<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000066" bgcolor="#FFFFFF">
This post is formatted as per <a moz-do-not-send="true"
href="https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests">here</a>.<br>
<br>
I'm using the bare minimum swanctl.conf and I've regenerated all my
keys and certs again. For the IPSec gateway, which is a virtual
machine in the LAN DNATted to by the LAN gateway, I've made its cert
with --san quantum-equities.com,cygnus.darkmatter.org, because the
LAN gateway is known outside as quantum-equities.com and the IPSec
gateway is known in the LAN as cygnus.darkmatter.org. My assumption
is it has to be resolvable in both worlds.<br>
<br>
I also tried to set --dn "C=US, O=Quantum,
CN=quantum-equities.com,cygnus.darkmatter.org" -- but strongswan pki
wasn't having it so I had to settle for just quantum-equities.com.<br>
<br>
For the phone's key and cert, when it is the initiator, I know of no
way it can prove it is mars.darkmatter.org, other than what the cert
says. It could be at any IP so I don't see how it can prove its
identity? The IPSec gateway resolves to quantum-equities.com so it
can prove its identity.<br>
<br>
Also I would like to set the phone and other remotes to 'initiate
only' but there doesn't seem to be a way in the Android app. And
for other remote machines there no longer seems to be that option.<br>
<br>
Log levels are as per instructions and charon.log is attached.<br>
<br>
strongswan.conf<br>
charon {<br>
load_modular = yes<br>
plugins {<br>
include strongswan.d/charon/*.conf<br>
}<br>
}<br>
<br>
include strongswan.d/*.conf<br>
<br>
<br>
swanctl.conf<br>
ikev2-pubkey {<br>
version = 2<br>
rekey_time = 0s<br>
local {<br>
cert = cygnus-Cert.pem<br>
id = cygnus.darkmatter.org<br>
}<br>
remote {<br>
# defaults are fine.<br>
}<br>
children {<br>
ikev2-pubkey {<br>
local_ts = 192.168.1.0/24<br>
mode = transport<br>
}<br>
}<br>
}<br>
<br>
<br>
charon.conf<br>
charon {<br>
<br>
# two defined file loggers<br>
filelog {<br>
/var/log/charon.log {<br>
time_format = %a, %Y-%m-%d %R<br>
ike_name = yes<br>
append = no<br>
default = 2<br>
flush_line = yes<br>
}<br>
stderr {<br>
mgr = 0<br>
net = 1<br>
enc = 1<br>
asn = 1<br>
job = 1<br>
knl = 1<br>
}<br>
}<br>
<br>
<br>
# swanctl -L<br>
# swanctl -l<br>
(no response, for some reason)<br>
<br>
# systemctl status strongswan-swanctl<br>
● strongswan-swanctl.service - strongSwan IPsec IKEv1/IKEv2 daemon
using swanctl<br>
Loaded: loaded
(/usr/lib/systemd/system/strongswan-swanctl.service; enabled; vendor
preset: disabled)<br>
Active: active (running) since Sun 2018-03-18 12:14:37 PDT; 3h
58min ago<br>
Process: 59439 ExecStartPost=/usr/sbin/swanctl --load-all
--noprompt (code=exited, status=0/SUCCESS)<br>
Main PID: 59419 (charon-systemd)<br>
Status: "charon-systemd running, strongSwan 5.5.3, Linux
4.13.0-1.el7.elrepo.x86_64, x86_64"<br>
CGroup: /system.slice/strongswan-swanctl.service<br>
└─59419 /usr/sbin/charon-systemd<br>
<br>
Mar 18 15:49:34 cygnus.darkmatter.org charon-systemd[59419]:
