[strongSwan] Help with IKEv1 Site-to-site PSK IPv4
Charles-Antoine Giuliani
thethyfate at gmail.com
Tue Oct 24 19:50:29 CEST 2017
Hi,
First, I want to thank you Noel for your help and patience. I know some of
my questions are probably dumb but though not an excuse, the sheer amount
of information to process is huge and intimidating (especially when
discovering graphics like this
https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg)
and I just cannot figure / get a high level view of how ip routes, tables,
packets, etc. work together, all the more with the interactions between
drivers in the network stack. I also want to apologize for providing dumps
which were in contradiction with the setup I was describing -> this was the
result of trying everything I could think of without fully understanding
what I was doing.
However, after reading all the articles and information you provided, it
looks like I managed to successfully connect to the other site but I cannot
access any computer of this other site. I suspect it has to do with packet
routing but I cannot find a way to correct my setup. When I ping or telnet
a machine (on port 3389 where I should be able to connect via RDP), the
command hangs.
For the record, I am setting up a Site to Site VPN with IKEv1 and PSK. I am
using a computer running Ubuntu 16.04 with IP 192.168.1.44 on a local
network behind an ISP-provided router. The router has a DHCP range of
address 1 to 100 and NAT forwarding has been configured for ports 500 and
4500 on this router towards my computer. Beyond the router is internet.
You will find below the configuration files and the result of running a
bash from a fresh boot.
Thanks in advance for all the help anybody can provide,
Kind regards,
Charles
ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
# strictcrlpolicy=yes
# uniqueids = no
# Add connections here.
# Sample VPN connections
#conn sample-self-signed
# leftsubnet=10.1.0.0/16
# leftcert=selfCert.der
# leftsendcert=never
# right=192.168.0.2
# rightsubnet=10.2.0.0/16
# rightcert=peerCert.der
# auto=start
#conn sample-with-ca-cert
# leftsubnet=10.1.0.0/16
# leftcert=myCert.pem
# right=192.168.0.2
# rightsubnet=10.2.0.0/16
# rightid="C=CH, O=Linux strongSwan CN=peer name"
# auto=start
conn ciscoios
keyexchange=ikev1
keyingtries=%forever
leftauth=psk
rightauth=psk
leftsubnet=192.168.1.0/24
leftid=93.XXX.XXX.XXX
auto=route
rightsubnet=172.21.148.0/28 #network behind IOS
right=83.XXX.XXX.XXX #IKEID sent by IOS
ike=aes256-sha-modp1024 #P1: modp1024 = DH group 2
esp=aes256-sha1-modp1024 #P2
ipsec.secrets
# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
# 93.XXX.XXX.XXX 83.XXX.XXX.XXX YYYYYYYY
83.XXX.XXX.XXX : PSK "YYYYYYYY"
ipsec.sql
-not found-
auth.log
Oct 23 10:03:40 Nachalsys charon: 12[IKE] initiating Main Mode IKE_SA
ciscoios[1] to 83.XXX.XXX.XXX
Oct 23 10:03:40 Nachalsys charon: 05[IKE] IKE_SA ciscoios[1] established
between 192.168.1.44[93.XXX.XXX.XXX]...83.XXX.XXX.XXX[83.XXX.XXX.XXX]
Oct 23 10:03:41 Nachalsys charon: 14[IKE] CHILD_SA ciscoios{1} established
with SPIs c86d1e57_i 064d5231_o and TS 192.168.1.0/24 === 172.21.148.0/28
daemon.log
-not found-
root at Nachalsys ~ # sysctl net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
root at Nachalsys ~ # sysctl net.ipv6.conf.all.forwarding=1
net.ipv6.conf.all.forwarding = 1
root at Nachalsys ~ # iptables -t nat -I POSTROUTING -m policy --pol ipsec
--dir out -j ACCEPT
root at Nachalsys ~ # ipsec up ciscoios
initiating Main Mode IKE_SA ciscoios[1] to 83.XXX.XXX.XXX
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 192.168.1.44[500] to 83.XXX.XXX.XXX[500] (216 bytes)
received packet: from 83.XXX.XXX.XXX[500] to 192.168.1.44[500] (128 bytes)
parsed ID_PROT response 0 [ SA V V ]
received NAT-T (RFC 3947) vendor ID
received FRAGMENTATION vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 192.168.1.44[500] to 83.XXX.XXX.XXX[500] (244 bytes)
received packet: from 83.XXX.XXX.XXX[500] to 192.168.1.44[500] (304 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received XAuth vendor ID
received unknown vendor ID: f6:93:91:2c:ea:0a:16:46:54:24:cd:24:86:5c:90:e8
received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 192.168.1.44[4500] to 83.XXX.XXX.XXX[4500] (108 bytes)
received packet: from 83.XXX.XXX.XXX[4500] to 192.168.1.44[4500] (92 bytes)
parsed ID_PROT response 0 [ ID HASH V ]
received DPD vendor ID
IKE_SA ciscoios[1] established between
192.168.1.44[93.XXX.XXX.XXX]...83.XXX.XXX.XXX[83.XXX.XXX.XXX]
scheduling reauthentication in 10082s
maximum IKE_SA lifetime 10622s
generating QUICK_MODE request 1172503876 [ HASH SA No KE ID ID ]
sending packet: from 192.168.1.44[4500] to 83.XXX.XXX.XXX[4500] (316 bytes)
received packet: from 83.XXX.XXX.XXX[4500] to 192.168.1.44[4500] (300 bytes)
parsed QUICK_MODE response 1172503876 [ HASH SA No KE ID ID ]
CHILD_SA ciscoios{1} established with SPIs c86d1e57_i 064d5231_o and TS
192.168.1.0/24 === 172.21.148.0/28
connection 'ciscoios' established successfully
root at Nachalsys ~ # ping 172.21.148.1
PING 172.21.148.1 (172.21.148.1) 56(84) bytes of data.
