[strongSwan] strongSwan tunnel up but child subnets not pinging
christopher kamutumwa
chriskamutumwa at gmail.com
Tue Feb 16 10:52:29 CET 2016
Hello, I managed to install strongSwan and managed to establish a connection
to the remote partner, but the child subnets are not pinging each other. What could
be the problem? Attached are ipsec.conf, statusall, iptables, the routing table
and a tail of /var/log/messages.
Kindly advise why I am not able to ping the other side.
Thanks
-------------- next part --------------
[root at li788-94 ~]# tail 100 /var/log/messages
tail: cannot open `100' for reading: No such file or directory
==> /var/log/messages <==
Feb 16 09:49:28 li788-94 charon: 03[NET] received packet: from 41.223.117.190[4500] to 185.3.95.94[4500] (164 bytes)
Feb 16 09:49:28 li788-94 charon: 03[ENC] parsed QUICK_MODE request 959964764 [ HASH SA No ID ID ]
Feb 16 09:49:28 li788-94 charon: 03[IKE] received 28800s lifetime, configured 200s
Feb 16 09:49:28 li788-94 charon: 03[IKE] received 1843200000 lifebytes, configured 0
Feb 16 09:49:28 li788-94 charon: 03[ENC] generating QUICK_MODE response 959964764 [ HASH SA No ID ID ]
Feb 16 09:49:28 li788-94 charon: 03[NET] sending packet: from 185.3.95.94[4500] to 41.223.117.190[4500] (180 bytes)
Feb 16 09:49:28 li788-94 charon: 02[NET] received packet: from 41.223.117.190[4500] to 185.3.95.94[4500] (52 bytes)
Feb 16 09:49:28 li788-94 charon: 02[ENC] parsed QUICK_MODE request 959964764 [ HASH ]
Feb 16 09:49:28 li788-94 charon: 02[IKE] CHILD_SA MTN{1} established with SPIs cead478f_i 1c001196_o and TS 192.168.200.177/32 === 172.25.48.43/32
Feb 16 09:49:28 li788-94 vpn: + 41.223.117.190 172.25.48.43/32 == 41.223.117.190 -- 185.3.95.94 == 192.168.200.177/32
[root at li788-94 ~]# tail -100 /var/log/messages
Feb 16 09:41:45 li788-94 charon: 06[NET] sending packet: from 185.3.95.94[4500] to 41.223.117.190[4500] (76 bytes)
Feb 16 09:41:58 li788-94 charon: 03[IKE] sending retransmit 3 of request message ID 2052936998, seq 4
Feb 16 09:41:58 li788-94 charon: 03[NET] sending packet: from 185.3.95.94[4500] to 41.223.117.190[4500] (76 bytes)
Feb 16 09:42:21 li788-94 charon: 12[IKE] sending retransmit 4 of request message ID 2052936998, seq 4
Feb 16 09:42:21 li788-94 charon: 12[NET] sending packet: from 185.3.95.94[4500] to 41.223.117.190[4500] (76 bytes)
Feb 16 09:43:03 li788-94 charon: 16[IKE] sending retransmit 5 of request message ID 2052936998, seq 4
Feb 16 09:43:03 li788-94 charon: 16[NET] sending packet: from 185.3.95.94[4500] to 41.223.117.190[4500] (76 bytes)
Feb 16 09:44:19 li788-94 charon: 01[IKE] giving up after 5 retransmits
Feb 16 09:44:19 li788-94 charon: 01[IKE] initiating Main Mode IKE_SA MTN[10] to 41.223.117.190
Feb 16 09:44:19 li788-94 charon: 01[ENC] generating ID_PROT request 0 [ SA V V V V ]
Feb 16 09:44:19 li788-94 charon: 01[NET] sending packet: from 185.3.95.94[4500] to 41.223.117.190[4500] (212 bytes)
Feb 16 09:44:19 li788-94 charon: 12[NET] received packet: from 41.223.117.190[4500] to 185.3.95.94[4500] (100 bytes)
Feb 16 09:44:19 li788-94 charon: 12[ENC] parsed ID_PROT response 0 [ SA V ]
Feb 16 09:44:19 li788-94 charon: 12[ENC] received unknown vendor ID: 48:55:41:57:45:49:2d:49:4b:45:76:31:44:53:43:50
Feb 16 09:44:19 li788-94 charon: 12[ENC] generating ID_PROT request 0 [ KE No ]
Feb 16 09:44:19 li788-94 charon: 12[NET] sending packet: from 185.3.95.94[4500] to 41.223.117.190[4500] (196 bytes)
Feb 16 09:44:19 li788-94 charon: 14[NET] received packet: from 41.223.117.190[4500] to 185.3.95.94[4500] (196 bytes)
Feb 16 09:44:19 li788-94 charon: 14[ENC] parsed ID_PROT response 0 [ KE No ]
Feb 16 09:44:19 li788-94 charon: 14[ENC] generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Feb 16 09:44:19 li788-94 charon: 14[NET] sending packet: from 185.3.95.94[4500] to 41.223.117.190[4500] (100 bytes)
Feb 16 09:44:19 li788-94 charon: 13[NET] received packet: from 41.223.117.190[4500] to 185.3.95.94[4500] (68 bytes)
Feb 16 09:44:19 li788-94 charon: 13[ENC] parsed ID_PROT response 0 [ ID HASH ]
Feb 16 09:44:19 li788-94 charon: 13[IKE] IKE_SA MTN[10] established between 185.3.95.94[185.3.95.94]...41.223.117.190[41.223.117.190]
Feb 16 09:44:19 li788-94 charon: 13[IKE] scheduling reauthentication in 28231s
Feb 16 09:44:19 li788-94 charon: 13[IKE] maximum IKE_SA lifetime 28531s
Feb 16 09:44:19 li788-94 charon: 13[ENC] generating TRANSACTION request 1218436888 [ HASH CPRQ(ADDR DNS) ]
Feb 16 09:44:19 li788-94 charon: 13[NET] sending packet: from 185.3.95.94[4500] to 41.223.117.190[4500] (76 bytes)
Feb 16 09:44:23 li788-94 charon: 04[IKE] sending retransmit 1 of request message ID 1218436888, seq 4
Feb 16 09:44:23 li788-94 charon: 04[NET] sending packet: from 185.3.95.94[4500] to 41.223.117.190[4500] (76 bytes)
Feb 16 09:44:31 li788-94 charon: 02[IKE] sending retransmit 2 of request message ID 1218436888, seq 4
Feb 16 09:44:31 li788-94 charon: 02[NET] sending packet: from 185.3.95.94[4500] to 41.223.117.190[4500] (76 bytes)
Feb 16 09:44:44 li788-94 charon: 14[IKE] sending retransmit 3 of request message ID 1218436888, seq 4
Feb 16 09:44:44 li788-94 charon: 14[NET] sending packet: from 185.3.95.94[4500] to 41.223.117.190[4500] (76 bytes)
Feb 16 09:45:07 li788-94 charon: 15[IKE] sending retransmit 4 of request message ID 1218436888, seq 4
Feb 16 09:45:07 li788-94 charon: 15[NET] sending packet: from 185.3.95.94[4500] to 41.223.117.190[4500] (76 bytes)
Feb 16 09:45:49 li788-94 charon: 03[IKE] sending retransmit 5 of request message ID 1218436888, seq 4
Feb 16 09:45:49 li788-94 charon: 03[NET] sending packet: from 185.3.95.94[4500] to 41.223.117.190[4500] (76 bytes)
Feb 16 09:47:05 li788-94 charon: 06[IKE] giving up after 5 retransmits
Feb 16 09:47:05 li788-94 charon: 06[IKE] initiating Main Mode IKE_SA MTN[11] to 41.223.117.190
Feb 16 09:47:05 li788-94 charon: 06[ENC] generating ID_PROT request 0 [ SA V V V V ]
Feb 16 09:47:05 li788-94 charon: 06[NET] sending packet: from 185.3.95.94[4500] to 41.223.117.190[4500] (212 bytes)
Feb 16 09:47:05 li788-94 charon: 05[NET] received packet: from 41.223.117.190[4500] to 185.3.95.94[4500] (100 bytes)
Feb 16 09:47:05 li788-94 charon: 05[ENC] parsed ID_PROT response 0 [ SA V ]
Feb 16 09:47:05 li788-94 charon: 05[ENC] received unknown vendor ID: 48:55:41:57:45:49:2d:49:4b:45:76:31:44:53:43:50
Feb 16 09:47:05 li788-94 charon: 05[ENC] generating ID_PROT request 0 [ KE No ]
Feb 16 09:47:05 li788-94 charon: 05[NET] sending packet: from 185.3.95.94[4500] to 41.223.117.190[4500] (196 bytes)
Feb 16 09:47:05 li788-94 charon: 04[NET] received packet: from 41.223.117.190[4500] to 185.3.95.94[4500] (196 bytes)
Feb 16 09:47:05 li788-94 charon: 04[ENC] parsed ID_PROT response 0 [ KE No ]
Feb 16 09:47:05 li788-94 charon: 04[ENC] generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Feb 16 09:47:05 li788-94 charon: 04[NET] sending packet: from 185.3.95.94[4500] to 41.223.117.190[4500] (100 bytes)
Feb 16 09:47:05 li788-94 charon: 03[NET] received packet: from 41.223.117.190[4500] to 185.3.95.94[4500] (68 bytes)
Feb 16 09:47:05 li788-94 charon: 03[ENC] parsed ID_PROT response 0 [ ID HASH ]
Feb 16 09:47:05 li788-94 charon: 03[IKE] IKE_SA MTN[11] established between 185.3.95.94[185.3.95.94]...41.223.117.190[41.223.117.190]
Feb 16 09:47:05 li788-94 charon: 03[IKE] scheduling reauthentication in 28221s
Feb 16 09:47:05 li788-94 charon: 03[IKE] maximum IKE_SA lifetime 28521s
Feb 16 09:47:05 li788-94 charon: 03[ENC] generating TRANSACTION request 689769898 [ HASH CPRQ(ADDR DNS) ]
Feb 16 09:47:05 li788-94 charon: 03[NET] sending packet: from 185.3.95.94[4500] to 41.223.117.190[4500] (76 bytes)
Feb 16 09:47:09 li788-94 charon: 15[IKE] sending retransmit 1 of request message ID 689769898, seq 4
Feb 16 09:47:09 li788-94 charon: 15[NET] sending packet: from 185.3.95.94[4500] to 41.223.117.190[4500] (76 bytes)
Feb 16 09:47:16 li788-94 charon: 16[IKE] sending retransmit 2 of request message ID 689769898, seq 4
Feb 16 09:47:16 li788-94 charon: 16[NET] sending packet: from 185.3.95.94[4500] to 41.223.117.190[4500] (76 bytes)
Feb 16 09:47:29 li788-94 charon: 04[IKE] sending retransmit 3 of request message ID 689769898, seq 4
Feb 16 09:47:29 li788-94 charon: 04[NET] sending packet: from 185.3.95.94[4500] to 41.223.117.190[4500] (76 bytes)
Feb 16 09:47:53 li788-94 charon: 01[IKE] sending retransmit 4 of request message ID 689769898, seq 4
Feb 16 09:47:53 li788-94 charon: 01[NET] sending packet: from 185.3.95.94[4500] to 41.223.117.190[4500] (76 bytes)
Feb 16 09:48:35 li788-94 charon: 11[IKE] sending retransmit 5 of request message ID 689769898, seq 4
Feb 16 09:48:35 li788-94 charon: 11[NET] sending packet: from 185.3.95.94[4500] to 41.223.117.190[4500] (76 bytes)
Feb 16 09:49:28 li788-94 charon: 03[NET] received packet: from 41.223.117.190[4500] to 185.3.95.94[4500] (164 bytes)
Feb 16 09:49:28 li788-94 charon: 03[ENC] parsed QUICK_MODE request 959964764 [ HASH SA No ID ID ]
Feb 16 09:49:28 li788-94 charon: 03[IKE] received 28800s lifetime, configured 200s
Feb 16 09:49:28 li788-94 charon: 03[IKE] received 1843200000 lifebytes, configured 0
Feb 16 09:49:28 li788-94 charon: 03[ENC] generating QUICK_MODE response 959964764 [ HASH SA No ID ID ]
Feb 16 09:49:28 li788-94 charon: 03[NET] sending packet: from 185.3.95.94[4500] to 41.223.117.190[4500] (180 bytes)
Feb 16 09:49:28 li788-94 charon: 02[NET] received packet: from 41.223.117.190[4500] to 185.3.95.94[4500] (52 bytes)
Feb 16 09:49:28 li788-94 charon: 02[ENC] parsed QUICK_MODE request 959964764 [ HASH ]
Feb 16 09:49:28 li788-94 charon: 02[IKE] CHILD_SA MTN{1} established with SPIs cead478f_i 1c001196_o and TS 192.168.200.177/32 === 172.25.48.43/32
Feb 16 09:49:28 li788-94 vpn: + 41.223.117.190 172.25.48.43/32 == 41.223.117.190 -- 185.3.95.94 == 192.168.200.177/32
Feb 16 09:49:50 li788-94 charon: 13[IKE] giving up after 5 retransmits
Feb 16 09:49:50 li788-94 charon: 13[IKE] initiating Main Mode IKE_SA MTN[12] to 41.223.117.190
Feb 16 09:49:50 li788-94 charon: 13[ENC] generating ID_PROT request 0 [ SA V V V V ]
Feb 16 09:49:50 li788-94 charon: 13[NET] sending packet: from 185.3.95.94[4500] to 41.223.117.190[4500] (212 bytes)
Feb 16 09:49:50 li788-94 vpn: - 41.223.117.190 172.25.48.43/32 == 41.223.117.190 -- 185.3.95.94 == 192.168.200.177/32
Feb 16 09:49:50 li788-94 charon: 11[NET] received packet: from 41.223.117.190[4500] to 185.3.95.94[4500] (100 bytes)
Feb 16 09:49:50 li788-94 charon: 11[ENC] parsed ID_PROT response 0 [ SA V ]
Feb 16 09:49:50 li788-94 charon: 11[ENC] received unknown vendor ID: 48:55:41:57:45:49:2d:49:4b:45:76:31:44:53:43:50
Feb 16 09:49:50 li788-94 charon: 11[ENC] generating ID_PROT request 0 [ KE No ]
Feb 16 09:49:50 li788-94 charon: 11[NET] sending packet: from 185.3.95.94[4500] to 41.223.117.190[4500] (196 bytes)
Feb 16 09:49:51 li788-94 charon: 16[NET] received packet: from 41.223.117.190[4500] to 185.3.95.94[4500] (196 bytes)
Feb 16 09:49:51 li788-94 charon: 16[ENC] parsed ID_PROT response 0 [ KE No ]
Feb 16 09:49:51 li788-94 charon: 16[ENC] generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Feb 16 09:49:51 li788-94 charon: 16[NET] sending packet: from 185.3.95.94[4500] to 41.223.117.190[4500] (100 bytes)
Feb 16 09:49:51 li788-94 charon: 06[NET] received packet: from 41.223.117.190[4500] to 185.3.95.94[4500] (68 bytes)
Feb 16 09:49:51 li788-94 charon: 06[ENC] parsed ID_PROT response 0 [ ID HASH ]
Feb 16 09:49:51 li788-94 charon: 06[IKE] IKE_SA MTN[12] established between 185.3.95.94[185.3.95.94]...41.223.117.190[41.223.117.190]
Feb 16 09:49:51 li788-94 charon: 06[IKE] scheduling reauthentication in 28222s
Feb 16 09:49:51 li788-94 charon: 06[IKE] maximum IKE_SA lifetime 28522s
Feb 16 09:49:51 li788-94 charon: 06[ENC] generating TRANSACTION request 4068290156 [ HASH CPRQ(ADDR DNS) ]
Feb 16 09:49:51 li788-94 charon: 06[NET] sending packet: from 185.3.95.94[4500] to 41.223.117.190[4500] (76 bytes)
Feb 16 09:49:55 li788-94 charon: 12[IKE] sending retransmit 1 of request message ID 4068290156, seq 4
Feb 16 09:49:55 li788-94 charon: 12[NET] sending packet: from 185.3.95.94[4500] to 41.223.117.190[4500] (76 bytes)
[root at li788-94 ~]#
-------------- next part --------------
[root at li788-94 ~]# strongswan statusall
Status of IKE charon daemon (strongSwan 5.3.2, Linux 4.4.0-x86_64-linode63, x86_64):
uptime: 27 minutes, since Feb 16 09:19:28 2016
malloc: sbrk 503808, mmap 0, used 404864, free 98944
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 21
loaded plugins: charon aes des rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnsksshkey pem openssl fips-prf gmp xcbc cmac hmac ctr ccm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-ident eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp
Listening IP addresses:
185.3.95.94
192.168.200.177
2a01:7e00::f03c:91ff:fe37:9296
Connections:
MTN: 185.3.95.94...41.223.117.190 IKEv1
MTN: local: [185.3.95.94] uses pre-shared key authentication
MTN: remote: [41.223.117.190] uses pre-shared key authentication
MTN: child: 192.168.128.0/17 === 172.25.48.36/32 172.25.48.43/32 TUNNEL
Security Associations (1 up, 0 connecting):
MTN[10]: ESTABLISHED 2 minutes ago, 185.3.95.94[185.3.95.94]...41.223.117.190[41.223.117.190]
MTN[10]: IKEv1 SPIs: 28e33873f54aaaff_i* 6d3ab411e92b6c05_r, pre-shared key reauthentication in 7 hours
MTN[10]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
MTN[10]: Tasks queued: QUICK_MODE
MTN[10]: Tasks active: MODE_CONFIG
[root at li788-94 ~]#
-------------- next part --------------
[root at li788-94 strongswan]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 185.3.95.1 0.0.0.0 UG 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 1003 0 0 eth0
172.25.48.36 41.223.117.190 255.255.255.255 UGH 0 0 0 eth0
172.25.48.43 41.223.117.190 255.255.255.255 UGH 0 0 0 eth0
185.3.95.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.128.0 0.0.0.0 255.255.128.0 U 0 0 0 eth0
[root at li788-94 strongswan]# ip route show
default via 185.3.95.1 dev eth0
169.254.0.0/16 dev eth0 scope link metric 1003
172.25.48.36 via 41.223.117.190 dev eth0 proto static src 192.168.200.177
172.25.48.43 via 41.223.117.190 dev eth0 proto static src 192.168.200.177
185.3.95.0/24 dev eth0 proto kernel scope link src 185.3.95.94
192.168.128.0/17 dev eth0 proto kernel scope link src 192.168.200.177
-------------- next part --------------
[root at li788-94 strongswan]# iptables -nvL
Chain INPUT (policy ACCEPT 2028 packets, 230K bytes)
pkts bytes target prot opt in out source destination
3214 267K ACCEPT icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0
49 6664 ACCEPT esp -- eth0 * 0.0.0.0/0 0.0.0.0/0
10 472 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
39885 4440K ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
3726 411K ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:4500
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:500
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * eth0 192.168.128.0/17 172.25.48.36 policy match dir out pol ipsec
0 0 ACCEPT all -- eth0 * 172.25.48.43 192.168.200.172 policy match dir in pol ipsec
0 0 ACCEPT all -- * eth0 192.168.200.172 172.25.48.43 policy match dir out pol ipsec
0 0 ACCEPT all -- eth0 * 172.25.48.36 192.168.128.0/17 policy match dir in pol ipsec
Chain OUTPUT (policy ACCEPT 545 packets, 41160 bytes)
pkts bytes target prot opt in out source destination
3814 347K ACCEPT icmp -- * eth0 0.0.0.0/0 0.0.0.0/0
764 45141 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
9 524 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
39 5304 ACCEPT esp -- * eth0 0.0.0.0/0 0.0.0.0/0
47522 7109K ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 udp dpt:4500
0 0 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 udp dpt:500
-------------- next part --------------
conn %default
    ikelifetime=28800s
    keylife=200s
    rekeymargin=300
    keyingtries=1
    keyexchange=ikev1
    ike=aes128-sha1-modp1024-diffie-hellman group 2
    esp=3des-sha1
    ike=3des-sha1-modp1024
    mobike=yes
    leftikeport=4500
    rightikeport=4500
    authby=secret

conn MTN
    type=tunnel
    left=185.3.95.94
    # left=%defaultroute
    # leftcert=client.cert
    # authby=secret
    leftsubnet=192.168.200.172/17
    leftsourceip=%config
    leftfirewall=yes
    right=41.223.117.190
    #rightid=41.223.117.190
    rightsubnet=172.25.48.36/32,172.25.48.43/32
    # rightsubnet=172.25.48.36/16
    # rightsubnet=172.25.48.36
    auto=start
-------------- next part --------------
iptables -I INPUT -i eth0 -p udp --dport 500 -j ACCEPT
iptables -I INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
iptables -I INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -I INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -i eth0 -p esp -j ACCEPT
iptables -I INPUT -i eth0 -p icmp -j ACCEPT
iptables -I OUTPUT -o eth0 -p udp --dport 500 -j ACCEPT
iptables -I OUTPUT -o eth0 -p udp --dport 4500 -j ACCEPT
iptables -I OUTPUT -o eth0 -p all -j ACCEPT
iptables -I OUTPUT -o eth0 -p esp -j ACCEPT
iptables -I OUTPUT -o eth0 -p tcp --dport 22 -j ACCEPT
iptables -I OUTPUT -o eth0 -p tcp --dport 80 -j ACCEPT
iptables -I OUTPUT -o eth0 -p icmp -j ACCEPT
iptables -I FORWARD -i eth0 -s 172.25.48.36/32 -d 192.168.200.172/17 -m policy --dir in --pol ipsec -j ACCEPT
iptables -I FORWARD -o eth0 -s 192.168.200.172 -d 172.25.48.43/32 -m policy --dir out --pol ipsec -j ACCEPT
iptables -I FORWARD -i eth0 -s 172.25.48.43/32 -d 192.168.200.172 -m policy --dir in --pol ipsec -j ACCEPT
iptables -I FORWARD -o eth0 -s 192.168.200.172/17 -d 172.25.48.36/32 -m policy --dir out --pol ipsec -j ACCEPT
iptables -t nat -I POSTROUTING -s 10.1.0.0/16 -o vlan2 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -t nat -I PREROUTING -s 10.2.0.0/16 -i vlan2 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
10.2.0.0/16 via 192.168.0.2 dev eth0 proto static src 10.1.0.1
/etc/init.d/iptables save
ip route add 172.25.48.43 via 41.223.117.190 dev eth0 proto static src 192.168.200.177
ip route add 172.25.48.36 via 41.223.117.190 dev eth0 proto static src 192.168.200.177
172.25.48.36 via 41.223.117.190 dev eth0 proto static src 192.168.200.177
ip route add 41.223.117.190 dev eth0
ip route add 41.223.117.190 via 185.3.95.1 dev eth0:1
ip route add 41.223.117.190/32 via 185.3.95.1 dev eth0
any net 41.223.117.190 netmask 255.255.255.255 gw 185.3.95.1
any net 172.25.48.43 netmask 255.255.255.255 gw 41.223.117.190
any net 172.25.48.36 netmask 255.255.255.255 gw 41.223.117.190
tup: Starting Openswan IPsec U2.6.32/K4.4.0-x86_64-linode63...
Feb 14 16:04:24 li788-94 ipsec_setup: Using NETKEY(XFRM) stack
Chain INPUT (policy accept 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1 152 ACCEPT esp -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT ah -- eth0 * 0.0.0.0/0 0.0.0.0/0
4 900 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp spt:4500 dpt:4500
96 20216 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Chain FORWARD (policy accept 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1 84 ACCEPT all -- eth0 * 172.25.48.36/32 192.168.200.172/17 policy match dir in pol ipsec reqid 1 proto 50
1 84 ACCEPT all -- * eth0 192.168.200.172/17 172.25.48.36/32 policy match dir out pol ipsec reqid 1 proto 50
Chain OUTPUT (policy accept 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1 152 ACCEPT esp -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT ah -- * eth0 0.0.0.0/0 0.0.0.0/0
5 1140 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500
0 0 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 udp spt:4500 dpt:4500
116 27632 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22
0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 192.168.0.150 tcp dpt:80
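Added example, not code from the post above or from the strongSwan project: a small Python parser over the charon lines quoted in the log attachment. It pulls out what the CHILD_SA actually negotiated as traffic selectors, checks whether a given ping's source and destination fall inside them, compares that with the subnets configured in ipsec.conf, and counts how often the TRANSACTION (mode-config, CPRQ) request was retransmitted until charon gave up. The lines in SAMPLE_LOG are copied from the attachment; CONF_LEFT and CONF_RIGHT are the poster's leftsubnet/rightsubnet values; all function names are my own.

```python
"""Check a 'tunnel up but no traffic' IKEv1 log: negotiated selectors vs. configured subnets."""
import ipaddress
import re

# Sample input: charon lines copied from the log attached to the post (constructed subset).
SAMPLE_LOG = """\
Feb 16 09:44:19 li788-94 charon: 13[IKE] IKE_SA MTN[10] established between 185.3.95.94[185.3.95.94]...41.223.117.190[41.223.117.190]
Feb 16 09:44:19 li788-94 charon: 13[ENC] generating TRANSACTION request 1218436888 [ HASH CPRQ(ADDR DNS) ]
Feb 16 09:44:23 li788-94 charon: 04[IKE] sending retransmit 1 of request message ID 1218436888, seq 4
Feb 16 09:47:05 li788-94 charon: 06[IKE] giving up after 5 retransmits
Feb 16 09:47:05 li788-94 charon: 06[IKE] initiating Main Mode IKE_SA MTN[11] to 41.223.117.190
Feb 16 09:49:28 li788-94 charon: 02[IKE] CHILD_SA MTN{1} established with SPIs cead478f_i 1c001196_o and TS 192.168.200.177/32 === 172.25.48.43/32
"""

# The poster's leftsubnet / rightsubnet from ipsec.conf.
CONF_LEFT = ["192.168.200.172/17"]
CONF_RIGHT = ["172.25.48.36/32", "172.25.48.43/32"]

RE_CHILD = re.compile(r"CHILD_SA \S+\{\d+\} established with SPIs \S+ \S+ and TS (.+?) === (.+)$")
RE_IKE_UP = re.compile(r"IKE_SA \S+\[\d+\] established between")
RE_CPRQ = re.compile(r"generating TRANSACTION request \d+ \[ HASH CPRQ")
RE_GIVEUP = re.compile(r"giving up after \d+ retransmits")


def net(text):
    """Parse a subnet, masking host bits the way strongSwan does (192.168.200.172/17 -> 192.168.128.0/17)."""
    return ipaddress.ip_network(text, strict=False)


def parse_events(log):
    """Count the phases of the exchange and collect the traffic selectors of every CHILD_SA."""
    ev = {"ike_sa_established": 0, "mode_config_requests": 0, "give_ups": 0, "child_sa": []}
    for line in log.splitlines():
        if RE_IKE_UP.search(line):
            ev["ike_sa_established"] += 1
        elif RE_CPRQ.search(line):
            ev["mode_config_requests"] += 1
        elif RE_GIVEUP.search(line):
            ev["give_ups"] += 1
        else:
            m = RE_CHILD.search(line)
            if m:  # each side may list several space-separated networks
                local = [net(x) for x in m.group(1).split()]
                remote = [net(x) for x in m.group(2).split()]
                ev["child_sa"].append((local, remote))
    return ev


def covered(selectors, src, dst):
    """True if a packet src -> dst matches the selector pair of some negotiated CHILD_SA."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(any(s in l for l in local) and any(d in r for r in remote)
               for local, remote in selectors)


def not_covered(configured, negotiated):
    """Configured networks that no negotiated selector fully contains (i.e. narrowed away)."""
    return [str(c) for c in map(net, configured) if not any(c.subnet_of(n) for n in negotiated)]


def diagnose(log, conf_left=CONF_LEFT, conf_right=CONF_RIGHT):
    """Summarise what the log proves about the tunnel, as plain facts."""
    ev = parse_events(log)
    local_all = [n for local, _ in ev["child_sa"] for n in local]
    remote_all = [n for _, remote in ev["child_sa"] for n in remote]
    return {
        "ike_sa_established": ev["ike_sa_established"],
        "child_sa_count": len(ev["child_sa"]),
        "mode_config_abandoned": ev["mode_config_requests"] > 0 and ev["give_ups"] > 0,
        "left_not_covered": not_covered(conf_left, local_all),
        "right_not_covered": not_covered(conf_right, remote_all),
    }


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    for src, dst in [("192.168.200.177", "172.25.48.43"), ("192.168.200.10", "172.25.48.43")]:
        print(f"{src} -> {dst}: {'covered' if covered(ev['child_sa'], src, dst) else 'NOT covered'}")
    print(diagnose(SAMPLE_LOG))
```

Run on the post's own lines, the parser reports that the only CHILD_SA carries 192.168.200.177/32 === 172.25.48.43/32, so a ping from any other host in the configured 192.168.128.0/17, or towards 172.25.48.36, is outside the negotiated selectors, and that the mode-config request (triggered by leftsourceip=%config) was retransmitted until charon gave up and re-initiated the IKE_SA, which matches the "Tasks active: MODE_CONFIG" line in statusall. The script states what the log shows; deciding whether to drop leftsourceip=%config or to align the subnets with the peer is the list's call.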