received packet: from 172.56.42.34[45687] to 192.168.1.16[500] (704
bytes)<br>
Mar 18 15:49:34 cygnus.darkmatter.org charon-systemd[59419]: 10[NET]
received packet: from 172.56.42.34[45687] to 192.168.1.16[500] (704
bytes)<br>
Mar 18 15:49:34 cygnus.darkmatter.org charon-systemd[59419]: parsed
IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]<br>
Mar 18 15:49:34 cygnus.darkmatter.org charon-systemd[59419]: 10[ENC]
parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]<br>
Mar 18 15:49:34 cygnus.darkmatter.org charon-systemd[59419]: 10[IKE]
no IKE config found for 192.168.1.16...172.56.42.34, sending
NO_PROPOSAL_CHOSEN<br>
Mar 18 15:49:34 cygnus.darkmatter.org charon-systemd[59419]: 10[ENC]
generating IKE_SA_INIT response 0 [ N(NO_PROP) ]<br>
Mar 18 15:49:34 cygnus.darkmatter.org charon-systemd[59419]: 10[NET]
sending packet: from 192.168.111.16[500] to 172.56.42.34[45687] (36
bytes)<br>
Mar 18 15:49:34 cygnus.darkmatter.org charon-systemd[59419]: no IKE
config found for 192.168.111.16...172.56.42.34, sending
NO_PROPOSAL_CHOSEN<br>
Mar 18 15:49:34 cygnus.darkmatter.org charon-systemd[59419]:
generating IKE_SA_INIT response 0 [ N(NO_PROP) ]<br>
Mar 18 15:49:34 cygnus.darkmatter.org charon-systemd[59419]: sending
packet: from 192.168.1.16[500] to 172.56.42.34[45687] (36 bytes)<br>
<br>
<br>
<br>
# iptables-save<br>
# Generated by iptables-save v1.4.21 on Sun Mar 18 16:16:59 2018<br>
*mangle<br>
:PREROUTING ACCEPT [67734:7451963]<br>
:INPUT ACCEPT [67734:7451963]<br>
:FORWARD ACCEPT [0:0]<br>
:OUTPUT ACCEPT [53017:5165171]<br>
:POSTROUTING ACCEPT [53017:5165171]<br>
:tcfor - [0:0]<br>
:tcin - [0:0]<br>
:tcout - [0:0]<br>
:tcpost - [0:0]<br>
:tcpre - [0:0]<br>
-A PREROUTING -j tcpre<br>
-A INPUT -j tcin<br>
-A FORWARD -j MARK --set-xmark 0x0/0xff<br>
-A FORWARD -j tcfor<br>
-A OUTPUT -j tcout<br>
-A POSTROUTING -j tcpost<br>
COMMIT<br>
# Completed on Sun Mar 18 16:16:59 2018<br>
# Generated by iptables-save v1.4.21 on Sun Mar 18 16:16:59 2018<br>
*nat<br>
:PREROUTING ACCEPT [8165:1316953]<br>
:INPUT ACCEPT [32:14356]<br>
:OUTPUT ACCEPT [9748:486535]<br>
:POSTROUTING ACCEPT [4:178]<br>
:eth0_masq - [0:0]<br>
-A POSTROUTING -o eth0 -j eth0_masq<br>
-A eth0_masq -s 192.168.111.0/24 -m policy --dir out --pol none -j
MASQUERADE<br>
COMMIT<br>
# Completed on Sun Mar 18 16:16:59 2018<br>
# Generated by iptables-save v1.4.21 on Sun Mar 18 16:16:59 2018<br>
*raw<br>
:PREROUTING ACCEPT [67734:7451963]<br>
:OUTPUT ACCEPT [53017:5165171]<br>
-A PREROUTING -p udp -m udp --dport 10080 -j CT --helper amanda<br>
-A PREROUTING -p tcp -m tcp --dport 21 -j CT --helper ftp<br>
-A PREROUTING -p udp -m udp --dport 1719 -j CT --helper RAS<br>
-A PREROUTING -p tcp -m tcp --dport 1720 -j CT --helper Q.931<br>
-A PREROUTING -p tcp -m tcp --dport 6667 -j CT --helper irc<br>
-A PREROUTING -p udp -m udp --dport 137 -j CT --helper netbios-ns<br>
-A PREROUTING -p tcp -m tcp --dport 1723 -j CT --helper pptp<br>
-A PREROUTING -p tcp -m tcp --dport 6566 -j CT --helper sane<br>
-A PREROUTING -p udp -m udp --dport 5060 -j CT --helper sip<br>