^C
--- 172.21.148.1 ping statistics ---
10 packets transmitted, 0 received, 100% packet loss, time 9217ms
1 root at Nachalsys ~ # telnet 172.21.148.1 3389
:(
Trying 172.21.148.1...
^X^C
130 root at Nachalsys ~ #
:(
130 root at Nachalsys ~ # ipsec statusall
:(
Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.10.0-37-generic,
x86_64):
uptime: 3 minutes, since Oct 23 10:01:49 2017
malloc: sbrk 2568192, mmap 0, used 361488, free 2206704
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 3
loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random
nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr
kernel-netlink resolve socket-default connmark stroke updown
Listening IP addresses:
192.168.1.44
Connections:
ciscoios: %any...83.XXX.XXX.XXX IKEv1
ciscoios: local: [93.XXX.XXX.XXX] uses pre-shared key authentication
ciscoios: remote: [83.XXX.XXX.XXX] uses pre-shared key authentication
ciscoios: child: 192.168.1.0/24 === 172.21.148.0/28 TUNNEL
Security Associations (1 up, 0 connecting):
ciscoios[1]: ESTABLISHED 78 seconds ago,
192.168.1.44[93.XXX.XXX.XXX]...83.XXX.XXX.XXX[83.XXX.XXX.XXX]
ciscoios[1]: IKEv1 SPIs: 5701ca65606e4e4d_i* 46160bea31365403_r,
pre-shared key reauthentication in 2 hours
ciscoios[1]: IKE proposal:
AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
ciscoios{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c86d1e57_i
064d5231_o
ciscoios{1}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 1140 bytes_o (15
pkts, 22s ago), rekeying in 47 minutes
ciscoios{1}: 192.168.1.0/24 === 172.21.148.0/28
root at Nachalsys ~ # ipsec listall
List of registered IKE algorithms:
encryption: AES_CBC[aes] RC2_CBC[rc2] 3DES_CBC[openssl]
CAMELLIA_CBC[openssl] CAST_CBC[openssl] BLOWFISH_CBC[openssl]
DES_CBC[openssl] DES_ECB[openssl] NULL[openssl]
integrity: HMAC_MD5_96[openssl] HMAC_MD5_128[openssl]
HMAC_SHA1_96[openssl] HMAC_SHA1_128[openssl]
HMAC_SHA1_160[openssl] HMAC_SHA2_256_128[openssl]
HMAC_SHA2_256_256[openssl] HMAC_SHA2_384_192[openssl]
HMAC_SHA2_384_384[openssl] HMAC_SHA2_512_256[openssl]
HMAC_SHA2_512_512[openssl] CAMELLIA_XCBC_96[xcbc]
AES_XCBC_96[xcbc]
aead: AES_GCM_8[openssl] AES_GCM_12[openssl] AES_GCM_16[openssl]
hasher: HASH_SHA1[sha1] HASH_SHA224[sha2] HASH_SHA256[sha2]
HASH_SHA384[sha2] HASH_SHA512[sha2] HASH_MD4[md4]
HASH_MD5[md5]
prf: PRF_KEYED_SHA1[sha1] PRF_HMAC_MD5[openssl]
PRF_HMAC_SHA1[openssl] PRF_HMAC_SHA2_256[openssl]
PRF_HMAC_SHA2_384[openssl] PRF_HMAC_SHA2_512[openssl]
PRF_FIPS_SHA1_160[fips-prf] PRF_AES128_XCBC[xcbc]
PRF_CAMELLIA128_XCBC[xcbc]
dh-group: MODP_2048[openssl] MODP_2048_224[openssl]
MODP_2048_256[openssl] MODP_1536[openssl] MODP_3072[openssl]
MODP_4096[openssl] MODP_6144[openssl] MODP_8192[openssl]
MODP_1024[openssl] MODP_1024_160[openssl]
MODP_768[openssl] MODP_CUSTOM[openssl] ECP_256[openssl]
ECP_384[openssl] ECP_521[openssl] ECP_224[openssl]
ECP_192[openssl] ECP_224_BP[openssl] ECP_256_BP[openssl]
ECP_384_BP[openssl] ECP_512_BP[openssl]
random-gen: RNG_WEAK[openssl] RNG_STRONG[random] RNG_TRUE[random]
nonce-gen: [nonce]
List of loaded Plugins:
charon:
CUSTOM:libcharon
NONCE_GEN
CUSTOM:libcharon-sa-managers
CUSTOM:libcharon-receiver
CUSTOM:kernel-ipsec
CUSTOM:kernel-net
CUSTOM:libcharon-receiver
HASHER:HASH_SHA1
RNG:RNG_STRONG
CUSTOM:socket
CUSTOM:libcharon-sa-managers
HASHER:HASH_SHA1
RNG:RNG_WEAK
test-vectors:
CUSTOM:test-vectors
aes:
CRYPTER:AES_CBC-16
CRYPTER:AES_CBC-24
CRYPTER:AES_CBC-32
rc2:
CRYPTER:RC2_CBC-0
sha1:
HASHER:HASH_SHA1
PRF:PRF_KEYED_SHA1
sha2:
