[strongSwan] Help with IKEv1 Site-to-site PSK IPv4

Charles-Antoine Giuliani thethyfate at gmail.com
Mon Sep 4 20:20:02 CEST 2017


Hi to all,

I am trying to configure a VPN, site to site, with IKEv1 and a pre-shared
key on IPv4.

I followed the configuration at
https://www.strongswan.org/testing/testresults/ikev1/net2net-psk/
(closest configuration I could find, though the examples seem to have been
designed for local networks)

However, the computer does not manage to connect:

thyfate at DataLearning-001:~$ sudo ipsec start
Starting strongSwan 5.1.2 IPsec [starter]...
charon is already running (/var/run/charon.pid exists) -- skipping daemon start
starter is already running (/var/run/starter.charon.pid exists) -- no fork done
thyfate at DataLearning-001:~$ sudo ipsec up ciscoios
initiating Main Mode IKE_SA ciscoios[3554] to 83.XXX.XXX.XXX
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 93.XXX.XXX.XXX[500] to 83.XXX.XXX.XXX[500] (196 bytes)
sending retransmit 1 of request message ID 0, seq 1
sending packet: from 93.XXX.XXX.XXX[500] to 83.XXX.XXX.XXX[500] (196 bytes)
sending retransmit 2 of request message ID 0, seq 1
sending packet: from 93.XXX.XXX.XXX[500] to 83.XXX.XXX.XXX[500] (196 bytes)
sending retransmit 3 of request message ID 0, seq 1
sending packet: from 93.XXX.XXX.XXX[500] to 83.XXX.XXX.XXX[500] (196 bytes)
sending retransmit 4 of request message ID 0, seq 1
sending packet: from 93.XXX.XXX.XXX[500] to 83.XXX.XXX.XXX[500] (196 bytes)
sending retransmit 5 of request message ID 0, seq 1
sending packet: from 93.XXX.XXX.XXX[500] to 83.XXX.XXX.XXX[500] (196 bytes)
giving up after 5 retransmits
establishing IKE_SA failed, peer not responding
establishing connection 'ciscoios' failed

Any help would be greatly appreciated!

Thanks in advance,



Below are some details on the setup:

I am using Ubuntu 14.04. My computer is behind an ISP-provided router box
where ports 500 and 4500 have been NAT-forwarded, both on TCP and UDP. My
computer's external address is 93.XXX.XXX.XXX and the local network the
computer is on has the range 192.168.1.XXX, the specific machine having IP
192.168.1.104. On the other side, a Cisco ASA 5520 is used to create the
VPN on an external IP address of 83.XXX.XXX.XXX.

strongSwan was installed with the following command line:

sudo apt-get install strongswan strongswan-plugin-af-alg
strongswan-plugin-agent strongswan-plugin-certexpire
strongswan-plugin-coupling strongswan-plugin-curl strongswan-plugin-dhcp
strongswan-plugin-duplicheck strongswan-plugin-eap-aka
strongswan-plugin-eap-aka-3gpp2 strongswan-plugin-eap-dynamic
strongswan-plugin-eap-gtc strongswan-plugin-eap-mschapv2
strongswan-plugin-eap-peap strongswan-plugin-eap-radius
strongswan-plugin-eap-tls strongswan-plugin-eap-ttls
strongswan-plugin-error-notify strongswan-plugin-farp
strongswan-plugin-fips-prf strongswan-plugin-gcrypt strongswan-plugin-gmp
strongswan-plugin-ipseckey strongswan-plugin-kernel-libipsec
strongswan-plugin-ldap strongswan-plugin-led strongswan-plugin-load-tester
strongswan-plugin-lookip strongswan-plugin-ntru strongswan-plugin-pgp
strongswan-plugin-pkcs11 strongswan-plugin-pubkey strongswan-plugin-radattr
strongswan-plugin-sshkey strongswan-plugin-systime-fix
strongswan-plugin-whitelist strongswan-plugin-xauth-eap
strongswan-plugin-xauth-generic strongswan-plugin-xauth-noauth
strongswan-plugin-xauth-pam

The following configuration files are used:

============================================================
/etc/strongswan.conf
============================================================
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
load_modular = yes
plugins {
include strongswan.d/charon/*.conf
}
}

include strongswan.d/*.conf



============================================================
/etc/ipsec.conf
============================================================
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
# strictcrlpolicy=yes
# uniqueids = no

# Add connections here.

# Sample VPN connections

#conn sample-self-signed
#      leftsubnet=10.1.0.0/16
#      leftcert=selfCert.der
#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start

#conn sample-with-ca-cert
#      leftsubnet=10.1.0.0/16
#      leftcert=myCert.pem
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightid="C=CH, O=Linux strongSwan CN=peer name"
#      auto=start

conn %default
        ikelifetime=1440m
        keylife=60m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        authby=secret

conn ciscoios
        left=93.XXX.XXX.XXX                  #strongswan outside address
        leftsubnet=172.31.17.0/28         #network behind strongswan
        leftid=93.XXX.XXX.XXX                #IKEID sent by strongswan
        leftfirewall=no
        right=83.XXX.XXX.XXX                 #IOS outside address
        rightsubnet=172.21.148.0/28        #network behind IOS
        rightid=83.XXX.XXX.XXX               #IKEID sent by IOS
        auto=add
        ike=aes256-sha-modp1024           #P1: modp1024 = DH group 2
        esp=aes256-sha1                   #P2





============================================================
/etc/ipsec.secrets
============================================================
# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.  Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".

83.XXX.XXX.XXX : PSK "XXXXXX"









============================================================
Various command line results
============================================================
thyfate at DataLearning-001:~$ sudo ipsec --version
Linux strongSwan U5.1.2/K3.16.0-77-generic
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.




thyfate at DataLearning-001:~$ sudo ipsec statusall
[sudo] password for thyfate:
Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.16.0-77-generic, x86_64):
  uptime: 42 days, since Jul 24 07:41:43 2017
  malloc: sbrk 2904064, mmap 266240, used 581776, free 2322288
  worker threads: 10 of 16 idle, 6/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
  loaded plugins: charon test-vectors curl unbound ldap pkcs11 aes rc2 sha1
sha2 md4 md5 rdrand random nonce x509 revocation constraints pubkey pkcs1
pkcs7 pkcs8 pkcs12 pgp sshkey ipseckey pem openssl gcrypt af-alg fips-prf
gmp xcbc cmac hmac ctr ccm gcm ntru attr kernel-netlink resolve
socket-default farp stroke updown eap-identity eap-aka eap-aka-3gpp2
eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap
xauth-generic xauth-eap xauth-noauth dhcp whitelist lookip error-notify
certexpire led duplicheck radattr addrblock
Listening IP addresses:
  192.168.1.104
Connections:
    ciscoios:  93.XXX.XXX.XXX...83.XXX.XXX.XXX  IKEv1
    ciscoios:   local:  [93.XXX.XXX.XXX] uses pre-shared key authentication
    ciscoios:   remote: [83.XXX.XXX.XXX] uses pre-shared key authentication
    ciscoios:   child:  0.0.0.0/0 === 172.21.148.0/28 TUNNEL
Security Associations (1 up, 0 connecting):
    ciscoios[3554]: CONNECTING, 93.XXX.XXX.XXX[%any]...83.XXX.XXX.XXX[%any]
    ciscoios[3554]: IKEv1 SPIs: 1b151f2a679038df_i* 0000000000000000_r
    ciscoios[3554]: Tasks queued: QUICK_MODE
    ciscoios[3554]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE
ISAKMP_CERT_POST ISAKMP_NATD




thyfate at DataLearning-001:~$ sudo ipsec listall
[sudo] password for thyfate:

List of registered IKE algorithms:

  encryption: DES_CBC[openssl] 3DES_CBC[openssl] CAST_CBC[openssl]
BLOWFISH_CBC[openssl] NULL[openssl] AES_CBC[aes]
              AES_CTR[gcrypt] CAMELLIA_CBC[openssl] CAMELLIA_CTR[gcrypt]
DES_ECB[openssl] SERPENT_CBC[gcrypt]
              TWOFISH_CBC[gcrypt] RC2_CBC[rc2]
  integrity:  HMAC_MD5_96[openssl] HMAC_SHA1_96[openssl]
AES_XCBC_96[af-alg] HMAC_MD5_128[openssl]
              HMAC_SHA1_160[openssl] AES_CMAC_96[cmac]
HMAC_SHA2_256_128[openssl] HMAC_SHA2_384_192[openssl]
              HMAC_SHA2_512_256[openssl] HMAC_SHA1_128[openssl]
HMAC_SHA2_256_96[af-alg] HMAC_SHA2_256_256[openssl]
              HMAC_SHA2_384_384[openssl] HMAC_SHA2_512_512[openssl]
CAMELLIA_XCBC_96[af-alg]
  aead:       AES_CCM_8[ccm] AES_CCM_12[ccm] AES_CCM_16[ccm]
AES_GCM_8[openssl] AES_GCM_12[openssl] AES_GCM_16[openssl]
              CAMELLIA_CCM_8[ccm] CAMELLIA_CCM_12[ccm] CAMELLIA_CCM_16[ccm]
  hasher:     HASH_MD4[md4] HASH_MD5[md5] HASH_SHA1[sha1] HASH_SHA224[sha2]
HASH_SHA256[sha2] HASH_SHA384[sha2]
              HASH_SHA512[sha2]
  prf:        PRF_HMAC_MD5[openssl] PRF_HMAC_SHA1[openssl]
PRF_AES128_XCBC[af-alg] PRF_HMAC_SHA2_256[openssl]
              PRF_HMAC_SHA2_384[openssl] PRF_HMAC_SHA2_512[openssl]
PRF_AES128_CMAC[cmac] PRF_FIPS_SHA1_160[fips-prf]
              PRF_KEYED_SHA1[sha1] PRF_CAMELLIA128_XCBC[af-alg]
  dh-group:   MODP_768[openssl] MODP_1024[openssl] MODP_1536[openssl]
MODP_2048[openssl] MODP_3072[openssl]
              MODP_4096[openssl] MODP_6144[openssl] MODP_8192[openssl]
ECP_256[openssl] ECP_384[openssl]
              ECP_521[openssl] MODP_1024_160[openssl]
MODP_2048_224[openssl] MODP_2048_256[openssl] ECP_192[openssl]
              ECP_224[openssl] ECP_224_BP[openssl] ECP_256_BP[openssl]
ECP_384_BP[openssl] ECP_512_BP[openssl]
              NTRU_112[ntru] NTRU_128[ntru] NTRU_192[ntru] NTRU_256[ntru]
MODP_CUSTOM[openssl]
  random-gen: RNG_WEAK[rdrand] RNG_STRONG[rdrand] RNG_TRUE[rdrand]
  nonce-gen:  [nonce]

List of loaded Plugins:

charon:
    CUSTOM:libcharon
        NONCE_GEN
        CUSTOM:libcharon-receiver
        CUSTOM:kernel-ipsec
        CUSTOM:kernel-net
    CUSTOM:libcharon-receiver
        HASHER:HASH_SHA1
        RNG:RNG_STRONG
        CUSTOM:socket
test-vectors:
    CUSTOM:test-vectors
curl:
    FETCHER:file://
    FETCHER:http://
    FETCHER:https://
    FETCHER:ftp://
unbound:
    RESOLVER
ldap:
    FETCHER:ldap://
    FETCHER:ldaps://
pkcs11:
    CUSTOM:pkcs11-certs
        CERT_DECODE:X509
    PRIVKEY:ANY
aes:
    CRYPTER:AES_CBC-16
    CRYPTER:AES_CBC-24
    CRYPTER:AES_CBC-32
rc2:
    CRYPTER:RC2_CBC-0
sha1:
    HASHER:HASH_SHA1
    PRF:PRF_KEYED_SHA1
sha2:
    HASHER:HASH_SHA224
    HASHER:HASH_SHA256
    HASHER:HASH_SHA384
    HASHER:HASH_SHA512
md4:
    HASHER:HASH_MD4
md5:
    HASHER:HASH_MD5
rdrand:
    RNG:RNG_WEAK
    RNG:RNG_STRONG
    RNG:RNG_TRUE
        CRYPTER:AES_CBC-16
random:
    RNG:RNG_STRONG
    RNG:RNG_TRUE
nonce:
    NONCE_GEN
        RNG:RNG_WEAK
x509:
    CERT_ENCODE:X509
        HASHER:HASH_SHA1
    CERT_DECODE:X509
        HASHER:HASH_SHA1
        PUBKEY:RSA (soft)
        PUBKEY:ECDSA (soft)
        PUBKEY:DSA (soft)
    CERT_ENCODE:X509_AC
    CERT_DECODE:X509_AC
    CERT_ENCODE:X509_CRL
    CERT_DECODE:X509_CRL
    CERT_ENCODE:X509_OCSP_REQUEST
        HASHER:HASH_SHA1
        RNG:RNG_WEAK
    CERT_DECODE:X509_OCSP_RESPONSE
    CERT_ENCODE:PKCS10_REQUEST
    CERT_DECODE:PKCS10_REQUEST
revocation:
    CUSTOM:revocation
        CERT_ENCODE:X509_OCSP_REQUEST (soft)
        CERT_DECODE:X509_OCSP_RESPONSE (soft)
        CERT_DECODE:X509_CRL (soft)
        CERT_DECODE:X509 (soft)
        FETCHER:(null) (soft)
constraints:
    CUSTOM:constraints
        CERT_DECODE:X509 (soft)
pubkey:
    CERT_ENCODE:TRUSTED_PUBKEY
    CERT_DECODE:TRUSTED_PUBKEY
        PUBKEY:RSA (soft)
        PUBKEY:ECDSA (soft)
        PUBKEY:DSA (soft)
pkcs1:
    PRIVKEY:RSA
    PUBKEY:ANY
    PUBKEY:RSA
pkcs7:
    CONTAINER_DECODE:PKCS7
    CONTAINER_ENCODE:PKCS7_DATA
    CONTAINER_ENCODE:PKCS7_SIGNED_DATA
    CONTAINER_ENCODE:PKCS7_ENVELOPED_DATA
pkcs8:
    PRIVKEY:ANY
    PRIVKEY:RSA
    PRIVKEY:ECDSA
pkcs12:
    CONTAINER_DECODE:PKCS12
        CONTAINER_DECODE:PKCS7
        CERT_DECODE:X509 (soft)
        PRIVKEY:ANY (soft)
        HASHER:HASH_SHA1 (soft)
        CRYPTER:3DES_CBC-24 (soft)
        CRYPTER:RC2_CBC-0 (soft)
pgp:
    PRIVKEY:ANY
    PRIVKEY:RSA
    PUBKEY:ANY
    PUBKEY:RSA
    CERT_DECODE:PGP
sshkey:
    PUBKEY:ANY
ipseckey:
    CUSTOM:ipseckey
        RESOLVER
        PUBKEY:RSA
        CERT_ENCODE:TRUSTED_PUBKEY
pem:
    PRIVKEY:ANY
        PRIVKEY:ANY
        HASHER:HASH_MD5 (soft)
    PRIVKEY:RSA
        PRIVKEY:RSA
        HASHER:HASH_MD5 (soft)
    PRIVKEY:ECDSA
        PRIVKEY:ECDSA
        HASHER:HASH_MD5 (soft)
    PRIVKEY:DSA (not loaded)
        PRIVKEY:DSA
        HASHER:HASH_MD5 (soft)
    PUBKEY:ANY
        PUBKEY:ANY
    PUBKEY:RSA
        PUBKEY:RSA
    PUBKEY:ECDSA
        PUBKEY:ECDSA
    PUBKEY:DSA (not loaded)
        PUBKEY:DSA
    CERT_DECODE:ANY
        CERT_DECODE:X509 (soft)
        CERT_DECODE:PGP (soft)
    CERT_DECODE:X509
        CERT_DECODE:X509
    CERT_DECODE:X509_CRL
        CERT_DECODE:X509_CRL
    CERT_DECODE:X509_OCSP_REQUEST (not loaded)
        CERT_DECODE:X509_OCSP_REQUEST
    CERT_DECODE:X509_OCSP_RESPONSE
        CERT_DECODE:X509_OCSP_RESPONSE
    CERT_DECODE:X509_AC
        CERT_DECODE:X509_AC
    CERT_DECODE:PKCS10_REQUEST
        CERT_DECODE:PKCS10_REQUEST
    CERT_DECODE:TRUSTED_PUBKEY
        CERT_DECODE:TRUSTED_PUBKEY
    CERT_DECODE:PGP
        CERT_DECODE:PGP
    CONTAINER_DECODE:PKCS12
        CONTAINER_DECODE:PKCS12
openssl:
    CRYPTER:AES_CBC-16
    CRYPTER:AES_CBC-24
    CRYPTER:AES_CBC-32
    CRYPTER:CAMELLIA_CBC-16
    CRYPTER:CAMELLIA_CBC-24
    CRYPTER:CAMELLIA_CBC-32
    CRYPTER:CAST_CBC-0
    CRYPTER:BLOWFISH_CBC-0
    CRYPTER:3DES_CBC-24
    CRYPTER:DES_CBC-8
    CRYPTER:DES_ECB-8
    CRYPTER:NULL-0
    HASHER:HASH_MD4
    HASHER:HASH_MD5
    HASHER:HASH_SHA1
    HASHER:HASH_SHA224
    HASHER:HASH_SHA256
    HASHER:HASH_SHA384
    HASHER:HASH_SHA512
    PRF:PRF_KEYED_SHA1
    PRF:PRF_HMAC_MD5
    PRF:PRF_HMAC_SHA1
    PRF:PRF_HMAC_SHA2_256
    PRF:PRF_HMAC_SHA2_384
    PRF:PRF_HMAC_SHA2_512
    SIGNER:HMAC_MD5_96
    SIGNER:HMAC_MD5_128
    SIGNER:HMAC_SHA1_96
    SIGNER:HMAC_SHA1_128
    SIGNER:HMAC_SHA1_160
    SIGNER:HMAC_SHA2_256_128
    SIGNER:HMAC_SHA2_256_256
    SIGNER:HMAC_SHA2_384_192
    SIGNER:HMAC_SHA2_384_384
    SIGNER:HMAC_SHA2_512_256
    SIGNER:HMAC_SHA2_512_512
    AEAD:AES_GCM_8-16
    AEAD:AES_GCM_8-24
    AEAD:AES_GCM_8-32
    AEAD:AES_GCM_12-16
    AEAD:AES_GCM_12-24
    AEAD:AES_GCM_12-32
    AEAD:AES_GCM_16-16
    AEAD:AES_GCM_16-24
    AEAD:AES_GCM_16-32
    DH:MODP_2048
    DH:MODP_2048_224
    DH:MODP_2048_256
    DH:MODP_1536
    DH:MODP_3072
    DH:MODP_4096
    DH:MODP_6144
    DH:MODP_8192
    DH:MODP_1024
    DH:MODP_1024_160
    DH:MODP_768
    DH:MODP_CUSTOM
    PRIVKEY:RSA
    PRIVKEY:ANY
    PRIVKEY_GEN:RSA
    PUBKEY:RSA
    PUBKEY:ANY
    PRIVKEY_SIGN:RSA_EMSA_PKCS1_NULL
    PUBKEY_VERIFY:RSA_EMSA_PKCS1_NULL
    PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA1
    PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA1
    PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA224
    PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA256
    PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA224
    PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA256
    PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA384
    PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA512
    PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA384
    PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA512
    PRIVKEY_SIGN:RSA_EMSA_PKCS1_MD5
    PUBKEY_VERIFY:RSA_EMSA_PKCS1_MD5
    PRIVKEY_DECRYPT:ENCRYPT_RSA_PKCS1
    PUBKEY_ENCRYPT:ENCRYPT_RSA_PKCS1
    CERT_DECODE:X509
        PUBKEY:RSA (soft)
        PUBKEY:ECDSA (soft)
        PUBKEY:DSA (soft)
    CERT_DECODE:X509_CRL
    CONTAINER_DECODE:PKCS7
    CONTAINER_DECODE:PKCS12
    DH:ECP_256
    DH:ECP_384
    DH:ECP_521
    DH:ECP_224
    DH:ECP_192
    DH:ECP_224_BP
    DH:ECP_256_BP
    DH:ECP_384_BP
    DH:ECP_512_BP
    PRIVKEY:ECDSA
    PRIVKEY_GEN:ECDSA
    PUBKEY:ECDSA
    PRIVKEY_SIGN:ECDSA_WITH_NULL
    PUBKEY_VERIFY:ECDSA_WITH_NULL
    PRIVKEY_SIGN:ECDSA_WITH_SHA1_DER
    PUBKEY_VERIFY:ECDSA_WITH_SHA1_DER
    PRIVKEY_SIGN:ECDSA_WITH_SHA256_DER
    PUBKEY_VERIFY:ECDSA_WITH_SHA256_DER
    PRIVKEY_SIGN:ECDSA-256
    PUBKEY_VERIFY:ECDSA-256
    PRIVKEY_SIGN:ECDSA_WITH_SHA384_DER
    PRIVKEY_SIGN:ECDSA_WITH_SHA512_DER
    PUBKEY_VERIFY:ECDSA_WITH_SHA384_DER
    PUBKEY_VERIFY:ECDSA_WITH_SHA512_DER
    PRIVKEY_SIGN:ECDSA-384
    PRIVKEY_SIGN:ECDSA-521
    PUBKEY_VERIFY:ECDSA-384
    PUBKEY_VERIFY:ECDSA-521
    RNG:RNG_STRONG
    RNG:RNG_WEAK
gcrypt:
    CRYPTER:AES_CTR-16
    CRYPTER:AES_CTR-24
    CRYPTER:AES_CTR-32
    CRYPTER:AES_CBC-16
    CRYPTER:AES_CBC-24
    CRYPTER:AES_CBC-32
    CRYPTER:BLOWFISH_CBC-16
    CRYPTER:CAMELLIA_CTR-16
    CRYPTER:CAMELLIA_CTR-24
    CRYPTER:CAMELLIA_CTR-32
    CRYPTER:CAMELLIA_CBC-16
    CRYPTER:CAMELLIA_CBC-24
    CRYPTER:CAMELLIA_CBC-32
    CRYPTER:CAST_CBC-0
    CRYPTER:3DES_CBC-24
    CRYPTER:DES_CBC-8
    CRYPTER:DES_ECB-8
    CRYPTER:SERPENT_CBC-16
    CRYPTER:SERPENT_CBC-24
    CRYPTER:SERPENT_CBC-32
    CRYPTER:TWOFISH_CBC-16
    CRYPTER:TWOFISH_CBC-32
    HASHER:HASH_MD4
    HASHER:HASH_MD5
    HASHER:HASH_SHA1
    HASHER:HASH_SHA224
    HASHER:HASH_SHA256
    HASHER:HASH_SHA384
    HASHER:HASH_SHA512
    DH:MODP_2048
    DH:MODP_2048_224
    DH:MODP_2048_256
    DH:MODP_1536
    DH:MODP_3072
    DH:MODP_4096
    DH:MODP_6144
    DH:MODP_8192
    DH:MODP_1024
    DH:MODP_1024_160
    DH:MODP_768
    DH:MODP_CUSTOM
    PUBKEY:RSA
    PRIVKEY:RSA
    PRIVKEY_GEN:RSA
    RNG:RNG_WEAK
    RNG:RNG_STRONG
    RNG:RNG_TRUE
af-alg:
    HASHER:HASH_MD4
    HASHER:HASH_MD5
    HASHER:HASH_SHA1
    HASHER:HASH_SHA224
    HASHER:HASH_SHA256
    HASHER:HASH_SHA384
    HASHER:HASH_SHA512
    SIGNER:HMAC_SHA1_96
    SIGNER:HMAC_SHA1_128
    SIGNER:HMAC_SHA1_160
    SIGNER:HMAC_SHA2_256_96
    SIGNER:HMAC_SHA2_256_128
    SIGNER:HMAC_MD5_96
    SIGNER:HMAC_MD5_128
    SIGNER:HMAC_SHA2_256_256
    SIGNER:HMAC_SHA2_384_192
    SIGNER:HMAC_SHA2_384_384
    SIGNER:HMAC_SHA2_512_256
    SIGNER:HMAC_SHA2_512_512
    SIGNER:AES_XCBC_96
    SIGNER:CAMELLIA_XCBC_96
    PRF:PRF_HMAC_SHA1
    PRF:PRF_HMAC_SHA2_256
    PRF:PRF_HMAC_MD5
    PRF:PRF_HMAC_SHA2_384
    PRF:PRF_HMAC_SHA2_512
    PRF:PRF_AES128_XCBC
    PRF:PRF_CAMELLIA128_XCBC
    CRYPTER:DES_CBC-8
    CRYPTER:DES_ECB-8
    CRYPTER:3DES_CBC-24
    CRYPTER:AES_CBC-16
    CRYPTER:AES_CBC-24
    CRYPTER:AES_CBC-32
    CRYPTER:AES_CTR-16
    CRYPTER:AES_CTR-24
    CRYPTER:AES_CTR-32
    CRYPTER:CAMELLIA_CBC-16
    CRYPTER:CAMELLIA_CBC-24
    CRYPTER:CAMELLIA_CBC-32
    CRYPTER:CAMELLIA_CTR-16
    CRYPTER:CAMELLIA_CTR-24
    CRYPTER:CAMELLIA_CTR-32
    CRYPTER:CAST_CBC-16
    CRYPTER:BLOWFISH_CBC-16
    CRYPTER:BLOWFISH_CBC-24
    CRYPTER:BLOWFISH_CBC-32
    CRYPTER:SERPENT_CBC-16
    CRYPTER:SERPENT_CBC-24
    CRYPTER:SERPENT_CBC-32
    CRYPTER:TWOFISH_CBC-16
    CRYPTER:TWOFISH_CBC-24
    CRYPTER:TWOFISH_CBC-32
fips-prf:
    PRF:PRF_FIPS_SHA1_160
        PRF:PRF_KEYED_SHA1
gmp:
    DH:MODP_2048
        RNG:RNG_STRONG
    DH:MODP_2048_224
        RNG:RNG_STRONG
    DH:MODP_2048_256
        RNG:RNG_STRONG
    DH:MODP_1536
        RNG:RNG_STRONG
    DH:MODP_3072
        RNG:RNG_STRONG
    DH:MODP_4096
        RNG:RNG_STRONG
    DH:MODP_6144
        RNG:RNG_STRONG
    DH:MODP_8192
        RNG:RNG_STRONG
    DH:MODP_1024
        RNG:RNG_STRONG
    DH:MODP_1024_160
        RNG:RNG_STRONG
    DH:MODP_768
        RNG:RNG_STRONG
    DH:MODP_CUSTOM
        RNG:RNG_STRONG
    PRIVKEY:RSA
    PRIVKEY_GEN:RSA
        RNG:RNG_TRUE
    PUBKEY:RSA
    PRIVKEY_SIGN:RSA_EMSA_PKCS1_NULL
    PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA1
        HASHER:HASH_SHA1
    PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA224
        HASHER:HASH_SHA224
    PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA256
        HASHER:HASH_SHA256
    PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA384
        HASHER:HASH_SHA384
    PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA512
        HASHER:HASH_SHA512
    PRIVKEY_SIGN:RSA_EMSA_PKCS1_MD5
        HASHER:HASH_MD5
    PUBKEY_VERIFY:RSA_EMSA_PKCS1_NULL
    PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA1
        HASHER:HASH_SHA1
    PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA224
        HASHER:HASH_SHA224
    PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA256
        HASHER:HASH_SHA256
    PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA384
        HASHER:HASH_SHA384
    PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA512
        HASHER:HASH_SHA512
    PUBKEY_VERIFY:RSA_EMSA_PKCS1_MD5
        HASHER:HASH_MD5
    PRIVKEY_DECRYPT:ENCRYPT_RSA_PKCS1
    PUBKEY_ENCRYPT:ENCRYPT_RSA_PKCS1
        RNG:RNG_WEAK
xcbc:
    PRF:PRF_AES128_XCBC
        CRYPTER:AES_CBC-16
    PRF:PRF_CAMELLIA128_XCBC
        CRYPTER:CAMELLIA_CBC-16
    SIGNER:CAMELLIA_XCBC_96
        CRYPTER:CAMELLIA_CBC-16
    SIGNER:AES_XCBC_96
        CRYPTER:AES_CBC-16
cmac:
    PRF:PRF_AES128_CMAC
        CRYPTER:AES_CBC-16
    SIGNER:AES_CMAC_96
        CRYPTER:AES_CBC-16
hmac:
    PRF:PRF_HMAC_SHA1
        HASHER:HASH_SHA1
    PRF:PRF_HMAC_MD5
        HASHER:HASH_MD5
    PRF:PRF_HMAC_SHA2_256
        HASHER:HASH_SHA256
    PRF:PRF_HMAC_SHA2_384
        HASHER:HASH_SHA384
    PRF:PRF_HMAC_SHA2_512
        HASHER:HASH_SHA512
    SIGNER:HMAC_SHA1_96
        HASHER:HASH_SHA1
    SIGNER:HMAC_SHA1_128
        HASHER:HASH_SHA1
    SIGNER:HMAC_SHA1_160
        HASHER:HASH_SHA1
    SIGNER:HMAC_MD5_96
        HASHER:HASH_MD5
    SIGNER:HMAC_MD5_128
        HASHER:HASH_MD5
    SIGNER:HMAC_SHA2_256_128
        HASHER:HASH_SHA256
    SIGNER:HMAC_SHA2_256_256
        HASHER:HASH_SHA256
    SIGNER:HMAC_SHA2_384_192
        HASHER:HASH_SHA384
    SIGNER:HMAC_SHA2_384_384
        HASHER:HASH_SHA384
    SIGNER:HMAC_SHA2_512_256
        HASHER:HASH_SHA512
    SIGNER:HMAC_SHA2_512_512
        HASHER:HASH_SHA512
ctr:
    CRYPTER:AES_CTR-16
        CRYPTER:AES_CBC-16
    CRYPTER:AES_CTR-24
        CRYPTER:AES_CBC-24
    CRYPTER:AES_CTR-32
        CRYPTER:AES_CBC-32
    CRYPTER:CAMELLIA_CTR-16
        CRYPTER:CAMELLIA_CBC-16
    CRYPTER:CAMELLIA_CTR-24
        CRYPTER:CAMELLIA_CBC-24
    CRYPTER:CAMELLIA_CTR-32
        CRYPTER:CAMELLIA_CBC-32
ccm:
    AEAD:AES_CCM_8-16
        CRYPTER:AES_CBC-16
    AEAD:AES_CCM_8-24
        CRYPTER:AES_CBC-24
    AEAD:AES_CCM_8-32
        CRYPTER:AES_CBC-32
    AEAD:AES_CCM_12-16
        CRYPTER:AES_CBC-16
    AEAD:AES_CCM_12-24
        CRYPTER:AES_CBC-24
    AEAD:AES_CCM_12-32
        CRYPTER:AES_CBC-32
    AEAD:AES_CCM_16-16
        CRYPTER:AES_CBC-16
    AEAD:AES_CCM_16-24
        CRYPTER:AES_CBC-24
    AEAD:AES_CCM_16-32
        CRYPTER:AES_CBC-32
    AEAD:CAMELLIA_CCM_8-16
        CRYPTER:CAMELLIA_CBC-16
    AEAD:CAMELLIA_CCM_8-24
        CRYPTER:CAMELLIA_CBC-24
    AEAD:CAMELLIA_CCM_8-32
        CRYPTER:CAMELLIA_CBC-32
    AEAD:CAMELLIA_CCM_12-16
        CRYPTER:CAMELLIA_CBC-16
    AEAD:CAMELLIA_CCM_12-24
        CRYPTER:CAMELLIA_CBC-24
    AEAD:CAMELLIA_CCM_12-32
        CRYPTER:CAMELLIA_CBC-32
    AEAD:CAMELLIA_CCM_16-16
        CRYPTER:CAMELLIA_CBC-16
    AEAD:CAMELLIA_CCM_16-24
        CRYPTER:CAMELLIA_CBC-24
    AEAD:CAMELLIA_CCM_16-32
        CRYPTER:CAMELLIA_CBC-32
gcm:
    AEAD:AES_GCM_8-16
        CRYPTER:AES_CBC-16
    AEAD:AES_GCM_8-24
        CRYPTER:AES_CBC-24
    AEAD:AES_GCM_8-32
        CRYPTER:AES_CBC-32
    AEAD:AES_GCM_12-16
        CRYPTER:AES_CBC-16
    AEAD:AES_GCM_12-24
        CRYPTER:AES_CBC-24
    AEAD:AES_GCM_12-32
        CRYPTER:AES_CBC-32
    AEAD:AES_GCM_16-16
        CRYPTER:AES_CBC-16
    AEAD:AES_GCM_16-24
        CRYPTER:AES_CBC-24
    AEAD:AES_GCM_16-32
        CRYPTER:AES_CBC-32
ntru:
    DH:NTRU_112
    DH:NTRU_128
    DH:NTRU_192
    DH:NTRU_256
        RNG:RNG_TRUE
        SIGNER:HMAC_SHA2_256_256
        HASHER:HASH_SHA256
        HASHER:HASH_SHA1 (soft)
attr:
    CUSTOM:attr
kernel-netlink:
    CUSTOM:kernel-ipsec
    CUSTOM:kernel-net
resolve:
    CUSTOM:resolve
socket-default:
    CUSTOM:socket
        CUSTOM:kernel-ipsec (soft)
farp:
    CUSTOM:farp
stroke:
    CUSTOM:stroke
        PRIVKEY:RSA (soft)
        PRIVKEY:ECDSA (soft)
        PRIVKEY:DSA (soft)
        CERT_DECODE:ANY (soft)
        CERT_DECODE:X509 (soft)
        CERT_DECODE:X509_CRL (soft)
        CERT_DECODE:X509_AC (soft)
        CERT_DECODE:TRUSTED_PUBKEY (soft)
updown:
    CUSTOM:updown
eap-identity:
    EAP_SERVER:ID
    EAP_CLIENT:ID
eap-aka:
    CUSTOM:aka-manager
    EAP_SERVER:AKA
        RNG:RNG_WEAK
        HASHER:HASH_SHA1
        PRF:PRF_FIPS_SHA1_160
        SIGNER:HMAC_SHA1_128
        CRYPTER:AES_CBC-16
    EAP_CLIENT:AKA
        RNG:RNG_WEAK
        HASHER:HASH_SHA1
        PRF:PRF_FIPS_SHA1_160
        SIGNER:HMAC_SHA1_128
        CRYPTER:AES_CBC-16
eap-aka-3gpp2:
    CUSTOM:eap-aka-3gpp2-functions
        PRF:PRF_KEYED_SHA1
    CUSTOM:aka-card
        CUSTOM:aka-manager
        CUSTOM:eap-aka-3gpp2-functions
    CUSTOM:aka-provider
        CUSTOM:aka-manager
        CUSTOM:eap-aka-3gpp2-functions
eap-gtc:
    EAP_SERVER:GTC
    EAP_CLIENT:GTC
eap-mschapv2:
    EAP_SERVER:MSCHAPV2
        CRYPTER:DES_ECB-8
        HASHER:HASH_MD4
        HASHER:HASH_SHA1
        RNG:RNG_WEAK
    EAP_CLIENT:MSCHAPV2
        CRYPTER:DES_ECB-8
        HASHER:HASH_MD4
        HASHER:HASH_SHA1
        RNG:RNG_WEAK
eap-dynamic:
    EAP_SERVER:DYN
eap-radius:
    EAP_SERVER:RAD
        CUSTOM:eap-radius
    XAUTH_SERVER:radius
        CUSTOM:eap-radius
    CUSTOM:eap-radius
        HASHER:HASH_MD5
        SIGNER:HMAC_MD5_128
        RNG:RNG_WEAK
eap-tls:
    EAP_SERVER:TLS
        HASHER:HASH_MD5
        HASHER:HASH_SHA1
        RNG:RNG_WEAK
    EAP_CLIENT:TLS
        HASHER:HASH_MD5
        HASHER:HASH_SHA1
        RNG:RNG_WEAK
        RNG:RNG_STRONG
eap-ttls:
    EAP_SERVER:TTLS
        EAP_SERVER:ID
        HASHER:HASH_MD5
        HASHER:HASH_SHA1
        RNG:RNG_WEAK
    EAP_CLIENT:TTLS
        EAP_CLIENT:ID
        HASHER:HASH_MD5
        HASHER:HASH_SHA1
        RNG:RNG_WEAK
        RNG:RNG_STRONG
eap-peap:
    EAP_SERVER:PEAP
        EAP_SERVER:ID
        HASHER:HASH_MD5
        HASHER:HASH_SHA1
        RNG:RNG_WEAK
    EAP_CLIENT:PEAP
        EAP_CLIENT:ID
        HASHER:HASH_MD5
        HASHER:HASH_SHA1
        RNG:RNG_WEAK
        RNG:RNG_STRONG
xauth-generic:
    XAUTH_SERVER:generic
    XAUTH_CLIENT:generic
xauth-eap:
    XAUTH_SERVER:eap
xauth-noauth:
    XAUTH_SERVER:noauth
dhcp:
    CUSTOM:dhcp
        RNG:RNG_WEAK
whitelist:
    CUSTOM:whitelist
lookip:
    CUSTOM:lookip
error-notify:
    CUSTOM:error-notify
certexpire:
    CUSTOM:certexpire
led:
    CUSTOM:led
duplicheck:
    CUSTOM:duplicheck
radattr:
    CUSTOM:radattr
addrblock:
    CUSTOM:addrblock
        CERT_DECODE:X509 (soft)





thyfate at DataLearning-001:~$ sudo ip -s xfrm policy
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket in action allow index 507 priority 0 share any flag  (0x00000000)
lifetime config:
 limit: soft 0(bytes), hard 0(bytes)
 limit: soft 0(packets), hard 0(packets)
 expire add: soft 0(sec), hard 0(sec)
 expire use: soft 0(sec), hard 0(sec)
lifetime current:
 0(bytes), 0(packets)
 add 2017-07-24 07:42:21 use 2017-09-02 10:13:15
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket out action allow index 500 priority 0 share any flag  (0x00000000)
lifetime config:
 limit: soft 0(bytes), hard 0(bytes)
 limit: soft 0(packets), hard 0(packets)
 expire add: soft 0(sec), hard 0(sec)
 expire use: soft 0(sec), hard 0(sec)
lifetime current:
 0(bytes), 0(packets)
 add 2017-07-24 07:42:21 use 2017-09-02 10:13:15
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket in action allow index 491 priority 0 share any flag  (0x00000000)
lifetime config:
 limit: soft 0(bytes), hard 0(bytes)
 limit: soft 0(packets), hard 0(packets)
 expire add: soft 0(sec), hard 0(sec)
 expire use: soft 0(sec), hard 0(sec)
lifetime current:
 0(bytes), 0(packets)
 add 2017-07-24 07:42:21 use 2017-09-04 08:15:37
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket out action allow index 484 priority 0 share any flag  (0x00000000)
lifetime config:
 limit: soft 0(bytes), hard 0(bytes)
 limit: soft 0(packets), hard 0(packets)
 expire add: soft 0(sec), hard 0(sec)
 expire use: soft 0(sec), hard 0(sec)
lifetime current:
 0(bytes), 0(packets)
 add 2017-07-24 07:42:21 use 2017-09-04 02:54:33
src ::/0 dst ::/0 uid 0
socket in action allow index 475 priority 0 share any flag  (0x00000000)
lifetime config:
 limit: soft 0(bytes), hard 0(bytes)
 limit: soft 0(packets), hard 0(packets)
 expire add: soft 0(sec), hard 0(sec)
 expire use: soft 0(sec), hard 0(sec)
lifetime current:
 0(bytes), 0(packets)
 add 2017-07-24 07:42:21 use -
src ::/0 dst ::/0 uid 0
socket out action allow index 468 priority 0 share any flag  (0x00000000)
lifetime config:
 limit: soft 0(bytes), hard 0(bytes)
 limit: soft 0(packets), hard 0(packets)
 expire add: soft 0(sec), hard 0(sec)
 expire use: soft 0(sec), hard 0(sec)
lifetime current:
 0(bytes), 0(packets)
 add 2017-07-24 07:42:21 use -
src ::/0 dst ::/0 uid 0
socket in action allow index 459 priority 0 share any flag  (0x00000000)
lifetime config:
 limit: soft 0(bytes), hard 0(bytes)
 limit: soft 0(packets), hard 0(packets)
 expire add: soft 0(sec), hard 0(sec)
 expire use: soft 0(sec), hard 0(sec)
lifetime current:
 0(bytes), 0(packets)
 add 2017-07-24 07:42:21 use -
src ::/0 dst ::/0 uid 0
socket out action allow index 452 priority 0 share any flag  (0x00000000)
lifetime config:
 limit: soft 0(bytes), hard 0(bytes)
 limit: soft 0(packets), hard 0(packets)
 expire add: soft 0(sec), hard 0(sec)
 expire use: soft 0(sec), hard 0(sec)
lifetime current:
 0(bytes), 0(packets)
 add 2017-07-24 07:42:21 use -
thyfate at DataLearning-001:~$ sudo ip -s xfrm state
thyfate at DataLearning-001:~$ ip route list table 220
thyfate at DataLearning-001:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere




thyfate at DataLearning-001:~$ sudo iptables-save
# Generated by iptables-save v1.4.21 on Mon Sep  4 08:39:12 2017
*nat
:PREROUTING ACCEPT [14381:2557534]
:INPUT ACCEPT [14224:2540988]
:OUTPUT ACCEPT [18294:1425542]
:POSTROUTING ACCEPT [18294:1425542]
-A POSTROUTING -s 172.31.17.0/28 -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Sep  4 08:39:12 2017
# Generated by iptables-save v1.4.21 on Mon Sep  4 08:39:12 2017
*filter
:INPUT ACCEPT [676542:524740723]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [434134:197554510]
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A fail2ban-ssh -j RETURN
COMMIT
# Completed on Mon Sep  4 08:39:12 2017
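The post shows two things worth checking mechanically before looking at the peer: the daemon has been up for 42 days and `ipsec start` reports charon "already running", while `ipsec statusall` shows a child selector (`0.0.0.0/0 === 172.21.148.0/28`) that does not match the `leftsubnet=` in the posted ipsec.conf, and `left=` is set to the router's public address although charon only listens on 192.168.1.104. The script below is an added example (not part of the original post and not strongSwan's own code) that parses a stroke-style ipsec.conf, the relevant lines of `ipsec statusall` and the `ipsec up` output, and reports those disagreements. The sample inputs are constructed from the post's excerpts with the addresses masked as in the post; the function names are the example's own, and the log fragments it matches (`peer not responding`, `NO_PROPOSAL_CHOSEN`, `INVALID_ID_INFORMATION`, `established successfully`) are the strings charon prints for those outcomes.

```python
"""Cross-check a stroke-style ipsec.conf against `ipsec statusall` and classify
the result of `ipsec up`. Added example (not strongSwan code); the sample inputs
below are constructed from the post's excerpts, addresses masked as in the post."""
import re

# Constructed sample: the relevant parts of the post's /etc/ipsec.conf.
IPSEC_CONF = """\
conn %default
        keyexchange=ikev1
        authby=secret

conn ciscoios
        left=93.XXX.XXX.XXX                  #strongswan outside address
        leftsubnet=172.31.17.0/28         #network behind strongswan
        leftid=93.XXX.XXX.XXX
        right=83.XXX.XXX.XXX
        rightsubnet=172.21.148.0/28
        auto=add
"""

# Constructed sample: the relevant parts of the post's `ipsec statusall` output.
STATUSALL = """\
Listening IP addresses:
  192.168.1.104
Connections:
    ciscoios:  93.XXX.XXX.XXX...83.XXX.XXX.XXX  IKEv1
    ciscoios:   child:  0.0.0.0/0 === 172.21.148.0/28 TUNNEL
"""

# Constructed sample: the post's `ipsec up ciscoios` output, shortened.
UP_LOG = """\
initiating Main Mode IKE_SA ciscoios[3554] to 83.XXX.XXX.XXX
sending packet: from 93.XXX.XXX.XXX[500] to 83.XXX.XXX.XXX[500] (196 bytes)
sending retransmit 1 of request message ID 0, seq 1
sending retransmit 5 of request message ID 0, seq 1
giving up after 5 retransmits
establishing IKE_SA failed, peer not responding
"""


def parse_ipsec_conf(text):
    """Parse 'conn' sections; trailing '#' comments are dropped and every conn
    inherits the values of 'conn %default'. Returns {conn_name: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        header = re.match(r"^(conn|config|ca)\s+(\S+)$", line)
        if header:  # unindented section header
            current = header.group(2) if header.group(1) == "conn" else None
            if current is not None:
                sections[current] = {}
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    default = sections.pop("%default", {})
    return {name: {**default, **opts} for name, opts in sections.items()}


def parse_statusall(text):
    """Pull the listening addresses and each conn's traffic selectors out of
    `ipsec statusall` output: {'listening': [...], 'children': {conn: [(l, r)]}}."""
    listening, children, in_listen = [], {}, False
    for line in text.splitlines():
        if line.startswith("Listening IP addresses:"):
            in_listen = True
            continue
        if in_listen and line.startswith("  ") and line.strip():
            listening.append(line.strip())
            continue
        in_listen = False
        m = re.match(r"^\s+(\S+):\s+child:\s+(\S+) === (\S+)", line)
        if m:
            children.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    return {"listening": listening, "children": children}


def check_conn(conf, status, name):
    """Findings where the on-disk conn disagrees with the running daemon."""
    opts, findings = conf[name], []
    left = opts.get("left", "%any")
    if not left.startswith("%") and left not in status["listening"]:
        findings.append(
            f"left={left} is not an address charon listens on "
            f"({', '.join(status['listening'])}); for a host behind NAT set left= to "
            "the LAN address or %defaultroute and keep leftid= for the IKE identity")
    running = status["children"].get(name)
    expected = (opts.get("leftsubnet", left), opts.get("rightsubnet", opts.get("right")))
    if running is None:
        findings.append(f"conn {name} is not loaded in the running daemon")
    elif expected not in running:
        findings.append(
            f"running selector {running[0][0]} === {running[0][1]} differs from "
            f"ipsec.conf {expected[0]} === {expected[1]}; the daemon has not reloaded "
            "the file (ipsec reload / ipsec update)")
    return findings


# charon log fragments that identify why `ipsec up` failed (or that it succeeded).
UP_PATTERNS = (
    ("no_response", "peer not responding"),
    ("proposal_mismatch", "NO_PROPOSAL_CHOSEN"),
    ("id_rejected", "INVALID_ID_INFORMATION"),
    ("established", "established successfully"),
)


def classify_up_log(text):
    """Return (verdict, highest retransmit number seen) for `ipsec up` output."""
    retransmits = max((int(n) for n in re.findall(r"sending retransmit (\d+)", text)),
                      default=0)
    for verdict, needle in UP_PATTERNS:
        if needle in text:
            return verdict, retransmits
    return "unknown", retransmits


if __name__ == "__main__":
    conf, status = parse_ipsec_conf(IPSEC_CONF), parse_statusall(STATUSALL)
    for finding in check_conn(conf, status, "ciscoios"):
        print("finding:", finding)
    print("ipsec up:", classify_up_log(UP_LOG))
```

Run against the post's excerpts it reports the two mismatches and classifies the `ipsec up` run as `no_response` after 5 retransmits, which is a peer-side or path problem (nothing at all came back on UDP/500) rather than a proposal or identity error. The reload finding matters because the posted file cannot explain the daemon's behaviour until the daemon has actually read it; on a real host, feed it the live output of `ipsec statusall` and `ipsec up <conn>` instead of the embedded samples.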