-A PREROUTING -p udp -m udp --dport 161 -j CT --helper snmp<br>
-A PREROUTING -p udp -m udp --dport 69 -j CT --helper tftp<br>
-A OUTPUT -p udp -m udp --dport 10080 -j CT --helper amanda<br>
-A OUTPUT -p tcp -m tcp --dport 21 -j CT --helper ftp<br>
-A OUTPUT -p udp -m udp --dport 1719 -j CT --helper RAS<br>
-A OUTPUT -p tcp -m tcp --dport 1720 -j CT --helper Q.931<br>
-A OUTPUT -p tcp -m tcp --dport 6667 -j CT --helper irc<br>
-A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns<br>
-A OUTPUT -p tcp -m tcp --dport 1723 -j CT --helper pptp<br>
-A OUTPUT -p tcp -m tcp --dport 6566 -j CT --helper sane<br>
-A OUTPUT -p udp -m udp --dport 5060 -j CT --helper sip<br>
-A OUTPUT -p udp -m udp --dport 161 -j CT --helper snmp<br>
-A OUTPUT -p udp -m udp --dport 69 -j CT --helper tftp<br>
COMMIT<br>
# Completed on Sun Mar 18 16:16:59 2018<br>
# Generated by iptables-save v1.4.21 on Sun Mar 18 16:16:59 2018<br>
*filter<br>
:INPUT DROP [0:0]<br>
:FORWARD DROP [0:0]<br>
:OUTPUT DROP [0:0]<br>
:Drop - [0:0]<br>
:Reject - [0:0]<br>
:^fw-net - [0:0]<br>
:^net-fw - [0:0]<br>
:dynamic - [0:0]<br>
:eth0_fwd - [0:0]<br>
:eth0_in - [0:0]<br>
:eth0_out - [0:0]<br>
:fw-net - [0:0]<br>
:fw-vpn - [0:0]<br>
:logdrop - [0:0]<br>
:logflags - [0:0]<br>
:logreject - [0:0]<br>
:net-fw - [0:0]<br>
:net-vpn - [0:0]<br>
:net_frwd - [0:0]<br>
:reject - [0:0]<br>
:sha-lh-0000b76ab76dee8fd100 - [0:0]<br>
:sha-rh-c015b4228a3ba078c43d - [0:0]<br>
:shorewall - [0:0]<br>
:tcpflags - [0:0]<br>
:vpn-fw - [0:0]<br>
:vpn-net - [0:0]<br>
:vpn_frwd - [0:0]<br>
:~log0 - [0:0]<br>
-A INPUT -i eth0 -j eth0_in<br>
-A INPUT -i lo -j ACCEPT<br>
-A INPUT -j Reject<br>
-A INPUT -j LOG --log-prefix "Shorewall:INPUT:REJECT:" --log-level 6
--log-uid<br>
-A INPUT -g reject<br>
-A FORWARD -i eth0 -j eth0_fwd<br>
-A FORWARD -j Reject<br>
-A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:REJECT:"
--log-level 6 --log-uid<br>
-A FORWARD -g reject<br>
-A OUTPUT -o eth0 -j eth0_out<br>
-A OUTPUT -o lo -j ACCEPT<br>
-A OUTPUT -j Reject<br>
-A OUTPUT -j LOG --log-prefix "Shorewall:OUTPUT:REJECT:" --log-level
6 --log-uid<br>
-A OUTPUT -g reject<br>
-A Drop<br>
-A Drop -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed
ICMP types" -j ACCEPT<br>
-A Drop -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed
ICMP types" -j ACCEPT<br>
-A Drop -m addrtype --dst-type BROADCAST -j DROP<br>
-A Drop -m addrtype --dst-type ANYCAST -j DROP<br>
-A Drop -m addrtype --dst-type MULTICAST -j DROP<br>
-A Drop -m conntrack --ctstate INVALID -j DROP<br>
-A Drop -p udp -m multiport --dports 135,445 -m comment --comment
SMB -j DROP<br>
-A Drop -p udp -m udp --dport 137:139 -m comment --comment SMB -j
DROP<br>
-A Drop -p udp -m udp --sport 137 --dport 1024:65535 -m comment
--comment SMB -j DROP<br>
-A Drop -p tcp -m multiport --dports 135,139,445 -m comment
--comment SMB -j DROP<br>
-A Drop -p udp -m udp --dport 1900 -m comment --comment UPnP -j DROP<br>
-A Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP<br>
-A Drop -p udp -m udp --sport 53 -m comment --comment "Late DNS
