<div dir="ltr"><div dir="ltr">Hello, thanks for your reply. My apologies, please see firewall config below. Regarding the TS, it does define the two hosts I would like to connect over VPN. Currently I'm not trying to add networks; simply ping 172.16.20.24 from 172.31.18.117. I appreciate your help, matt<div><br></div><div>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"># Generated by iptables-save v1.4.21 on Wed Nov 27 11:22:57 2019</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">*filter</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">:INPUT ACCEPT [2199:206359]</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">:FORWARD ACCEPT [0:0]</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">:OUTPUT ACCEPT [2080:231588]</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">-A FORWARD -s 172.16.20.24/32 -d 172.31.18.117/32 -i eth0 -m policy --dir in --pol ipsec --reqid 14 --proto esp -j ACCEPT</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">-A FORWARD -s 172.31.18.117/32 -d 172.16.20.24/32 -o eth0 -m policy --dir out --pol ipsec --reqid 14 --proto esp -j ACCEPT</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">COMMIT</span></p>
<p class="gmail-p1" style="margin:0px;font:11px Menlo;color:rgb(0,0,0)"><br></p>
<p class="gmail-p1" style="margin:0px;font:11px Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">[root@ip-172-31-26-241 ec2-user]# ip xfrm pol</span></p>
<p class="gmail-p1" style="margin:0px;font:11px Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">src 172.31.18.117/32 dst 172.16.20.24/32</span></p>
<p class="gmail-p1" style="margin:0px;font:11px Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-tab-span" style="white-space:pre"> </span>dir out priority 367231 ptype main</span></p>
<p class="gmail-p1" style="margin:0px;font:11px Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-tab-span" style="white-space:pre"> </span>mark 0xe/0xffffffff</span></p>
<p class="gmail-p1" style="margin:0px;font:11px Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-tab-span" style="white-space:pre"> </span>tmpl src 172.31.26.241 dst 172.16.20.13</span></p>
<p class="gmail-p1" style="margin:0px;font:11px Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-tab-span" style="white-space:pre"> </span><span class="gmail-Apple-tab-span" style="white-space:pre"> </span>proto esp spi 0xc41b426a reqid 14 mode tunnel</span></p>
<p class="gmail-p1" style="margin:0px;font:11px Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">src 172.16.20.24/32 dst 172.31.18.117/32</span></p>
<p class="gmail-p1" style="margin:0px;font:11px Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-tab-span" style="white-space:pre"> </span>dir fwd priority 367231 ptype main</span></p>
<p class="gmail-p1" style="margin:0px;font:11px Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-tab-span" style="white-space:pre"> </span>mark 0xe/0xffffffff</span></p>
<p class="gmail-p1" style="margin:0px;font:11px Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-tab-span" style="white-space:pre"> </span>tmpl src 172.16.20.13 dst 172.31.26.241</span></p>
<p class="gmail-p1" style="margin:0px;font:11px Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-tab-span" style="white-space:pre"> </span><span class="gmail-Apple-tab-span" style="white-space:pre"> </span>proto esp reqid 14 mode tunnel</span></p>
<p class="gmail-p1" style="margin:0px;font:11px Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">src 172.16.20.24/32 dst 172.31.18.117/32</span></p>
<p class="gmail-p1" style="margin:0px;font:11px Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-tab-span" style="white-space:pre"> </span>dir in priority 367231 ptype main</span></p>
<p class="gmail-p1" style="margin:0px;font:11px Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-tab-span" style="white-space:pre"> </span>mark 0xe/0xffffffff</span></p>
<p class="gmail-p1" style="margin:0px;font:11px Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-tab-span" style="white-space:pre"> </span>tmpl src 172.16.20.13 dst 172.31.26.241</span></p>
<p class="gmail-p1" style="margin:0px;font:11px Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-tab-span" style="white-space:pre"> </span><span class="gmail-Apple-tab-span" style="white-space:pre"> </span>proto esp reqid 14 mode tunnel</span></p>
<p class="gmail-p1" style="margin:0px;font:11px Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><br></span></p></div></div><div>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">Security Associations (1 up, 0 connecting):</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space"> </span>ec2test2[10]: ESTABLISHED 5 hours ago, 172.31.26.241[172.31.26.241]...172.16.20.13[172.16.20.13]</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space"> </span>ec2test2[10]: IKEv2 SPIs: 17e28b4e6d4717f3_i* d5c2d25c083280be_r, pre-shared key reauthentication in 2 hours</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space"> </span>ec2test2[10]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space"> </span>ec2test2{101}:<span class="gmail-Apple-converted-space"> </span>INSTALLED, TUNNEL, reqid 14, ESP in UDP SPIs: ccf32809_i c41b426a_o</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space"> </span>ec2test2{101}:<span class="gmail-Apple-converted-space"> </span>AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i, 0 bytes_o, rekeying in 4 minutes</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space"> </span>ec2test2{101}: 172.31.18.117/32 === 172.16.20.24/32</span></p><p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><br></span></p></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Nov 27, 2019 at 1:43 AM Noel Kuntze &lt;noel.kuntze+strongswan-users-ml@thermi.consulting&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hello Matt,<br>
<br>
> ec2test2{73}: 172.31.18.117/32 === 172.16.20.24/32<br>
Your TS only allows traffic between the IPs on the two hosts. To allow traffic between other subnets, they need to be included in the TS.<br>
<br>
Also, please use the exact commands as shown on the HelpRequests[1] page to get useful debugging data.<br>
iptables -L or -S isn't useful.<br>
<br>
Kind regards<br>
<br>
Noel<br>
<br>
[1] <a href="https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests" rel="noreferrer" target="_blank">https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests</a><br>
<br>
On 26.11.19 at 16:46, Matt Frederick wrote:<br>
> <br>
> Hi, I'm looking for some help with a VPN I have set up. This VPN connects two AWS VPCs, and is a learning opportunity for me, in preparation for a larger project next year.<br>
> <br>
> In this case, I have 4 computers, two being strongswan boxes, with two client machines. The layout is such:<br>
> <br>
> 172.16.20.24 <=> 172.16.20.13 <=> 172.31.26.241 <=> 172.31.18.117<br>
> <br>
> where 172.16.20.13 and 172.31.26.241 are strongswan boxes, with an IPSec tunnel between them. 172.16.20.24 and 172.16.20.13 can ping each other, and 172.31.26.241 and 172.31.18.117 can ping each other.<br>
> <br>
> 172.16.20.24 attempts to ping 172.31.18.117 over the tunnel.<br>
> <br>
> Currently, routing between the VPCs is limited to the strongswan boxes, to ensure that the client traffic traverses the tunnel.<br>
> <br>
> For this test, client machines are statically routing the target machine to the VPN machines, and when I ping from 18.117 to 20.24, I see the packet (twice in tcpdump) at 26.241, but it does not see traffic on the VPN, nor on the receiving side.<br>
> <br>
> thanks in advance, m<br>
> <br>
> All seems well, and the tunnels come up (conn ec2test2):<br>
> <br>
> Connections:<br>
> ec2test2: 172.31.26.241...172.16.20.13 IKEv2<br>
> ec2test2: local: [172.31.26.241] uses pre-shared key authentication<br>
> ec2test2: remote: [172.16.20.13] uses pre-shared key authentication<br>
> ec2test2: child: 172.31.18.117/32 === 172.16.20.24/32 TUNNEL<br>
> Security Associations (1 up, 0 connecting):<br>
> ec2test2[8]: ESTABLISHED 23 seconds ago, 172.31.26.241[172.31.26.241]...172.16.20.13[172.16.20.13]<br>
> ec2test2[8]: IKEv2 SPIs: e048424b128299d7_i* 5790cae7fadc96ff_r, pre-shared key reauthentication in 7 hours<br>
> ec2test2[8]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536<br>
> ec2test2{73}: INSTALLED, TUNNEL, reqid 12, ESP in UDP SPIs: c1ce842f_i cc636877_o<br>
> ec2test2{73}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 43 minutes<br>
> ec2test2{73}: 172.31.18.117/32 === 172.16.20.24/32<br>
> <br>
> ipsec.conf:<br>
> conn ec2test2<br>
> right=172.16.20.13<br>
> left=172.31.26.241<br>
> leftfirewall=yes<br>
> rightsubnet=172.16.20.24/32<br>
> leftsubnet=172.31.18.117/32<br>
> rightfirewall=yes<br>
> ike=aes256-sha1-modp1536!<br>
> keyexchange=ikev2<br>
> ikelifetime=28800s<br>
> esp=aes256-sha1-modp1536!<br>
> keylife=3600s<br>
> rekeymargin=540s<br>
> type=tunnel<br>
> compress=no<br>
> authby=secret<br>
> mark=%unique<br>
> auto=start<br>
> keyingtries=%forever<br>
> forceencaps=yes<br>
> mobike=no<br>
> <br>
> <br>
> firewall rules seem ok (they are added by strongswan):<br>
> [root@ip-172-31-26-241 ec2-user]# iptables -S<br>
> -P INPUT ACCEPT<br>
> -P FORWARD ACCEPT<br>
> -P OUTPUT ACCEPT<br>
> -A FORWARD -s 172.16.20.24/32 -d 172.31.18.117/32 -i eth0 -m policy --dir in --pol ipsec --reqid 12 --proto esp -j ACCEPT<br>
> -A FORWARD -s 172.31.18.117/32 -d 172.16.20.24/32 -o eth0 -m policy --dir out --pol ipsec --reqid 12 --proto esp -j ACCEPT<br>
> <br>
> [root@ip-172-31-26-241 ec2-user]# ip xfrm pol<br>
> src 172.31.18.117/32 dst 172.16.20.24/32<br>
> dir out priority 367231 ptype main<br>
> mark 0xc/0xffffffff<br>
> tmpl src 172.31.26.241 dst 172.16.20.13<br>
> proto esp spi 0xcc636877 reqid 12 mode tunnel<br>
> src 172.16.20.24/32 dst 172.31.18.117/32<br>
> dir fwd priority 367231 ptype main<br>
> mark 0xc/0xffffffff<br>
> tmpl src 172.16.20.13 dst 172.31.26.241<br>
> proto esp reqid 12 mode tunnel<br>
> src 172.16.20.24/32 dst 172.31.18.117/32<br>
> dir in priority 367231 ptype main<br>
> mark 0xc/0xffffffff<br>
> tmpl src 172.16.20.13 dst 172.31.26.241<br>
> proto esp reqid 12 mode tunnel<br>
> src 0.0.0.0/0 dst 0.0.0.0/0<br>
> socket in priority 0 ptype main<br>
> src 0.0.0.0/0 dst 0.0.0.0/0<br>
> socket out priority 0 ptype main<br>
> src 0.0.0.0/0 dst 0.0.0.0/0<br>
> socket in priority 0 ptype main<br>
> src 0.0.0.0/0 dst 0.0.0.0/0<br>
> socket out priority 0 ptype main<br>
> src ::/0 dst ::/0<br>
> socket in priority 0 ptype main<br>
> src ::/0 dst ::/0<br>
> socket out priority 0 ptype main<br>
> src ::/0 dst ::/0<br>
> socket in priority 0 ptype main<br>
> src ::/0 dst ::/0<br>
> socket out priority 0 ptype main<br>
> <br>
> [root@ip-172-31-26-241 ec2-user]# ip xfrm state<br>
> src 172.31.26.241 dst 172.16.20.13<br>
> proto esp spi 0xcc636877 reqid 12 mode tunnel<br>
> replay-window 0 flag af-unspec<br>
> mark 0xc/0xffffffff<br>
> auth-trunc hmac(sha1) 0xf323a6acb5a1517bba18285fa54a3d51e237a4de 96<br>
> enc cbc(aes) 0xccb4bea13f0bf1a8fa24dac0de7dd73751005dc85a271a3f484bae125475808e<br>
> encap type espinudp sport 4500 dport 4500 addr 0.0.0.0<br>
> anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000<br>
> src 172.16.20.13 dst 172.31.26.241<br>
> proto esp spi 0xc1ce842f reqid 12 mode tunnel<br>
> replay-window 32 flag af-unspec<br>
> auth-trunc hmac(sha1) 0xa6e93c716c71a248b716bcdf5c9d0bbf2266d40f 96<br>
> enc cbc(aes) 0xffbeff56638b45c0d94bd33b1dfe9ded84aad68866bf1d44e9f01dc2eecf0660<br>
> encap type espinudp sport 4500 dport 4500 addr 0.0.0.0<br>
> anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000<br>
> <br>
> <br>
> <br>
> *Confidentiality and Privacy Notice: *Information transmitted by this email is proprietary to [m]pirik and is intended for use only by the individual or entity to which it is addressed, and may contain information that is private, privileged, confidential or exempt from disclosure under applicable law. All personal messages express views solely of the sender, are not to be attributed to [m]pirik, and may not be copied or distributed without this disclaimer. If you are not the intended recipient or it appears that this mail has been forwarded to you without proper authority, you are notified that any use or dissemination of this information in any manner is strictly prohibited. In such cases, please delete this mail from your records.<br>
> <br>
<br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><p class="MsoNormal"><span style="color:rgb(136,136,136)">Matthew Frederick</span></p><div><p class="MsoNormal"><a href="mailto:jim@mpirik.com" style="color:rgb(17,85,204)" target="_blank"><span style="font-size:7.5pt">matt@mpirik.com</span></a></p></div><div><p class="MsoNormal"><span style="font-size:10pt;color:rgb(136,136,136)">W +414.220.4384</span></p></div></div></div></div>
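<p>Added example, not part of the original message and not strongSwan code: a simplified Python model of the kernel's XFRM policy lookup, run over the <code>ip xfrm pol</code> output posted above. The function and class names are hypothetical; the model assumes the kernel rule that a policy with <code>mark VALUE/MASK</code> applies only when (packet mark &amp; MASK) == VALUE, and it ignores priorities, port and protocol selectors, and interface IDs.</p>

```python
import ipaddress
from dataclasses import dataclass

# `ip xfrm pol` output retyped from the message above (indentation as spaces).
XFRM_POL = """\
src 172.31.18.117/32 dst 172.16.20.24/32
    dir out priority 367231 ptype main
    mark 0xe/0xffffffff
    tmpl src 172.31.26.241 dst 172.16.20.13
        proto esp spi 0xc41b426a reqid 14 mode tunnel
src 172.16.20.24/32 dst 172.31.18.117/32
    dir fwd priority 367231 ptype main
    mark 0xe/0xffffffff
    tmpl src 172.16.20.13 dst 172.31.26.241
        proto esp reqid 14 mode tunnel
src 172.16.20.24/32 dst 172.31.18.117/32
    dir in priority 367231 ptype main
    mark 0xe/0xffffffff
    tmpl src 172.16.20.13 dst 172.31.26.241
        proto esp reqid 14 mode tunnel
"""


@dataclass
class Policy:  # hypothetical container, one per "src ... dst ..." entry
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str = ""
    mark: int = 0   # VALUE part of "mark VALUE/MASK"
    mask: int = 0   # mask 0 means the policy ignores the packet mark
    reqid: int = 0


def parse_policies(text):
    """Parse `ip xfrm policy` text into Policy objects."""
    policies = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if not line[0].isspace() and tok[0] == "src":
            # An unindented "src A dst B" line starts a new policy.
            policies.append(Policy(ipaddress.ip_network(tok[1]),
                                   ipaddress.ip_network(tok[3])))
        elif tok[0] == "dir":
            policies[-1].direction = tok[1]
        elif tok[0] == "mark":
            value, mask = tok[1].split("/")
            policies[-1].mark = int(value, 16)
            policies[-1].mask = int(mask, 16)
        elif "reqid" in tok:
            policies[-1].reqid = int(tok[tok.index("reqid") + 1])
    return policies


def lookup(policies, direction, src, dst, fwmark=0):
    """Return the first policy whose selector and mark both match, else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if p.direction != direction or s not in p.src or d not in p.dst:
            continue
        # Mark check: the policy applies only if (packet mark & mask) == value.
        if (fwmark & p.mask) == p.mark:
            return p
    return None
```

<p>Run against the posted policies, <code>lookup()</code> returns no policy for an unmarked packet from 172.31.18.117 to 172.16.20.24 and returns the reqid 14 policy once the packet carries mark 0xe.</p>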