HASHER:HASH_SHA224
HASHER:HASH_SHA256
HASHER:HASH_SHA384
HASHER:HASH_SHA512
md4:
HASHER:HASH_MD4
md5:
HASHER:HASH_MD5
random:
RNG:RNG_STRONG
RNG:RNG_TRUE
nonce:
NONCE_GEN
RNG:RNG_WEAK
x509:
CERT_ENCODE:X509
HASHER:HASH_SHA1
CERT_DECODE:X509
HASHER:HASH_SHA1
PUBKEY:ANY
CERT_ENCODE:X509_AC
CERT_DECODE:X509_AC
CERT_ENCODE:X509_CRL
CERT_DECODE:X509_CRL
CERT_ENCODE:X509_OCSP_REQUEST
HASHER:HASH_SHA1
RNG:RNG_WEAK
CERT_DECODE:X509_OCSP_RESPONSE
CERT_ENCODE:PKCS10_REQUEST
CERT_DECODE:PKCS10_REQUEST
revocation:
CUSTOM:revocation
CERT_ENCODE:X509_OCSP_REQUEST (soft)
CERT_DECODE:X509_OCSP_RESPONSE (soft)
CERT_DECODE:X509_CRL (soft)
CERT_DECODE:X509 (soft)
FETCHER:(null) (soft)
constraints:
CUSTOM:constraints
CERT_DECODE:X509 (soft)
pubkey:
CERT_ENCODE:TRUSTED_PUBKEY
CERT_DECODE:TRUSTED_PUBKEY
PUBKEY:RSA (soft)
PUBKEY:ECDSA (soft)
PUBKEY:DSA (soft)
pkcs1:
PRIVKEY:RSA
PUBKEY:ANY
PUBKEY:RSA (soft)
PUBKEY:ECDSA (soft)
PUBKEY:DSA (soft)
PUBKEY:RSA
pkcs7:
CONTAINER_DECODE:PKCS7
CONTAINER_ENCODE:PKCS7_DATA
CONTAINER_ENCODE:PKCS7_SIGNED_DATA
CONTAINER_ENCODE:PKCS7_ENVELOPED_DATA
pkcs8:
PRIVKEY:ANY
PRIVKEY:RSA
PRIVKEY:ECDSA
pkcs12:
CONTAINER_DECODE:PKCS12
CONTAINER_DECODE:PKCS7
CERT_DECODE:X509 (soft)
PRIVKEY:ANY (soft)
HASHER:HASH_SHA1 (soft)
CRYPTER:3DES_CBC-24 (soft)
CRYPTER:RC2_CBC-0 (soft)
pgp:
PRIVKEY:ANY
PRIVKEY:RSA
PUBKEY:ANY
PUBKEY:RSA
CERT_DECODE:PGP
dnskey:
PUBKEY:ANY
PUBKEY:RSA
sshkey:
PUBKEY:ANY
CERT_DECODE:TRUSTED_PUBKEY
pem:
PRIVKEY:ANY
PRIVKEY:ANY
HASHER:HASH_MD5 (soft)
PRIVKEY:RSA
PRIVKEY:RSA
HASHER:HASH_MD5 (soft)
PRIVKEY:ECDSA
PRIVKEY:ECDSA
HASHER:HASH_MD5 (soft)
PRIVKEY:DSA (not loaded)
PRIVKEY:DSA
HASHER:HASH_MD5 (soft)
PRIVKEY:BLISS (not loaded)
PRIVKEY:BLISS
PUBKEY:ANY
PUBKEY:ANY
PUBKEY:RSA
PUBKEY:RSA
PUBKEY:ECDSA
PUBKEY:ECDSA
PUBKEY:DSA (not loaded)
PUBKEY:DSA
PUBKEY:BLISS
CERT_DECODE:ANY
CERT_DECODE:X509 (soft)
CERT_DECODE:PGP (soft)
CERT_DECODE:X509
CERT_DECODE:X509
CERT_DECODE:X509_CRL
CERT_DECODE:X509_CRL
CERT_DECODE:X509_OCSP_REQUEST (not loaded)
CERT_DECODE:X509_OCSP_REQUEST
CERT_DECODE:X509_OCSP_RESPONSE
CERT_DECODE:X509_OCSP_RESPONSE
CERT_DECODE:X509_AC
CERT_DECODE:X509_AC
CERT_DECODE:PKCS10_REQUEST
CERT_DECODE:PKCS10_REQUEST
CERT_DECODE:TRUSTED_PUBKEY
CERT_DECODE:TRUSTED_PUBKEY
CERT_DECODE:PGP
CERT_DECODE:PGP
CONTAINER_DECODE:PKCS12
CONTAINER_DECODE:PKCS12
openssl:
CUSTOM:openssl-threading
CRYPTER:AES_CBC-16
CRYPTER:AES_CBC-24
CRYPTER:AES_CBC-32
CRYPTER:CAMELLIA_CBC-16
CRYPTER:CAMELLIA_CBC-24
CRYPTER:CAMELLIA_CBC-32
CRYPTER:CAST_CBC-0
CRYPTER:BLOWFISH_CBC-0
CRYPTER:3DES_CBC-24
CRYPTER:DES_CBC-8
CRYPTER:DES_ECB-8
CRYPTER:NULL-0
HASHER:HASH_MD4
HASHER:HASH_MD5
HASHER:HASH_SHA1
HASHER:HASH_SHA224
HASHER:HASH_SHA256
HASHER:HASH_SHA384
HASHER:HASH_SHA512
PRF:PRF_KEYED_SHA1
PRF:PRF_HMAC_MD5
PRF:PRF_HMAC_SHA1
PRF:PRF_HMAC_SHA2_256
PRF:PRF_HMAC_SHA2_384
PRF:PRF_HMAC_SHA2_512
SIGNER:HMAC_MD5_96
SIGNER:HMAC_MD5_128
SIGNER:HMAC_SHA1_96
SIGNER:HMAC_SHA1_128
SIGNER:HMAC_SHA1_160
SIGNER:HMAC_SHA2_256_128
SIGNER:HMAC_SHA2_256_256
SIGNER:HMAC_SHA2_384_192
SIGNER:HMAC_SHA2_384_384
SIGNER:HMAC_SHA2_512_256
SIGNER:HMAC_SHA2_512_512
AEAD:AES_GCM_8-16
AEAD:AES_GCM_8-24
AEAD:AES_GCM_8-32
AEAD:AES_GCM_12-16
AEAD:AES_GCM_12-24
AEAD:AES_GCM_12-32
AEAD:AES_GCM_16-16
AEAD:AES_GCM_16-24
AEAD:AES_GCM_16-32
DH:MODP_2048
DH:MODP_2048_224
DH:MODP_2048_256
DH:MODP_1536
DH:MODP_3072
DH:MODP_4096
DH:MODP_6144
DH:MODP_8192
DH:MODP_1024
DH:MODP_1024_160
DH:MODP_768
DH:MODP_CUSTOM
PRIVKEY:RSA
PRIVKEY:ANY
PRIVKEY_GEN:RSA
PUBKEY:RSA
PUBKEY:ANY
