
> collisions:0 txqueuelen:1000<br>
> RX bytes:2799722 (2.6 MiB) TX bytes:3078 (3.0 KiB)<br>
> Interrupt:155 Base address:0x8000<br>
> lo Link encap:Local Loopback <br>
> inet addr:127.0.0.1 Mask:255.0.0.0<br>
> inet6 addr: ::1/128 Scope:Host<br>
> UP LOOPBACK RUNNING MTU:16436 Metric:1<br>
> RX packets:1334 errors:0 dropped:0 overruns:0 frame:0<br>
> TX packets:1334 errors:0 dropped:0 overruns:0 carrier:0<br>
> collisions:0 txqueuelen:0<br>
> RX bytes:465386 (454.4 KiB) TX bytes:465386 (454.4 KiB)<br>
> usb0 Link encap:Ethernet HWaddr 02:1e:10:1f:00:00 <br>
> inet addr:10.39.63.211 Bcast:10.39.63.215 Mask:255.255.255.248<br>
> inet6 addr: fe80::1e:10ff:fe1f:0/64 Scope:Link<br>
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
> RX packets:1049 errors:0 dropped:0 overruns:0 frame:0<br>
> TX packets:973 errors:0 dropped:0 overruns:0 carrier:0<br>
> collisions:0 txqueuelen:1000<br>
> RX bytes:67244 (65.6 KiB) TX bytes:153707 (150.1 KiB)<br>
> wlan0 Link encap:Ethernet HWaddr 08:ea:40:72:28:b7 <br>
> inet addr:192.168.126.1 Bcast:192.168.126.255 Mask:255.255.255.0<br>
> inet6 addr: fe80::aea:40ff:fe72:28b7/64 Scope:Link<br>
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
> RX packets:3229 errors:0 dropped:0 overruns:0 frame:0<br>
> TX packets:1 errors:0 dropped:0 overruns:0 carrier:0<br>
> collisions:0 txqueuelen:1000<br>
> RX bytes:0 (0.0 B) TX bytes:112 (112.0 B)<br>
><br>
> # route -n<br>
> Kernel IP routing table<br>
> Destination Gateway Genmask Flags Metric Ref Use Iface<br>
> 0.0.0.0 10.39.63.209 0.0.0.0 UG 0 0 0 usb0<br>
> 10.39.63.208 0.0.0.0 255.255.255.248 U 0 0 0 usb0<br>
> 192.168.126.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0<br>
> 192.168.199.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0<br>
> 192.168.199.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1<br>
><br>
> # ip route show table 220<br>
> 10.2.1.0/24 via 10.39.63.209 dev usb0 proto static src 192.168.199.100<br>
><br>
> # ip -s xfrm state<br>
> src 10.39.63.211 dst 126.2.1.4<br>
> proto esp spi 0x3545bd6a(893762922) reqid 2(0x00000002) mode tunnel<br>
> replay-window 0 seq 0x00000000 flag af-unspec (0x00100000)<br>
> auth-trunc hmac(sha1) 0xaeb85f4b30fec0ccc1240cf9f6204a74e1785df5 (160 bits) 96<br>
> enc cbc(aes) 0xa0711780a30caaad143960ede951ef46 (128 bits)<br>
> encap type espinudp sport 4500 dport 4500 addr 0.0.0.0<br>
> lifetime config:<br>
> limit: soft (INF)(bytes), hard (INF)(bytes)<br>
> limit: soft (INF)(packets), hard (INF)(packets)<br>
> expire add: soft 3501(sec), hard 3960(sec)<br>
> expire use: soft 0(sec), hard 0(sec)<br>
> lifetime current:<br>
> 0(bytes), 0(packets)<br>
> add 2018-03-12 18:15:52 use -<br>
> stats:<br>
> replay-window 0 replay 0 failed 0<br>
> src 126.2.1.4 dst 10.39.63.211<br>
> proto esp spi 0xcc621d5e(3428982110) reqid 2(0x00000002) mode tunnel<br>
> replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)<br>
> auth-trunc hmac(sha1) 0xbe6d3dc8b3c032f0059ece1a0234cbd87858d25e (160 bits) 96<br>
> enc cbc(aes) 0x7d99b233194ab31328cec11ea2ce7aa1 (128 bits)<br>
> encap type espinudp sport 4500 dport 4500 addr 0.0.0.0<br>
> lifetime config:<br>
> limit: soft (INF)(bytes), hard (INF)(bytes)<br>
> limit: soft (INF)(packets), hard (INF)(packets)<br>
> expire add: soft 3596(sec), hard 3960(sec)<br>