Replies" -j DROP<br>
-A Reject<br>
-A Reject -p icmp -m icmp --icmp-type 3/4 -m comment --comment
"Needed ICMP types" -j ACCEPT<br>
-A Reject -p icmp -m icmp --icmp-type 11 -m comment --comment
"Needed ICMP types" -j ACCEPT<br>
-A Reject -m addrtype --dst-type BROADCAST -j DROP<br>
-A Reject -m addrtype --dst-type ANYCAST -j DROP<br>
-A Reject -m addrtype --dst-type MULTICAST -j DROP<br>
-A Reject -m conntrack --ctstate INVALID -j DROP<br>
-A Reject -p udp -m multiport --dports 135,445 -m comment --comment
SMB -g reject<br>
-A Reject -p udp -m udp --dport 137:139 -m comment --comment SMB -g
reject<br>
-A Reject -p udp -m udp --sport 137 --dport 1024:65535 -m comment
--comment SMB -g reject<br>
-A Reject -p tcp -m multiport --dports 135,139,445 -m comment
--comment SMB -g reject<br>
-A Reject -p udp -m udp --dport 1900 -m comment --comment UPnP -j
DROP<br>
-A Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP<br>
-A Reject -p udp -m udp --sport 53 -m comment --comment "Late DNS
Replies" -j DROP<br>
-A ^fw-net -p tcp -m multiport --dports 25,110,843,8080 -m conntrack
--ctstate ESTABLISHED -j DROP<br>
-A ^fw-net -j ACCEPT<br>
-A ^net-fw -p tcp -m multiport --sports 25,110,843,8080 -m conntrack
--ctstate ESTABLISHED -j DROP<br>
-A ^net-fw -j ACCEPT<br>
-A eth0_fwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic<br>
-A eth0_fwd -p tcp -m policy --dir in --pol none -j tcpflags<br>
-A eth0_fwd -m policy --dir in --pol ipsec --mode transport -g
vpn_frwd<br>
-A eth0_fwd -m policy --dir in --pol none -j net_frwd<br>
-A eth0_in -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic<br>
-A eth0_in -p udp -m udp --dport 67:68 -j ACCEPT<br>
-A eth0_in -p tcp -m policy --dir in --pol none -j tcpflags<br>
-A eth0_in -m policy --dir in --pol none -j net-fw<br>
-A eth0_in -m policy --dir in --pol ipsec --mode transport -j vpn-fw<br>
-A eth0_out -p udp -m udp --dport 67:68 -j ACCEPT<br>
-A eth0_out -m policy --dir out --pol none -j fw-net<br>
-A eth0_out -m policy --dir out --pol ipsec --mode transport -j
fw-vpn<br>
-A fw-net -m conntrack --ctstate ESTABLISHED -j ^fw-net<br>
-A fw-net -m conntrack --ctstate RELATED -j ACCEPT<br>
-A fw-net -d 192.168.1.16/32 -p esp -j ACCEPT<br>
-A fw-net -d 192.168.1.16/32 -p udp -m udp --dport 500 -m conntrack
--ctstate NEW,UNTRACKED -j ACCEPT<br>
-A fw-net -p tcp -m multiport --dports 25,110,843,8080 -g ~log0<br>
-A fw-net -p tcp -m multiport --dports 21,990,9418,11371,80,443 -j
ACCEPT<br>
-A fw-net -d 192.168.1.10/32 -p udp -m multiport --dports 53,123 -j
ACCEPT<br>
-A fw-net -d 192.168.1.41/32 -p tcp -m tcp --dport 3480 -j ACCEPT<br>
-A fw-net -p tcp -m multiport --dports 2222,22 -j ACCEPT<br>
-A fw-net -p icmp -m icmp --icmp-type 8 -j ACCEPT<br>
-A fw-net -j Reject<br>
-A fw-net -j LOG --log-prefix "Shorewall:fw-net:REJECT:" --log-level
6 --log-uid<br>
-A fw-net -g reject<br>
-A fw-vpn -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br>
-A fw-vpn -d 192.168.1.16/32 -p udp -m udp --dport 500 -m conntrack
--ctstate NEW,UNTRACKED -j ACCEPT<br>