PRIVKEY_SIGN:RSA_EMSA_PKCS1_NULL
PUBKEY_VERIFY:RSA_EMSA_PKCS1_NULL
PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA1
PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA1
PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA224
PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA256
PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA224
PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA256
PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA384
PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA512
PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA384
PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA512
PRIVKEY_SIGN:RSA_EMSA_PKCS1_MD5
PUBKEY_VERIFY:RSA_EMSA_PKCS1_MD5
PRIVKEY_DECRYPT:ENCRYPT_RSA_PKCS1
PUBKEY_ENCRYPT:ENCRYPT_RSA_PKCS1
CERT_DECODE:X509
PUBKEY:RSA (soft)
PUBKEY:ECDSA (soft)
PUBKEY:DSA (soft)
CERT_DECODE:X509_CRL
CONTAINER_DECODE:PKCS7
CONTAINER_DECODE:PKCS12
DH:ECP_256
DH:ECP_384
DH:ECP_521
DH:ECP_224
DH:ECP_192
DH:ECP_224_BP
DH:ECP_256_BP
DH:ECP_384_BP
DH:ECP_512_BP
PRIVKEY:ECDSA
PRIVKEY_GEN:ECDSA
PUBKEY:ECDSA
PRIVKEY_SIGN:ECDSA_WITH_NULL
PUBKEY_VERIFY:ECDSA_WITH_NULL
PRIVKEY_SIGN:ECDSA_WITH_SHA1_DER
PUBKEY_VERIFY:ECDSA_WITH_SHA1_DER
PRIVKEY_SIGN:ECDSA_WITH_SHA256_DER
PUBKEY_VERIFY:ECDSA_WITH_SHA256_DER
PRIVKEY_SIGN:ECDSA-256
PUBKEY_VERIFY:ECDSA-256
PRIVKEY_SIGN:ECDSA_WITH_SHA384_DER
PRIVKEY_SIGN:ECDSA_WITH_SHA512_DER
PUBKEY_VERIFY:ECDSA_WITH_SHA384_DER
PUBKEY_VERIFY:ECDSA_WITH_SHA512_DER
PRIVKEY_SIGN:ECDSA-384
PRIVKEY_SIGN:ECDSA-521
PUBKEY_VERIFY:ECDSA-384
PUBKEY_VERIFY:ECDSA-521
RNG:RNG_STRONG
RNG:RNG_WEAK
fips-prf:
PRF:PRF_FIPS_SHA1_160
PRF:PRF_KEYED_SHA1
gmp:
DH:MODP_2048
RNG:RNG_STRONG
DH:MODP_2048_224
RNG:RNG_STRONG
DH:MODP_2048_256
RNG:RNG_STRONG
DH:MODP_1536
RNG:RNG_STRONG
DH:MODP_3072
RNG:RNG_STRONG
DH:MODP_4096
RNG:RNG_STRONG
DH:MODP_6144
RNG:RNG_STRONG
DH:MODP_8192
RNG:RNG_STRONG
DH:MODP_1024
RNG:RNG_STRONG
DH:MODP_1024_160
RNG:RNG_STRONG
DH:MODP_768
RNG:RNG_STRONG
DH:MODP_CUSTOM
RNG:RNG_STRONG
PRIVKEY:RSA
PRIVKEY_GEN:RSA
RNG:RNG_TRUE
PUBKEY:RSA
PRIVKEY_SIGN:RSA_EMSA_PKCS1_NULL
PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA1
HASHER:HASH_SHA1
PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA224
HASHER:HASH_SHA224
PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA256
HASHER:HASH_SHA256
PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA384
HASHER:HASH_SHA384
PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA512
HASHER:HASH_SHA512
PRIVKEY_SIGN:RSA_EMSA_PKCS1_MD5
HASHER:HASH_MD5
PUBKEY_VERIFY:RSA_EMSA_PKCS1_NULL
PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA1
HASHER:HASH_SHA1
PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA224
HASHER:HASH_SHA224
PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA256
HASHER:HASH_SHA256
PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA384
HASHER:HASH_SHA384
PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA512
HASHER:HASH_SHA512
PUBKEY_VERIFY:RSA_EMSA_PKCS1_MD5
HASHER:HASH_MD5
PRIVKEY_DECRYPT:ENCRYPT_RSA_PKCS1
PUBKEY_ENCRYPT:ENCRYPT_RSA_PKCS1
RNG:RNG_WEAK
agent:
PRIVKEY:ANY
PRIVKEY:RSA
PRIVKEY:ECDSA
xcbc:
PRF:PRF_AES128_XCBC
CRYPTER:AES_CBC-16
PRF:PRF_CAMELLIA128_XCBC
CRYPTER:CAMELLIA_CBC-16
SIGNER:CAMELLIA_XCBC_96
CRYPTER:CAMELLIA_CBC-16
SIGNER:AES_XCBC_96
CRYPTER:AES_CBC-16
hmac:
PRF:PRF_HMAC_SHA1
HASHER:HASH_SHA1
PRF:PRF_HMAC_MD5
HASHER:HASH_MD5
PRF:PRF_HMAC_SHA2_256
HASHER:HASH_SHA256
PRF:PRF_HMAC_SHA2_384
HASHER:HASH_SHA384
PRF:PRF_HMAC_SHA2_512
HASHER:HASH_SHA512
