<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000066" bgcolor="#FFFFFF">
<p>"<i>no IKE config found for 192.168.1.16...172.56.42.194, sending
NO_PROPOSAL_CHOSEN</i>"<br>
</p>
<p>This is a difficult error, because no clue to the reason is given
no matter the loglevel. And it is starting to become a scary one
for me as it seems so easy to get with swanctl. I have the
simplest possible configuration on the responder and the
prescribed setup of the Android app, and no dice. <br>
</p>
<p>And I am virtually alone in trying to use swanctl as there is
only one howto by a user out there (in the Indian Ocean,
ostensibly), and it is a very simple one using PSK, whereas there
are many user howtos for ipsec.conf.</p>
<p>Noel has a difficult and unrewarding task to put up with us and I
for one am grateful for his many efforts. But is there only one
Noel? Does noone else know the newer workings of Strongswan? Why
must he do all the heavy lifting?<br>
</p>
<br>
<br>
<div class="moz-cite-prefix">On 03/18/2018 05:08 PM, Info wrote:<br>
</div>
<blockquote type="cite"
cite="mid:2283f989-eb08-245a-a213-c87558eedcd8@quantum-equities.com">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<p>On the phone in the Android app:</p>
<p>Server: quantum-equities.com</p>
<p>VPN Type: IKE2 certificate</p>
<p>User certificate: mars2</p>
<p>User ID: default (CN=mars.darkmatter.org,O=Quantum,C=US)<br>
</p>
<p>CA Cert: Select automatically</p>
<p>Profile name: cygnus<br>
</p>
<p>Advanced|Server ID: quantum-equities.com</p>
<p>Block IPV6 traffic not destined for the VPN.</p>
<p>The CA cert is in CA Certs under Imported.</p>
<p>The phone's key and cert are in the VPN definition, and current
IP is 192.0.0.4 -- Idk why it's showing connecting from
172.56.42.34, that must be TMobile jazz. It also has an IPV6 IP
but I have IPV6 turned off in the LAN with sysctl.</p>
<p>In the IPSec gateway I don't have anything in the Shorewall
firewall set for device ipsec0; I've read that the kernel is
definitely no longer supposed to generate that... but I always
have it when the daemon is running. Doesn't make sense.<br>
</p>
<p><br>
</p>
<br>
<div class="moz-cite-prefix">On 03/18/2018 04:52 PM, Info wrote:<br>
</div>
<blockquote type="cite"
cite="mid:c9168d04-466b-6b0f-25f9-90c95dc91746@quantum-equities.com">
<meta http-equiv="Content-Type" content="text/html;
charset=utf-8">
This post is formatted as per <a moz-do-not-send="true"
href="https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests">here</a>.<br>
<br>
I'm using the bare minimum swanctl.conf and I've regenerated all
my keys and certs again. For the IPSec gateway, which is a
virtual machine in the LAN DNATted to by the LAN gateway, I've
made its cert with --san
quantum-equities.com,cygnus.darkmatter.org, because the LAN
gateway is known outside as quantum-equities.com and the IPSec
gateway is known in the LAN as cygnus.darkmatter.org. My
assumption is it has to be resolvable in both worlds.<br>