-A fw-vpn -p icmp -m icmp --icmp-type 8 -j ACCEPT<br>
-A fw-vpn -j Reject<br>
-A fw-vpn -j LOG --log-prefix "Shorewall:fw-vpn:REJECT:" --log-level
6 --log-uid<br>
-A fw-vpn -g reject<br>
-A logdrop -j DROP<br>
-A logflags -j LOG --log-prefix "Shorewall:logflags:DROP:"
--log-level 6 --log-ip-options<br>
-A logflags -j DROP<br>
-A logreject -j reject<br>
-A net-fw -m conntrack --ctstate ESTABLISHED -j ^net-fw<br>
-A net-fw -m conntrack --ctstate RELATED -j ACCEPT<br>
-A net-fw -s 192.168.1.16/32 -p esp -j ACCEPT<br>
-A net-fw -s 192.168.1.16/32 -p udp -m udp --dport 500 -m conntrack
--ctstate NEW,UNTRACKED -j ACCEPT<br>
-A net-fw -p tcp -m conntrack --ctstate INVALID -j DROP<br>
-A net-fw -p udp -m conntrack --ctstate INVALID -j DROP<br>
-A net-fw -p udp -m multiport --dports 500,4500 -j ACCEPT<br>
-A net-fw -s 192.168.1.2/32 -p tcp -m tcp --dport 8123 -j ACCEPT<br>
-A net-fw -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT<br>
-A net-fw -p udp -m multiport --dports 500,4500,50500,54500 -j
ACCEPT<br>
-A net-fw -s 192.168.1.4/32 -p tcp -m tcp --dport 8734 -j ACCEPT<br>
-A net-fw -s 192.168.1.4/32 -p icmp -m icmp --icmp-type 8 -j ACCEPT<br>
-A net-fw -j Drop<br>
-A net-fw -j LOG --log-prefix "Shorewall:net-fw:DROP:" --log-level 6
--log-uid<br>
-A net-fw -j DROP<br>
-A net-vpn -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br>
-A net-vpn -p tcp -m conntrack --ctstate INVALID -j DROP<br>
-A net-vpn -p udp -m conntrack --ctstate INVALID -j DROP<br>
-A net-vpn -j Drop<br>
-A net-vpn -j LOG --log-prefix "Shorewall:net-vpn:DROP:" --log-level
6 --log-uid<br>
-A net-vpn -j DROP<br>
-A net_frwd -o eth0 -m policy --dir out --pol ipsec --mode transport
-j net-vpn<br>
-A reject -m addrtype --src-type BROADCAST -j DROP<br>
-A reject -s 224.0.0.0/4 -j DROP<br>
-A reject -p igmp -j DROP<br>
-A reject -p tcp -j REJECT --reject-with tcp-reset<br>
-A reject -p udp -j REJECT --reject-with icmp-port-unreachable<br>
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable<br>
-A reject -j REJECT --reject-with icmp-host-prohibited<br>
-A shorewall -m recent --set --name %CURRENTTIME --mask
255.255.255.255 --rsource<br>
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG
FIN,PSH,URG -g logflags<br>
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE
-g logflags<br>
-A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g logflags<br>
-A tcpflags -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -g logflags<br>
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g logflags<br>
-A tcpflags -p tcp -m tcp --tcp-flags FIN,PSH,ACK FIN,PSH -g
logflags<br>
-A tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN
-g logflags<br>
-A vpn-fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br>
-A vpn-fw -s 192.168.1.16/32 -p udp -m udp --dport 500 -m conntrack
--ctstate NEW,UNTRACKED -j ACCEPT<br>
-A vpn-fw -p icmp -m icmp --icmp-type 8 -j ACCEPT<br>
-A vpn-fw -j Drop<br>
-A vpn-fw -j LOG --log-prefix "Shorewall:vpn-fw:DROP:" --log-level 6
--log-uid<br>
-A vpn-fw -j DROP<br>
-A vpn-net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br>