SIGNER:HMAC_SHA1_96
HASHER:HASH_SHA1
SIGNER:HMAC_SHA1_128
HASHER:HASH_SHA1
SIGNER:HMAC_SHA1_160
HASHER:HASH_SHA1
SIGNER:HMAC_MD5_96
HASHER:HASH_MD5
SIGNER:HMAC_MD5_128
HASHER:HASH_MD5
SIGNER:HMAC_SHA2_256_128
HASHER:HASH_SHA256
SIGNER:HMAC_SHA2_256_256
HASHER:HASH_SHA256
SIGNER:HMAC_SHA2_384_192
HASHER:HASH_SHA384
SIGNER:HMAC_SHA2_384_384
HASHER:HASH_SHA384
SIGNER:HMAC_SHA2_512_256
HASHER:HASH_SHA512
SIGNER:HMAC_SHA2_512_512
HASHER:HASH_SHA512
gcm:
AEAD:AES_GCM_8-16
CRYPTER:AES_CBC-16
AEAD:AES_GCM_8-24
CRYPTER:AES_CBC-24
AEAD:AES_GCM_8-32
CRYPTER:AES_CBC-32
AEAD:AES_GCM_12-16
CRYPTER:AES_CBC-16
AEAD:AES_GCM_12-24
CRYPTER:AES_CBC-24
AEAD:AES_GCM_12-32
CRYPTER:AES_CBC-32
AEAD:AES_GCM_16-16
CRYPTER:AES_CBC-16
AEAD:AES_GCM_16-24
CRYPTER:AES_CBC-24
AEAD:AES_GCM_16-32
CRYPTER:AES_CBC-32
attr:
CUSTOM:attr
kernel-netlink:
CUSTOM:kernel-ipsec
CUSTOM:kernel-net
resolve:
CUSTOM:resolve
socket-default:
CUSTOM:socket
CUSTOM:kernel-ipsec (soft)
connmark:
CUSTOM:connmark
stroke:
CUSTOM:stroke
PRIVKEY:RSA (soft)
PRIVKEY:ECDSA (soft)
PRIVKEY:DSA (soft)
PRIVKEY:BLISS (soft)
CERT_DECODE:ANY (soft)
CERT_DECODE:X509 (soft)
CERT_DECODE:X509_CRL (soft)
CERT_DECODE:X509_AC (soft)
CERT_DECODE:TRUSTED_PUBKEY (soft)
updown:
CUSTOM:updown
root at Nachalsys ~ # ip -s xfrm policy
src 172.21.148.0/28 dst 192.168.1.0/24 uid 0
dir fwd action allow index 82 priority 2867 share any flag
(0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-10-23 10:03:41 use -
tmpl src 83.XXX.XXX.XXX dst 192.168.1.44
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 172.21.148.0/28 dst 192.168.1.0/24 uid 0
dir in action allow index 72 priority 2867 share any flag
(0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-10-23 10:03:41 use -
tmpl src 83.XXX.XXX.XXX dst 192.168.1.44
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 192.168.1.0/24 dst 172.21.148.0/28 uid 0
dir out action allow index 65 priority 2867 share any flag
(0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-10-23 10:03:41 use 2017-10-23 10:04:36
tmpl src 192.168.1.44 dst 83.XXX.XXX.XXX
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket in action allow index 59 priority 0 share any flag
(0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-10-23 10:00:23 use 2017-10-23 10:03:41
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket out action allow index 52 priority 0 share any flag
(0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-10-23 10:00:23 use 2017-10-23 10:08:16
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket in action allow index 43 priority 0 share any flag
(0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-10-23 10:00:23 use 2017-10-23 10:03:40
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket out action allow index 36 priority 0 share any flag
(0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-10-23 10:00:23 use 2017-10-23 10:03:40
src ::/0 dst ::/0 uid 0
socket in action allow index 27 priority 0 share any flag
(0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-10-23 10:00:23 use -
src ::/0 dst ::/0 uid 0
socket out action allow index 20 priority 0 share any flag
(0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-10-23 10:00:23 use -
src ::/0 dst ::/0 uid 0
socket in action allow index 11 priority 0 share any flag
(0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-10-23 10:00:23 use -
src ::/0 dst ::/0 uid 0
socket out action allow index 4 priority 0 share any flag
(0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-10-23 10:00:23 use -