> expire use: soft 0(sec), hard 0(sec)<br>
> lifetime current:<br>
> 0(bytes), 0(packets)<br>
> add 2018-03-12 18:15:52 use -<br>
> stats:<br>
> replay-window 0 replay 0 failed 0<br>
> root@wheezy-armel:~ 18:34:25<br>
> # ping -i 192.168.199.100 10.2.1.60<br>
> PING 10.2.1.60 (10.2.1.60) 56(84) bytes of data.<br>
> ^C<br>
> --- 10.2.1.60 ping statistics ---<br>
> 1 packets transmitted, 0 received, 100% packet loss, time 0ms<br>
><br>
> # ip -s xfrm state<br>
> src 10.39.63.211 dst 126.2.1.4<br>
> proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel<br>
> replay-window 0 seq 0x00000003 flag (0x00000000)<br>
> sel src 192.168.199.100/32 dst 10.2.1.60/32 proto udp sport 48645 dport 1025 uid 0<br>
> lifetime config:<br>
> limit: soft (INF)(bytes), hard (INF)(bytes)<br>
> limit: soft (INF)(packets), hard (INF)(packets)<br>
> expire add: soft 0(sec), hard 165(sec)<br>
> expire use: soft 0(sec), hard 0(sec)<br>
> lifetime current:<br>
> 0(bytes), 0(packets)<br>
> add 2018-03-12 18:34:35 use -<br>
> stats:<br>
> replay-window 0 replay 0 failed 0<br>
> src 10.39.63.211 dst 126.2.1.4<br>
> proto esp spi 0x3545bd6a(893762922) reqid 2(0x00000002) mode tunnel<br>
> replay-window 0 seq 0x00000000 flag af-unspec (0x00100000)<br>
> auth-trunc hmac(sha1) 0xaeb85f4b30fec0ccc1240cf9f6204a74e1785df5 (160 bits) 96<br>
> enc cbc(aes) 0xa0711780a30caaad143960ede951ef46 (128 bits)<br>
> encap type espinudp sport 4500 dport 4500 addr 0.0.0.0<br>
> lifetime config:<br>
> limit: soft (INF)(bytes), hard (INF)(bytes)<br>
> limit: soft (INF)(packets), hard (INF)(packets)<br>
> expire add: soft 3501(sec), hard 3960(sec)<br>
> expire use: soft 0(sec), hard 0(sec)<br>
> lifetime current:<br>
> 0(bytes), 0(packets)<br>
> add 2018-03-12 18:15:52 use -<br>
> stats:<br>
> replay-window 0 replay 0 failed 0<br>
> src 126.2.1.4 dst 10.39.63.211<br>
> proto esp spi 0xcc621d5e(3428982110) reqid 2(0x00000002) mode tunnel<br>
> replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)<br>
> auth-trunc hmac(sha1) 0xbe6d3dc8b3c032f0059ece1a0234cbd87858d25e (160 bits) 96<br>
> enc cbc(aes) 0x7d99b233194ab31328cec11ea2ce7aa1 (128 bits)<br>
> encap type espinudp sport 4500 dport 4500 addr 0.0.0.0<br>
> lifetime config:<br>
> limit: soft (INF)(bytes), hard (INF)(bytes)<br>
> limit: soft (INF)(packets), hard (INF)(packets)<br>
> expire add: soft 3596(sec), hard 3960(sec)<br>
> expire use: soft 0(sec), hard 0(sec)<br>
> lifetime current:<br>
> 0(bytes), 0(packets)<br>
> add 2018-03-12 18:15:52 use -<br>
> stats:<br>
> replay-window 0 replay 0 failed 0<br>
> root@wheezy-armel:~ 18:34:37<br>
> # ip -s xfrm policy<br>
> src 10.2.1.211/32 dst 10.2.1.0/24 uid 0<br>
> dir out action allow index 105 priority 371327 share any flag (0x00000000)<br>
> lifetime config:<br>
> limit: soft (INF)(bytes), hard (INF)(bytes)<br>
> limit: soft (INF)(packets), hard (INF)(packets)<br>
> expire add: soft 0(sec), hard 0(sec)<br>
> expire use: soft 0(sec), hard 0(sec)<br>
> lifetime current:<br>
> 0(bytes), 0(packets)<br>
> add 2018-03-12 18:15:52 use -<br>
> tmpl src 10.39.63.211 dst 126.2.1.4<br>
> proto esp spi 0x3545bd6a(893762922) reqid 2(0x00000002) mode tunnel<br>
> level required share any<br>
> enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff<br>