<br>
I also tried to set --dn "C=US, O=Quantum,
CN=quantum-equities.com,cygnus.darkmatter.org" -- but strongswan
pki wasn't having it so I had to settle for just
quantum-equities.com.<br>
<br>
For the phone's key and cert, when it is the initiator, I know
of no way it can prove it is mars.darkmatter.org, other than
what the cert says. It could be at any IP so I don't see how it
can prove its identity? The IPSec gateway resolves to
quantum-equities.com so it can prove its identity.<br>
<br>
Also I would like to set the phone and other remotes to
'initiate only' but there doesn't seem to be a way in the
Android app. And for other remote machines there no longer
seems to be that option.<br>
<br>
Log levels are as per instructions and charon.log is attached.<br>
<br>
strongswan.conf<br>
charon {<br>
load_modular = yes<br>
plugins {<br>
include strongswan.d/charon/*.conf<br>
}<br>
}<br>
<br>
include strongswan.d/*.conf<br>
<br>
<br>
swanctl.conf<br>
ikev2-pubkey {<br>
version = 2<br>
rekey_time = 0s<br>
local {<br>
cert = cygnus-Cert.pem<br>
id = cygnus.darkmatter.org<br>
}<br>
remote {<br>
# defaults are fine.<br>
}<br>
children {<br>
ikev2-pubkey {<br>
local_ts = 192.168.1.0/24<br>
mode = transport<br>
}<br>
}<br>
}<br>
<br>
<br>
charon.conf<br>
charon {<br>
<br>
# two defined file loggers<br>
filelog {<br>
/var/log/charon.log {<br>
time_format = %a, %Y-%m-%d %R<br>
ike_name = yes<br>
append = no<br>
default = 2<br>
flush_line = yes<br>
}<br>
stderr {<br>
mgr = 0<br>
net = 1<br>
enc = 1<br>
asn = 1<br>
job = 1<br>
knl = 1<br>
}<br>
}<br>
<br>
<br>
# swanctl -L<br>
# swanctl -l<br>
(no response, for some reason)<br>
<br>
# systemctl status strongswan-swanctl<br>
● strongswan-swanctl.service - strongSwan IPsec IKEv1/IKEv2
daemon using swanctl<br>
Loaded: loaded
(/usr/lib/systemd/system/strongswan-swanctl.service; enabled;
vendor preset: disabled)<br>
Active: active (running) since Sun 2018-03-18 12:14:37 PDT;
3h 58min ago<br>
Process: 59439 ExecStartPost=/usr/sbin/swanctl --load-all
--noprompt (code=exited, status=0/SUCCESS)<br>
Main PID: 59419 (charon-systemd)<br>
Status: "charon-systemd running, strongSwan 5.5.3, Linux
4.13.0-1.el7.elrepo.x86_64, x86_64"<br>
CGroup: /system.slice/strongswan-swanctl.service<br>
└─59419 /usr/sbin/charon-systemd<br>
<br>
Mar 18 15:49:34 cygnus.darkmatter.org charon-systemd[59419]:
received packet: from 172.56.42.34[45687] to 192.168.1.16[500]
(704 bytes)<br>
Mar 18 15:49:34 cygnus.darkmatter.org charon-systemd[59419]:
10[NET] received packet: from 172.56.42.34[45687] to
192.168.1.16[500] (704 bytes)<br>
Mar 18 15:49:34 cygnus.darkmatter.org charon-systemd[59419]:
parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]<br>
Mar 18 15:49:34 cygnus.darkmatter.org charon-systemd[59419]:
10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]<br>
Mar 18 15:49:34 cygnus.darkmatter.org charon-systemd[59419]:
10[IKE] no IKE config found for 192.168.1.16...172.56.42.34,