-A vpn-net -j Drop<br>
-A vpn-net -j LOG --log-prefix "Shorewall:vpn-net:DROP:" --log-level
6 --log-uid<br>
-A vpn-net -j DROP<br>
-A vpn_frwd -o eth0 -m policy --dir out --pol none -j vpn-net<br>
-A ~log0 -j LOG --log-prefix "Shorewall:fw-net:ACCEPT:" --log-level
6 --log-uid<br>
-A ~log0 -j ACCEPT<br>
COMMIT<br>
# Completed on Sun Mar 18 16:16:59 2018<br>
<br>
<br>
# ip route show table all<br>
default via 192.168.1.1 dev eth0 <br>
169.254.0.0/16 dev eth0 scope link metric 1002 <br>
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.16 <br>
broadcast 127.0.0.0 dev lo table local proto kernel scope link src
127.0.0.1 <br>
local 127.0.0.0/8 dev lo table local proto kernel scope host src
127.0.0.1 <br>
local 127.0.0.1 dev lo table local proto kernel scope host src
127.0.0.1 <br>
broadcast 127.255.255.255 dev lo table local proto kernel scope link
src 127.0.0.1 <br>
broadcast 192.168.1.0 dev eth0 table local proto kernel scope link
src 192.168.1.16 <br>
local 192.168.1.16 dev eth0 table local proto kernel scope host src
192.168.1.16 <br>
broadcast 192.168.1.255 dev eth0 table local proto kernel scope link
src 192.168.1.16 <br>
unreachable ::/96 dev lo metric 1024 error -113 <br>
unreachable ::ffff:0.0.0.0/96 dev lo metric 1024 error -113 <br>
unreachable 2002:a00::/24 dev lo metric 1024 error -113 <br>
unreachable 2002:7f00::/24 dev lo metric 1024 error -113 <br>
unreachable 2002:a9fe::/32 dev lo metric 1024 error -113 <br>
unreachable 2002:ac10::/28 dev lo metric 1024 error -113 <br>
unreachable 2002:c0a8::/32 dev lo metric 1024 error -113 <br>
unreachable 2002:e000::/19 dev lo metric 1024 error -113 <br>
unreachable 3ffe:ffff::/32 dev lo metric 1024 error -113 <br>
fe80::/64 dev eth0 proto kernel metric 256 <br>
fe80::/64 dev ipsec0 proto kernel metric 256 <br>
local ::1 dev lo table local proto kernel metric 0 <br>
local fe80::22e9:6b12:6b8e:b558 dev lo table local proto kernel
metric 0 <br>
local fe80::5054:ff:fec0:9330 dev lo table local proto kernel metric
0 <br>
ff00::/8 dev eth0 table local metric 256 <br>
ff00::/8 dev ipsec0 table local metric 256<br>
<br>
<br>
# ip address<br>
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state
UNKNOWN qlen 1000<br>
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br>
inet 127.0.0.1/8 scope host lo<br>
valid_lft forever preferred_lft forever<br>
inet6 ::1/128 scope host <br>
valid_lft forever preferred_lft forever<br>
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
pfifo_fast state UP qlen 1000<br>
link/ether 52:54:00:c0:23:30 brd ff:ff:ff:ff:ff:ff<br>
inet 192.168.1.16/24 brd 192.168.1.255 scope global eth0<br>
valid_lft forever preferred_lft forever<br>
inet6 fe80::5054:ff:fec0:9330/64 scope link <br>
valid_lft forever preferred_lft forever<br>
24: ipsec0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400
qdisc pfifo_fast state UNKNOWN qlen 500<br>
link/none <br>
inet6 fe80::22e9:6b12:6b8e:b558/64 scope link flags 800 <br>
valid_lft forever preferred_lft forever<br>
<br>
<br>
<br>
</body>
</html>