root at Nachalsys ~ # ip -s xfrm state
src 192.168.1.44 dst 83.XXX.XXX.XXX
proto esp spi 0x064d5231(105730609) reqid 1(0x00000001) mode tunnel
replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
auth-trunc hmac(sha1) 0x466bf4ff8b0b84b217af306707c4132461055fe4
(160 bits) 96
enc cbc(aes)
0xe904f2a626428de9ac9c0de6a7fd5ac3573b68cb50a3559a95e2ad6ba78456be (256
bits)
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0xf, bitmap 0x00000000
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 2950(sec), hard 3600(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
1140(bytes), 15(packets)
add 2017-10-23 10:03:41 use 2017-10-23 10:04:02
stats:
replay-window 0 replay 0 failed 0
src 83.XXX.XXX.XXX dst 192.168.1.44
proto esp spi 0xc86d1e57(3362594391) reqid 1(0x00000001) mode tunnel
replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
auth-trunc hmac(sha1) 0x77b5d898a1d67ae85257f02069f4d305fa79c554
(160 bits) 96
enc cbc(aes)
0x352455d84da909a0b806792889005112c77f8f4d4b344931f989c29422cbf23b (256
bits)
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 2944(sec), hard 3600(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-10-23 10:03:41 use -
stats:
replay-window 0 replay 0 failed 0
root at Nachalsys ~ # ip route list table 220
172.21.148.0/28 via 192.168.1.1 dev wlp61s0 proto static src 192.168.1.44
root at Nachalsys ~ # iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
f2b-sshd tcp -- anywhere anywhere multiport
dports ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain f2b-sshd (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
root at Nachalsys ~ # iptables-save
# Generated by iptables-save v1.6.0 on Mon Oct 23 10:09:13 2017
*nat
:PREROUTING ACCEPT [13:490]
:INPUT ACCEPT [6:266]
:OUTPUT ACCEPT [81:5229]
:POSTROUTING ACCEPT [79:5085]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
COMMIT
# Completed on Mon Oct 23 10:09:13 2017
# Generated by iptables-save v1.6.0 on Mon Oct 23 10:09:13 2017
*filter
:INPUT ACCEPT [2064:691071]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2103:365586]
:f2b-sshd - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A f2b-sshd -j RETURN
COMMIT
# Completed on Mon Oct 23 10:09:13 2017
root at Nachalsys ~ #
On Mon, Sep 4, 2017 at 9:09 PM, Noel Kuntze <
noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
> Hi,
>
> Advise for your problem and corrections for incorrect statements are found
> in the text, below
> the corresponding quoted section from your mail.
>
> On 04.09.2017 20:20, Charles-Antoine Giuliani wrote:
> > I followed the configuration at
> > https://www.strongswan.org/testing/testresults/ikev1/net2net-psk/
> > (closest configuration I could find, though the examples seem to have
> been designed for local networks)
> Those are not examples, as the introduction page to the test results
> says[1][2]. You are not supposed to use those.
> There is a dedicated article[3] on the wiki about example configurations.
> Read the introduction[4] and the article about forwarding[5] first,
> then use the configuration for the corresponding scenario (site-to-site
> scenario). The test scenarios are tests that are run in a virtualized LAN
> environment
> using QEMU, so this obviously does not correspond to a real life
> deployment. This is also made clear in the warning[2].
>
> >
> > However the computer does not manage to connect
> >
> > thyfate at DataLearning-001:~$ sudo ipsec start
> > Starting strongSwan 5.1.2 IPsec [starter]...