sending NO_PROPOSAL_CHOSEN<br>
Mar 18 15:49:34 cygnus.darkmatter.org charon-systemd[59419]:
10[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]<br>
Mar 18 15:49:34 cygnus.darkmatter.org charon-systemd[59419]:
10[NET] sending packet: from 192.168.111.16[500] to
172.56.42.34[45687] (36 bytes)<br>
Mar 18 15:49:34 cygnus.darkmatter.org charon-systemd[59419]: no
IKE config found for 192.168.111.16...172.56.42.34, sending
NO_PROPOSAL_CHOSEN<br>
Mar 18 15:49:34 cygnus.darkmatter.org charon-systemd[59419]:
generating IKE_SA_INIT response 0 [ N(NO_PROP) ]<br>
Mar 18 15:49:34 cygnus.darkmatter.org charon-systemd[59419]:
sending packet: from 192.168.1.16[500] to 172.56.42.34[45687]
(36 bytes)<br>
<br>
<br>
<br>
# iptables-save<br>
# Generated by iptables-save v1.4.21 on Sun Mar 18 16:16:59 2018<br>
*mangle<br>
:PREROUTING ACCEPT [67734:7451963]<br>
:INPUT ACCEPT [67734:7451963]<br>
:FORWARD ACCEPT [0:0]<br>
:OUTPUT ACCEPT [53017:5165171]<br>
:POSTROUTING ACCEPT [53017:5165171]<br>
:tcfor - [0:0]<br>
:tcin - [0:0]<br>
:tcout - [0:0]<br>
:tcpost - [0:0]<br>
:tcpre - [0:0]<br>
-A PREROUTING -j tcpre<br>
-A INPUT -j tcin<br>
-A FORWARD -j MARK --set-xmark 0x0/0xff<br>
-A FORWARD -j tcfor<br>
-A OUTPUT -j tcout<br>
-A POSTROUTING -j tcpost<br>
COMMIT<br>
# Completed on Sun Mar 18 16:16:59 2018<br>
# Generated by iptables-save v1.4.21 on Sun Mar 18 16:16:59 2018<br>
*nat<br>
:PREROUTING ACCEPT [8165:1316953]<br>
:INPUT ACCEPT [32:14356]<br>
:OUTPUT ACCEPT [9748:486535]<br>
:POSTROUTING ACCEPT [4:178]<br>
:eth0_masq - [0:0]<br>
-A POSTROUTING -o eth0 -j eth0_masq<br>
-A eth0_masq -s 192.168.111.0/24 -m policy --dir out --pol none
-j MASQUERADE<br>
COMMIT<br>
# Completed on Sun Mar 18 16:16:59 2018<br>
# Generated by iptables-save v1.4.21 on Sun Mar 18 16:16:59 2018<br>
*raw<br>
:PREROUTING ACCEPT [67734:7451963]<br>
:OUTPUT ACCEPT [53017:5165171]<br>
-A PREROUTING -p udp -m udp --dport 10080 -j CT --helper amanda<br>
-A PREROUTING -p tcp -m tcp --dport 21 -j CT --helper ftp<br>
-A PREROUTING -p udp -m udp --dport 1719 -j CT --helper RAS<br>
-A PREROUTING -p tcp -m tcp --dport 1720 -j CT --helper Q.931<br>
-A PREROUTING -p tcp -m tcp --dport 6667 -j CT --helper irc<br>
-A PREROUTING -p udp -m udp --dport 137 -j CT --helper
netbios-ns<br>
-A PREROUTING -p tcp -m tcp --dport 1723 -j CT --helper pptp<br>
-A PREROUTING -p tcp -m tcp --dport 6566 -j CT --helper sane<br>
-A PREROUTING -p udp -m udp --dport 5060 -j CT --helper sip<br>
-A PREROUTING -p udp -m udp --dport 161 -j CT --helper snmp<br>
-A PREROUTING -p udp -m udp --dport 69 -j CT --helper tftp<br>
-A OUTPUT -p udp -m udp --dport 10080 -j CT --helper amanda<br>
-A OUTPUT -p tcp -m tcp --dport 21 -j CT --helper ftp<br>
-A OUTPUT -p udp -m udp --dport 1719 -j CT --helper RAS<br>
-A OUTPUT -p tcp -m tcp --dport 1720 -j CT --helper Q.931<br>
-A OUTPUT -p tcp -m tcp --dport 6667 -j CT --helper irc<br>
-A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns<br>