> src 10.2.1.0/24 dst 10.2.1.211/32 uid 0<br>
> dir fwd action allow index 98 priority 371327 share any flag (0x00000000)<br>
> lifetime config:<br>
> limit: soft (INF)(bytes), hard (INF)(bytes)<br>
> limit: soft (INF)(packets), hard (INF)(packets)<br>
> expire add: soft 0(sec), hard 0(sec)<br>
> expire use: soft 0(sec), hard 0(sec)<br>
> lifetime current:<br>
> 0(bytes), 0(packets)<br>
> add 2018-03-12 18:15:52 use -<br>
> tmpl src 126.2.1.4 dst 10.39.63.211<br>
> proto esp spi 0x00000000(0) reqid 2(0x00000002) mode tunnel<br>
> level required share any<br>
> enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff<br>
> src 10.2.1.0/24 dst 10.2.1.211/32 uid 0<br>
> dir in action allow index 88 priority 371327 share any flag (0x00000000)<br>
> lifetime config:<br>
> limit: soft (INF)(bytes), hard (INF)(bytes)<br>
> limit: soft (INF)(packets), hard (INF)(packets)<br>
> expire add: soft 0(sec), hard 0(sec)<br>
> expire use: soft 0(sec), hard 0(sec)<br>
> lifetime current:<br>
> 0(bytes), 0(packets)<br>
> add 2018-03-12 18:15:52 use -<br>
> tmpl src 126.2.1.4 dst 10.39.63.211<br>
> proto esp spi 0x00000000(0) reqid 2(0x00000002) mode tunnel<br>
> level required share any<br>
> enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff<br>
> src 192.168.199.0/24 dst 10.2.1.0/24 uid 0<br>
> dir out action allow index 81 priority 375424 share any flag (0x00000000)<br>
> lifetime config:<br>
> limit: soft (INF)(bytes), hard (INF)(bytes)<br>
> limit: soft (INF)(packets), hard (INF)(packets)<br>
> expire add: soft 0(sec), hard 0(sec)<br>
> expire use: soft 0(sec), hard 0(sec)<br>
> lifetime current:<br>
> 0(bytes), 0(packets)<br>
> add 2018-03-12 18:15:48 use -<br>
> tmpl src 10.39.63.211 dst 126.2.1.4<br>
> proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel<br>
> level required share any<br>
> enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff<br>
> src 10.2.1.0/24 dst 192.168.199.0/24 uid 0<br>
> dir fwd action allow index 74 priority 375424 share any flag (0x00000000)<br>
> lifetime config:<br>
> limit: soft (INF)(bytes), hard (INF)(bytes)<br>
> limit: soft (INF)(packets), hard (INF)(packets)<br>
> expire add: soft 0(sec), hard 0(sec)<br>
> expire use: soft 0(sec), hard 0(sec)<br>
> lifetime current:<br>
> 0(bytes), 0(packets)<br>
> add 2018-03-12 18:15:48 use -<br>
> tmpl src 126.2.1.4 dst 10.39.63.211<br>
> proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel<br>
> level required share any<br>
> enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff<br>
> src 10.2.1.0/24 dst 192.168.199.0/24 uid 0<br>
> dir in action allow index 64 priority 375424 share any flag (0x00000000)<br>
> lifetime config:<br>
> limit: soft (INF)(bytes), hard (INF)(bytes)<br>
> limit: soft (INF)(packets), hard (INF)(packets)<br>
> expire add: soft 0(sec), hard 0(sec)<br>
> expire use: soft 0(sec), hard 0(sec)<br>
> lifetime current:<br>
> 0(bytes), 0(packets)<br>
> add 2018-03-12 18:15:48 use -<br>
> tmpl src 126.2.1.4 dst 10.39.63.211<br>
> proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel<br>
> level required share any<br>
> enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff<br>
> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0<br>
> socket in action allow index 59 priority 0 share any flag (0x00000000)<br>