> > charon is already running (/var/run/charon.pid exists) -- skipping
> daemon start
> > starter is already running (/var/run/starter.charon.pid exists) -- no
> fork done
> > thyfate at DataLearning-001:~$ sudo ipsec up ciscoios
> > initiating Main Mode IKE_SA ciscoios[3554] to 83.XXX.XXX.XXX
> > generating ID_PROT request 0 [ SA V V V V ]
> > sending packet: from 93.XXX.XXX.XXX[500] to 83.XXX.XXX.XXX[500] (196
> bytes)
> > sending retransmit 1 of request message ID 0, seq 1
> > sending packet: from 93.XXX.XXX.XXX[500] to 83.XXX.XXX.XXX[500] (196
> bytes)
> > sending retransmit 2 of request message ID 0, seq 1
> > sending packet: from 93.XXX.XXX.XXX[500] to 83.XXX.XXX.XXX[500] (196
> bytes)
> > sending retransmit 3 of request message ID 0, seq 1
> > sending packet: from 93.XXX.XXX.XXX[500] to 83.XXX.XXX.XXX[500] (196
> bytes)
> > sending retransmit 4 of request message ID 0, seq 1
> > sending packet: from 93.XXX.XXX.XXX[500] to 83.XXX.XXX.XXX[500] (196
> bytes)
> > sending retransmit 5 of request message ID 0, seq 1
> > sending packet: from 93.XXX.XXX.XXX[500] to 83.XXX.XXX.XXX[500] (196
> bytes)
> > giving up after 5 retransmits
> > establishing IKE_SA failed, peer not responding
> > establishing connection 'ciscoios' failed
>
> That obviously does not work, because you are neither supposed to, nor
> allowed to send IP packets from an IP
> address that is not bound to your host. You can work around that, but it
> is neither the or even a solution to your problem
> nor advised to try to do that. At least your home router would drop the
> packets because of the bogus source. I am very certain
> that charon logs a corresponding error message in syslog or the journal,
> whenever you try to initiate the connection
>
> The "left" parameter is described as follows in the first paragraph about
> it on the man page:
> > left = <ip address> | <fqdn> | %any | <range> | <subnet>
> > The IP address of the left participant's public-network
> interface or one of several magic values. The value %any (the default) for
> the local endpoint signifies an address
> > to be filled in (by automatic keying) during negotiation.
> If the local peer initiates the connection setup the routing table will be
> queried to determine the correct local
> > IP address. In case the local peer is responding to a
> connection setup then any IP address that is assigned to a local interface
> will be accepted.
>
> As you can read, that parameter is neither appropriate nor needed in your
> case, because 93.XXX.XXX.XXX is not bound to any local interface. Just
> don't use "left". Charon is smart
> enough to determine the correct source IP by itself, as the man page
> describes.
>
> > Below some details on the setup:
> >
> > I am using Ubuntu 14.04. My computer is behind an ISP-provided router
> box where ports 500 and 4500 have been NAT - forwarded, both on TCP and
> UDP. My computer external address is 93.XXX.XXX.XXX and the local network
> the computer is on has ranges 192.168.1.XXX, the specific machine having ip
> 192.168.1.104. On the other side, a Cisco ASA 5520 is used to create the
> VPN on an external ip address of 83.XXX.XXX.XXX.
> >
> > Strongswan was installed with the following command line
> >
> > sudo apt-get install strongswan strongswan-plugin-af-alg
> strongswan-plugin-agent strongswan-plugin-certexpire
> strongswan-plugin-coupling strongswan-plugin-curl strongswan-plugin-dhcp
> strongswan-plugin-duplicheck strongswan-plugin-eap-aka
> strongswan-plugin-eap-aka-3gpp2 strongswan-plugin-eap-dynamic
> strongswan-plugin-eap-gtc strongswan-plugin-eap-mschapv2
> strongswan-plugin-eap-peap strongswan-plugin-eap-radius
> strongswan-plugin-eap-tls strongswan-plugin-eap-ttls
> strongswan-plugin-error-notify strongswan-plugin-farp
> strongswan-plugin-fips-prf strongswan-plugin-gcrypt strongswan-plugin-gmp
> strongswan-plugin-ipseckey strongswan-plugin-kernel-libipsec
> strongswan-plugin-ldap strongswan-plugin-led strongswan-plugin-load-tester
> strongswan-plugin-lookip strongswan-plugin-ntru strongswan-plugin-pgp
> strongswan-plugin-pkcs11 strongswan-plugin-pubkey strongswan-plugin-radattr
> strongswan-plugin-sshkey strongswan-plugin-systime-fix
> strongswan-plugin-whitelist strongswan-plugin-xauth-eap
> > strongswan-plugin-xauth-generic strongswan-plugin-xauth-noauth
> strongswan-plugin-xauth-pam
>
> Never do that unless you need the package and know what it does. There are
> packets that cause very hard problems and obstacles when installed without
> reason, e.g. "strongswan-plugin-kernel-libipsec". Remove that package.
>
>
> > ============================================================
> > /etc/ipsec.conf
> > ============================================================
> > # ipsec.conf - strongSwan IPsec configuration file
> >
> > # basic configuration
> >
> > config setup
> > # strictcrlpolicy=yes
> > # uniqueids = no
> >
> > # Add connections here.
> >
> > # Sample VPN connections
> >
> > #conn sample-self-signed
> > # leftsubnet=10.1.0.0/16 <http://10.1.0.0/16>
> > # leftcert=selfCert.der
> > # leftsendcert=never
> > # right=192.168.0.2
> > # rightsubnet=10.2.0.0/16 <http://10.2.0.0/16>
> > # rightcert=peerCert.der
> > # auto=start
> >
> > #conn sample-with-ca-cert
> > # leftsubnet=10.1.0.0/16 <http://10.1.0.0/16>
> > # leftcert=myCert.pem
> > # right=192.168.0.2
> > # rightsubnet=10.2.0.0/16 <http://10.2.0.0/16>
> > # rightid="C=CH, O=Linux strongSwan CN=peer name"
> > # auto=start
> >
> > conn %default
> > ikelifetime=1440m
> > keylife=60m
> > rekeymargin=3m
> > keyingtries=1
> > keyexchange=ikev1
> > authby=secret
> >
> > conn ciscoios
> > left=93.XXX.XXX.XXX #strongswan outside address
> > leftsubnet=172.31.17.0/28 <http://172.31.17.0/28>
> #network behind strongswan
> > leftid=93.XXX.XXX.XXX #IKEID sent by strongswan
> > leftfirewall=no
> > right=83.XXX.XXX.XXX #IOS outside address
> > rightsubnet=172.21.148.0/28 <http://172.21.148.0/28>
> #network behind IOS
> > rightid=83.XXX.XXX.XXX #IKEID sent by IOS
> > auto=add
> > ike=aes256-sha-modp1024 #P1: modp1024 = DH group 2
> > esp=aes256-sha1 #P2
>
> DH group 2 is broken[6]. Avoid it.