-A OUTPUT -p tcp -m tcp --dport 1723 -j CT --helper pptp<br>
-A OUTPUT -p tcp -m tcp --dport 6566 -j CT --helper sane<br>
-A OUTPUT -p udp -m udp --dport 5060 -j CT --helper sip<br>
-A OUTPUT -p udp -m udp --dport 161 -j CT --helper snmp<br>
-A OUTPUT -p udp -m udp --dport 69 -j CT --helper tftp<br>
COMMIT<br>
# Completed on Sun Mar 18 16:16:59 2018<br>
# Generated by iptables-save v1.4.21 on Sun Mar 18 16:16:59 2018<br>
*filter<br>
:INPUT DROP [0:0]<br>
:FORWARD DROP [0:0]<br>
:OUTPUT DROP [0:0]<br>
:Drop - [0:0]<br>
:Reject - [0:0]<br>
:^fw-net - [0:0]<br>
:^net-fw - [0:0]<br>
:dynamic - [0:0]<br>
:eth0_fwd - [0:0]<br>
:eth0_in - [0:0]<br>
:eth0_out - [0:0]<br>
:fw-net - [0:0]<br>
:fw-vpn - [0:0]<br>
:logdrop - [0:0]<br>
:logflags - [0:0]<br>
:logreject - [0:0]<br>
:net-fw - [0:0]<br>
:net-vpn - [0:0]<br>
:net_frwd - [0:0]<br>
:reject - [0:0]<br>
:sha-lh-0000b76ab76dee8fd100 - [0:0]<br>
:sha-rh-c015b4228a3ba078c43d - [0:0]<br>
:shorewall - [0:0]<br>
:tcpflags - [0:0]<br>
:vpn-fw - [0:0]<br>
:vpn-net - [0:0]<br>
:vpn_frwd - [0:0]<br>
:~log0 - [0:0]<br>
-A INPUT -i eth0 -j eth0_in<br>
-A INPUT -i lo -j ACCEPT<br>
-A INPUT -j Reject<br>
-A INPUT -j LOG --log-prefix "Shorewall:INPUT:REJECT:"
--log-level 6 --log-uid<br>
-A INPUT -g reject<br>
-A FORWARD -i eth0 -j eth0_fwd<br>
-A FORWARD -j Reject<br>
-A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:REJECT:"
--log-level 6 --log-uid<br>
-A FORWARD -g reject<br>
-A OUTPUT -o eth0 -j eth0_out<br>
-A OUTPUT -o lo -j ACCEPT<br>
-A OUTPUT -j Reject<br>
-A OUTPUT -j LOG --log-prefix "Shorewall:OUTPUT:REJECT:"
--log-level 6 --log-uid<br>
-A OUTPUT -g reject<br>
-A Drop<br>
-A Drop -p icmp -m icmp --icmp-type 3/4 -m comment --comment
"Needed ICMP types" -j ACCEPT<br>
-A Drop -p icmp -m icmp --icmp-type 11 -m comment --comment
"Needed ICMP types" -j ACCEPT<br>
-A Drop -m addrtype --dst-type BROADCAST -j DROP<br>
-A Drop -m addrtype --dst-type ANYCAST -j DROP<br>
-A Drop -m addrtype --dst-type MULTICAST -j DROP<br>
-A Drop -m conntrack --ctstate INVALID -j DROP<br>
-A Drop -p udp -m multiport --dports 135,445 -m comment
--comment SMB -j DROP<br>
-A Drop -p udp -m udp --dport 137:139 -m comment --comment SMB
-j DROP<br>
-A Drop -p udp -m udp --sport 137 --dport 1024:65535 -m comment
--comment SMB -j DROP<br>
-A Drop -p tcp -m multiport --dports 135,139,445 -m comment
--comment SMB -j DROP<br>
-A Drop -p udp -m udp --dport 1900 -m comment --comment UPnP -j
DROP<br>
-A Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP<br>
-A Drop -p udp -m udp --sport 53 -m comment --comment "Late DNS
Replies" -j DROP<br>
-A Reject<br>
-A Reject -p icmp -m icmp --icmp-type 3/4 -m comment --comment
"Needed ICMP types" -j ACCEPT<br>
-A Reject -p icmp -m icmp --icmp-type 11 -m comment --comment
"Needed ICMP types" -j ACCEPT<br>
-A Reject -m addrtype --dst-type BROADCAST -j DROP<br>
-A Reject -m addrtype --dst-type ANYCAST -j DROP<br>