> lifetime config:<br>
> limit: soft 0(bytes), hard 0(bytes)<br>
> limit: soft 0(packets), hard 0(packets)<br>
> expire add: soft 0(sec), hard 0(sec)<br>
> expire use: soft 0(sec), hard 0(sec)<br>
> lifetime current:<br>
> 0(bytes), 0(packets)<br>
> add 2018-03-12 18:15:44 use 2018-03-12 18:34:33<br>
> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0<br>
> socket out action allow index 52 priority 0 share any flag (0x00000000)<br>
> lifetime config:<br>
> limit: soft 0(bytes), hard 0(bytes)<br>
> limit: soft 0(packets), hard 0(packets)<br>
> expire add: soft 0(sec), hard 0(sec)<br>
> expire use: soft 0(sec), hard 0(sec)<br>
> lifetime current:<br>
> 0(bytes), 0(packets)<br>
> add 2018-03-12 18:15:44 use 2018-03-12 18:34:28<br>
> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0<br>
> socket in action allow index 43 priority 0 share any flag (0x00000000)<br>
> lifetime config:<br>
> limit: soft 0(bytes), hard 0(bytes)<br>
> limit: soft 0(packets), hard 0(packets)<br>
> expire add: soft 0(sec), hard 0(sec)<br>
> expire use: soft 0(sec), hard 0(sec)<br>
> lifetime current:<br>
> 0(bytes), 0(packets)<br>
> add 2018-03-12 18:15:44 use 2018-03-12 18:34:39<br>
> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0<br>
> socket out action allow index 36 priority 0 share any flag (0x00000000)<br>
> lifetime config:<br>
> limit: soft 0(bytes), hard 0(bytes)<br>
> limit: soft 0(packets), hard 0(packets)<br>
> expire add: soft 0(sec), hard 0(sec)<br>
> expire use: soft 0(sec), hard 0(sec)<br>
> lifetime current:<br>
> 0(bytes), 0(packets)<br>
> add 2018-03-12 18:15:44 use 2018-03-12 18:34:39<br>
> src ::/0 dst ::/0 uid 0<br>
> socket in action allow index 27 priority 0 share any flag (0x00000000)<br>
> lifetime config:<br>
> limit: soft 0(bytes), hard 0(bytes)<br>
> limit: soft 0(packets), hard 0(packets)<br>
> expire add: soft 0(sec), hard 0(sec)<br>
> expire use: soft 0(sec), hard 0(sec)<br>
> lifetime current:<br>
> 0(bytes), 0(packets)<br>
> add 2018-03-12 18:15:44 use -<br>
> src ::/0 dst ::/0 uid 0<br>
> socket out action allow index 20 priority 0 share any flag (0x00000000)<br>
> lifetime config:<br>
> limit: soft 0(bytes), hard 0(bytes)<br>
> limit: soft 0(packets), hard 0(packets)<br>
> expire add: soft 0(sec), hard 0(sec)<br>
> expire use: soft 0(sec), hard 0(sec)<br>
> lifetime current:<br>
> 0(bytes), 0(packets)<br>
> add 2018-03-12 18:15:44 use -<br>
> src ::/0 dst ::/0 uid 0<br>
> socket in action allow index 11 priority 0 share any flag (0x00000000)<br>
> lifetime config:<br>
> limit: soft 0(bytes), hard 0(bytes)<br>
> limit: soft 0(packets), hard 0(packets)<br>
> expire add: soft 0(sec), hard 0(sec)<br>
> expire use: soft 0(sec), hard 0(sec)<br>
> lifetime current:<br>
> 0(bytes), 0(packets)<br>
> add 2018-03-12 18:15:44 use -<br>
> src ::/0 dst ::/0 uid 0<br>
> socket out action allow index 4 priority 0 share any flag (0x00000000)<br>
> lifetime config:<br>
> limit: soft 0(bytes), hard 0(bytes)<br>
> limit: soft 0(packets), hard 0(packets)<br>
> expire add: soft 0(sec), hard 0(sec)<br>
> expire use: soft 0(sec), hard 0(sec)<br>
> lifetime current:<br>
> 0(bytes), 0(packets)<br>
> add 2018-03-12 18:15:44 use -<br>
><br>
><br>
> Thanks<br>
><br>
> George<br>
</div>
</span></font></div>
</body>
</html>