> In any case, use auto=route, don't set "left", "leftfirewall" is
> superfluous, rightid does not need to be set in your case and try to use
> PFS. It's basically free and it is good practice to use it.
> Remove anything above the "conn ciscoios" section and move
> "keyexchange=ikev1" into "conn ciscoios". Set "keyingtries=%forever",
> "leftauth=psk" and "rightauth=psk".
>
> > thyfate at DataLearning-001:~$ sudo ipsec statusall
> > [sudo] password for thyfate:
> > Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.16.0-77-generic,
> x86_64):
> > uptime: 42 days, since Jul 24 07:41:43 2017
> > malloc: sbrk 2904064, mmap 266240, used 581776, free 2322288
> > worker threads: 10 of 16 idle, 6/0/0/0 working, job queue: 0/0/0/0,
> scheduled: 1
> > loaded plugins: charon test-vectors curl unbound ldap pkcs11 aes rc2
> sha1 sha2 md4 md5 rdrand random nonce x509 revocation constraints pubkey
> pkcs1 pkcs7 pkcs8 pkcs12 pgp sshkey ipseckey pem openssl gcrypt af-alg
> fips-prf gmp xcbc cmac hmac ctr ccm gcm ntru attr kernel-netlink resolve
> socket-default farp stroke updown eap-identity eap-aka eap-aka-3gpp2
> eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap
> xauth-generic xauth-eap xauth-noauth dhcp whitelist lookip error-notify
> certexpire led duplicheck radattr addrblock
> > Listening IP addresses:
> > 192.168.1.104
> > Connections:
> > ciscoios: 93.XXX.XXX.XXX...83.XXX.XXX.XXX IKEv1
> > ciscoios: local: [93.XXX.XXX.XXX] uses pre-shared key
> authentication
> > ciscoios: remote: [83.XXX.XXX.XXX] uses pre-shared key
> authentication
> > ciscoios: child: 0.0.0.0/0 <http://0.0.0.0/0> === 172.21.148.0/28
> <http://172.21.148.0/28> TUNNEL
>
> The local TS does not match your configuration (0.0.0.0/0 <=>
> 172.31.17.0/28). Do not try to use larger traffic selectors than
> requested by the administrator
> of the other peer. Other IKE software does not implement IKEv1 traffic
> selector narrowing, so this configuration will throw errors, because the
> subnets are different from the ones configured,
> if the remote peer is for example a Cisco or Juniper device.
>
> > Security Associations (1 up, 0 connecting):
> > ciscoios[3554]: CONNECTING, 93.XXX.XXX.XXX[%any]...83.XXX.
> XXX.XXX[%any]
> > ciscoios[3554]: IKEv1 SPIs: 1b151f2a679038df_i* 0000000000000000_r
> > ciscoios[3554]: Tasks queued: QUICK_MODE
> > ciscoios[3554]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE
> MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD
> >
>
> > thyfate at DataLearning-001:~$ sudo iptables-save
> > # Generated by iptables-save v1.4.21 on Mon Sep 4 08:39:12 2017
> > *nat
> > :PREROUTING ACCEPT [14381:2557534]
> > :INPUT ACCEPT [14224:2540988]
> > :OUTPUT ACCEPT [18294:1425542]
> > :POSTROUTING ACCEPT [18294:1425542]
> > -A POSTROUTING -s 172.31.17.0/28 <http://172.31.17.0/28> -o eth0 -j
> MASQUERADE
>
> That rule will cause problems. Read the article about NAT problems[7] and
> then apply the rule to fix it.
>
> > COMMIT
> > # Completed on Mon Sep 4 08:39:12 2017
> > # Generated by iptables-save v1.4.21 on Mon Sep 4 08:39:12 2017
> > *filter
> > :INPUT ACCEPT [676542:524740723]
> > :FORWARD ACCEPT [0:0]
>
> The counters are suspiciously low. Check if forwarding is enabled. Fix it
> appropriately following the article about forwarding[5].
>
> > :OUTPUT ACCEPT [434134:197554510]
> > :fail2ban-ssh - [0:0]
> > -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
> > -A fail2ban-ssh -j RETURN
> > COMMIT
> > # Completed on Mon Sep 4 08:39:12 2017
> >
>
> Kind regards
>
> Noel
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/
> ConfigurationExamples
> [2] https://wiki.strongswan.org/projects/strongswan/wiki/
> ConfigurationExamplesNotes
> [3] https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples
> [4] https://wiki.strongswan.org/projects/strongswan/wiki/
> IntroductionTostrongSwan
> [5] https://wiki.strongswan.org/projects/strongswan/wiki/
> ForwardingAndSplitTunneling
> [6] https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations#Logjam
> (Read the paragraph titled "LogJam")
> [7] https://wiki.strongswan.org/projects/strongswan/wiki/
> ForwardingAndSplitTunneling#General-NAT-problems
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20171024/7c4c4b7b/attachment-0001.html>
More information about the Users
mailing list