-A Reject -m addrtype --dst-type MULTICAST -j DROP<br>
-A Reject -m conntrack --ctstate INVALID -j DROP<br>
-A Reject -p udp -m multiport --dports 135,445 -m comment
--comment SMB -g reject<br>
-A Reject -p udp -m udp --dport 137:139 -m comment --comment SMB
-g reject<br>
-A Reject -p udp -m udp --sport 137 --dport 1024:65535 -m
comment --comment SMB -g reject<br>
-A Reject -p tcp -m multiport --dports 135,139,445 -m comment
--comment SMB -g reject<br>
-A Reject -p udp -m udp --dport 1900 -m comment --comment UPnP
-j DROP<br>
-A Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j
DROP<br>
-A Reject -p udp -m udp --sport 53 -m comment --comment "Late
DNS Replies" -j DROP<br>
-A ^fw-net -p tcp -m multiport --dports 25,110,843,8080 -m
conntrack --ctstate ESTABLISHED -j DROP<br>
-A ^fw-net -j ACCEPT<br>
-A ^net-fw -p tcp -m multiport --sports 25,110,843,8080 -m
conntrack --ctstate ESTABLISHED -j DROP<br>
-A ^net-fw -j ACCEPT<br>
-A eth0_fwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j
dynamic<br>
-A eth0_fwd -p tcp -m policy --dir in --pol none -j tcpflags<br>
-A eth0_fwd -m policy --dir in --pol ipsec --mode transport -g
vpn_frwd<br>
-A eth0_fwd -m policy --dir in --pol none -j net_frwd<br>
-A eth0_in -m conntrack --ctstate INVALID,NEW,UNTRACKED -j
dynamic<br>
-A eth0_in -p udp -m udp --dport 67:68 -j ACCEPT<br>
-A eth0_in -p tcp -m policy --dir in --pol none -j tcpflags<br>
-A eth0_in -m policy --dir in --pol none -j net-fw<br>
-A eth0_in -m policy --dir in --pol ipsec --mode transport -j
vpn-fw<br>
-A eth0_out -p udp -m udp --dport 67:68 -j ACCEPT<br>
-A eth0_out -m policy --dir out --pol none -j fw-net<br>
-A eth0_out -m policy --dir out --pol ipsec --mode transport -j
fw-vpn<br>
-A fw-net -m conntrack --ctstate ESTABLISHED -j ^fw-net<br>
-A fw-net -m conntrack --ctstate RELATED -j ACCEPT<br>
-A fw-net -d 192.168.1.16/32 -p esp -j ACCEPT<br>
-A fw-net -d 192.168.1.16/32 -p udp -m udp --dport 500 -m
conntrack --ctstate NEW,UNTRACKED -j ACCEPT<br>
-A fw-net -p tcp -m multiport --dports 25,110,843,8080 -g ~log0<br>
-A fw-net -p tcp -m multiport --dports 21,990,9418,11371,80,443
-j ACCEPT<br>
-A fw-net -d 192.168.1.10/32 -p udp -m multiport --dports 53,123
-j ACCEPT<br>
-A fw-net -d 192.168.1.41/32 -p tcp -m tcp --dport 3480 -j
ACCEPT<br>
-A fw-net -p tcp -m multiport --dports 2222,22 -j ACCEPT<br>
-A fw-net -p icmp -m icmp --icmp-type 8 -j ACCEPT<br>
-A fw-net -j Reject<br>
-A fw-net -j LOG --log-prefix "Shorewall:fw-net:REJECT:"
--log-level 6 --log-uid<br>
-A fw-net -g reject<br>
-A fw-vpn -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br>
-A fw-vpn -d 192.168.1.16/32 -p udp -m udp --dport 500 -m
conntrack --ctstate NEW,UNTRACKED -j ACCEPT<br>
-A fw-vpn -p icmp -m icmp --icmp-type 8 -j ACCEPT<br>
-A fw-vpn -j Reject<br>
-A fw-vpn -j LOG --log-prefix "Shorewall:fw-vpn:REJECT:"
--log-level 6 --log-uid<br>
-A fw-vpn -g reject<br>
-A logdrop -j DROP<br>
-A logflags -j LOG --log-prefix "Shorewall:logflags:DROP:"
--log-level 6 --log-ip-options<br>
-A logflags -j DROP<br>
-A logreject -j reject<br>
-A net-fw -m conntrack --ctstate ESTABLISHED -j ^net-fw<br>
-A net-fw -m conntrack --ctstate RELATED -j ACCEPT<br>
-A net-fw -s 192.168.1.16/32 -p esp -j ACCEPT<br>
-A net-fw -s 192.168.1.16/32 -p udp -m udp --dport 500 -m
conntrack --ctstate NEW,UNTRACKED -j ACCEPT<br>
-A net-fw -p tcp -m conntrack --ctstate INVALID -j DROP<br>
-A net-fw -p udp -m conntrack --ctstate INVALID -j DROP<br>
-A net-fw -p udp -m multiport --dports 500,4500 -j ACCEPT<br>
-A net-fw -s 192.168.1.2/32 -p tcp -m tcp --dport 8123 -j ACCEPT<br>
-A net-fw -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT<br>
-A net-fw -p udp -m multiport --dports 500,4500,50500,54500 -j
ACCEPT<br>
-A net-fw -s 192.168.1.4/32 -p tcp -m tcp --dport 8734 -j ACCEPT<br>
-A net-fw -s 192.168.1.4/32 -p icmp -m icmp --icmp-type 8 -j
ACCEPT<br>
-A net-fw -j Drop<br>
-A net-fw -j LOG --log-prefix "Shorewall:net-fw:DROP:"
--log-level 6 --log-uid<br>
-A net-fw -j DROP<br>
-A net-vpn -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br>
-A net-vpn -p tcp -m conntrack --ctstate INVALID -j DROP<br>
-A net-vpn -p udp -m conntrack --ctstate INVALID -j DROP<br>
-A net-vpn -j Drop<br>
-A net-vpn -j LOG --log-prefix "Shorewall:net-vpn:DROP:"
--log-level 6 --log-uid<br>
-A net-vpn -j DROP<br>
-A net_frwd -o eth0 -m policy --dir out --pol ipsec --mode
transport -j net-vpn<br>
-A reject -m addrtype --src-type BROADCAST -j DROP<br>
-A reject -s 224.0.0.0/4 -j DROP<br>
-A reject -p igmp -j DROP<br>
-A reject -p tcp -j REJECT --reject-with tcp-reset<br>
-A reject -p udp -j REJECT --reject-with icmp-port-unreachable<br>
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable<br>
-A reject -j REJECT --reject-with icmp-host-prohibited<br>
-A shorewall -m recent --set --name %CURRENTTIME --mask
255.255.255.255 --rsource<br>
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG
FIN,PSH,URG -g logflags<br>
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG
NONE -g logflags<br>
-A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g
logflags<br>
-A tcpflags -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -g
logflags<br>
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g
logflags<br>
-A tcpflags -p tcp -m tcp --tcp-flags FIN,PSH,ACK FIN,PSH -g
logflags<br>
-A tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK
SYN -g logflags<br>
-A vpn-fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br>
-A vpn-fw -s 192.168.1.16/32 -p udp -m udp --dport 500 -m
conntrack --ctstate NEW,UNTRACKED -j ACCEPT<br>
-A vpn-fw -p icmp -m icmp --icmp-type 8 -j ACCEPT<br>
-A vpn-fw -j Drop<br>
-A vpn-fw -j LOG --log-prefix "Shorewall:vpn-fw:DROP:"
--log-level 6 --log-uid<br>
-A vpn-fw -j DROP<br>
-A vpn-net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br>
-A vpn-net -j Drop<br>
-A vpn-net -j LOG --log-prefix "Shorewall:vpn-net:DROP:"
--log-level 6 --log-uid<br>
-A vpn-net -j DROP<br>
-A vpn_frwd -o eth0 -m policy --dir out --pol none -j vpn-net<br>
-A ~log0 -j LOG --log-prefix "Shorewall:fw-net:ACCEPT:"
--log-level 6 --log-uid<br>
-A ~log0 -j ACCEPT<br>
COMMIT<br>
# Completed on Sun Mar 18 16:16:59 2018<br>
<br>
<br>
# ip route show table all<br>
default via 192.168.1.1 dev eth0 <br>
169.254.0.0/16 dev eth0 scope link metric 1002 <br>
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.16
<br>
broadcast 127.0.0.0 dev lo table local proto kernel scope link
src 127.0.0.1 <br>
local 127.0.0.0/8 dev lo table local proto kernel scope host src
127.0.0.1 <br>
local 127.0.0.1 dev lo table local proto kernel scope host src
127.0.0.1 <br>
broadcast 127.255.255.255 dev lo table local proto kernel scope
link src 127.0.0.1 <br>
broadcast 192.168.1.0 dev eth0 table local proto kernel scope
link src 192.168.1.16 <br>
local 192.168.1.16 dev eth0 table local proto kernel scope host
src 192.168.1.16 <br>
broadcast 192.168.1.255 dev eth0 table local proto kernel scope
link src 192.168.1.16 <br>
unreachable ::/96 dev lo metric 1024 error -113 <br>
unreachable ::ffff:0.0.0.0/96 dev lo metric 1024 error -113 <br>
unreachable 2002:a00::/24 dev lo metric 1024 error -113 <br>
unreachable 2002:7f00::/24 dev lo metric 1024 error -113 <br>
unreachable 2002:a9fe::/32 dev lo metric 1024 error -113 <br>
unreachable 2002:ac10::/28 dev lo metric 1024 error -113 <br>
unreachable 2002:c0a8::/32 dev lo metric 1024 error -113 <br>
unreachable 2002:e000::/19 dev lo metric 1024 error -113 <br>
unreachable 3ffe:ffff::/32 dev lo metric 1024 error -113 <br>
fe80::/64 dev eth0 proto kernel metric 256 <br>
fe80::/64 dev ipsec0 proto kernel metric 256 <br>
local ::1 dev lo table local proto kernel metric 0 <br>
local fe80::22e9:6b12:6b8e:b558 dev lo table local proto kernel
metric 0 <br>
local fe80::5054:ff:fec0:9330 dev lo table local proto kernel
metric 0 <br>
ff00::/8 dev eth0 table local metric 256 <br>
ff00::/8 dev ipsec0 table local metric 256<br>
<br>
<br>
# ip address<br>
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue
state UNKNOWN qlen 1000<br>
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br>
inet 127.0.0.1/8 scope host lo<br>
valid_lft forever preferred_lft forever<br>
inet6 ::1/128 scope host <br>
valid_lft forever preferred_lft forever<br>
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
pfifo_fast state UP qlen 1000<br>
link/ether 52:54:00:c0:23:30 brd ff:ff:ff:ff:ff:ff<br>
inet 192.168.1.16/24 brd 192.168.1.255 scope global eth0<br>
valid_lft forever preferred_lft forever<br>
inet6 fe80::5054:ff:fec0:9330/64 scope link <br>
valid_lft forever preferred_lft forever<br>
24: ipsec0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu
1400 qdisc pfifo_fast state UNKNOWN qlen 500<br>
link/none <br>
inet6 fe80::22e9:6b12:6b8e:b558/64 scope link flags 800 <br>
valid_lft forever preferred_lft forever<br>
<br>
<br>
<br>
</blockquote>
<br>
</blockquote>
<br>
</body>
</html>