[strongSwan] Trying to work out why connection not being established from AWS
Whit Blauvelt
whit at transpect.com
Fri Sep 22 20:13:07 CEST 2017
On Fri, Sep 22, 2017 at 04:49:20PM +0200, Noel Kuntze wrote:
> > Did, and they don't. Perhaps I have to set a log level higher somewhere?
>
> The HelpRequests[1] article contains a good logger configuration you can use.
I see that stanza, and have read the linked wiki page, but it's unclear to
me which file that stanza goes in. On a stock Ubuntu deb install,
/etc/strongswan.d/charon, where I presume this goes, has 71 configuration
files in it, none of which currently contains "charon_debug.log". Do I
just make up a file name for which the stanza should be the whole content?
> > First I tried setting that to the LAN IP which connects to the elastic IP,
> > but that didn't work either; failed in just the same way. Also, the elastic
> > IP set does exist on the VM, as it's been assigned as an alias to lo (a
> > trick the libreswan people recommend).
>
> Linux aliases are a deprecated concept. Bind the IP to any local
> interface. Preferably one that can not go down. You can just add it.
> Anyway, charon needs to listen on the IP to be able to send packets from
> it.
I use the word "alias" incorrectly then. It is bound:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet 54.69.126.245/32 scope global lo
       valid_lft forever preferred_lft forever
> Good configurations are in this[2] article.
Thanks. Found that this morning. That's what my current experience is now based on.
ipsec.conf:
conn sts-base
    fragmentation=yes
    dpdaction=restart
    ike=aes192gcm16-aes128gcm16-aes192-prfsha256-ecp256-ecp521,aes192-sha256-modp3072
    esp=aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072#
    keyingtries=%forever

conn site-1-static-ip
    also=sts-base
    keyexchange=ikev2
    leftsubnet=172.18.0.0/16
    rightsubnet=192.168.1.0/24,172.17.0.0/16
    right=38.105.201.108
    auto=route
    rightauth=psk
    leftauth=psk
-----
ipsec.conf:
conn sts-base
    fragmentation=yes
    dpdaction=restart
    ike=aes192gcm16-aes128gcm16-aes192-prfsha256-ecp256-ecp521,aes192-sha256-modp3072
    esp=aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072#
    keyingtries=%forever

conn site-1-static-ip
    also=sts-base
    keyexchange=ikev2
    leftsubnet=192.168.1.0/24,172.17.0.0/16
    rightsubnet=172.18.0.0/16
    right=54.69.126.245
    auto=route
    rightauth=psk
    leftauth=psk
-----
root at ip-172-18-30-93:/etc# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-77-generic, x86_64):
uptime: 41 minutes, since Sep 22 13:08:33 2017
malloc: sbrk 1781760, mmap 0, used 578240, free 1203520
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity
Listening IP addresses:
172.18.30.93
172.18.14.157
10.60.30.1
Connections:
site-1-static-ip: %any...38.105.201.108 IKEv2, dpddelay=30s
site-1-static-ip: local: uses pre-shared key authentication
site-1-static-ip: remote: [38.105.201.108] uses pre-shared key authentication
site-1-static-ip: child: 172.18.0.0/16 === 192.168.1.0/24 172.17.0.0/16 TUNNEL, dpdaction=restart
Routed Connections:
site-1-static-ip{1}: ROUTED, TUNNEL, reqid 1
site-1-static-ip{1}: 172.18.0.0/16 === 172.17.0.0/16 192.168.1.0/24
Security Associations (0 up, 1 connecting):
site-1-static-ip[1]: CONNECTING, 172.18.30.93[%any]...38.105.201.108[%any]
site-1-static-ip[1]: IKEv2 SPIs: deb88af4b2622933_i* 0000000000000000_r
site-1-static-ip[1]: Tasks active: IKE_VENDOR IKE_INIT IKE_NATD IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE
-----
root at nyfw1:/etc# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-93-generic, x86_64):
uptime: 42 minutes, since Sep 22 13:08:36 2017
malloc: sbrk 2727936, mmap 0, used 581040, free 2146896
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity
Listening IP addresses:
38.105.201.102
38.105.201.108
207.239.116.102
172.17.10.3
192.168.100.3
172.17.19.4
Connections:
site-1-static-ip: %any...54.69.126.245 IKEv2, dpddelay=30s
site-1-static-ip: local: uses pre-shared key authentication
site-1-static-ip: remote: [54.69.126.245] uses pre-shared key authentication
site-1-static-ip: child: 192.168.1.0/24 172.17.0.0/16 === 172.18.0.0/16 TUNNEL, dpdaction=restart
Routed Connections:
site-1-static-ip{1}: ROUTED, TUNNEL, reqid 1
site-1-static-ip{1}: 172.17.0.0/16 192.168.1.0/24 === 172.18.0.0/16
Security Associations (0 up, 0 connecting):
none
-----
# Generated by iptables-save v1.6.0 on Fri Sep 22 13:51:50 2017
*mangle
:PREROUTING ACCEPT [4302529:894828902]
:INPUT ACCEPT [1987872:441967655]
:FORWARD ACCEPT [2298602:449720283]
:OUTPUT ACCEPT [2005554:576066283]
:POSTROUTING ACCEPT [4303466:1025728974]
-A PREROUTING -p udp -m udp --dport 500 -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -p esp -j MARK --set-xmark 0x1/0xffffffff
COMMIT
# Completed on Fri Sep 22 13:51:50 2017
# Generated by iptables-save v1.6.0 on Fri Sep 22 13:51:50 2017
*nat
:PREROUTING ACCEPT [217:14100]
:INPUT ACCEPT [16:1032]
:OUTPUT ACCEPT [39:16288]
:POSTROUTING ACCEPT [15:14272]
-A POSTROUTING -d 172.17.0.0/16 -j RETURN # added as experiment, didn't help
-A POSTROUTING -d 172.17.0.0/16 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -d 192.167.1.240/32 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 172.31.32.0/20 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.60.30.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Sep 22 13:51:50 2017
# Generated by iptables-save v1.6.0 on Fri Sep 22 13:51:50 2017
*filter
:INPUT ACCEPT [1987847:441947159]
:FORWARD ACCEPT [186297:12183599]
:OUTPUT ACCEPT [2005563:576067619]
-A INPUT -m mark --mark 0x1 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.60.30.0/24 -d 172.31.32.0/20 -i tun0 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m mark --mark 0x1 -j ACCEPT
-A OUTPUT -m mark --mark 0x1 -j ACCEPT
COMMIT
# Completed on Fri Sep 22 13:51:50 2017
-----
root at nyfw1:/etc# iptables-save
# Generated by iptables-save v1.6.0 on Fri Sep 22 13:54:08 2017
*raw
:PREROUTING ACCEPT [10688:4403139]
:OUTPUT ACCEPT [6801:1304065]
COMMIT
# Completed on Fri Sep 22 13:54:08 2017
# Generated by iptables-save v1.6.0 on Fri Sep 22 13:54:08 2017
*nat
:PREROUTING ACCEPT [2325:687964]
:INPUT ACCEPT [4:180]
:OUTPUT ACCEPT [259:22938]
:POSTROUTING ACCEPT [64:6534]
-A PREROUTING -d 38.105.201.108/32 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j DNAT --to-destination 172.17.19.53
-A PREROUTING -d 38.105.201.108/32 -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j DNAT --to-destination 172.17.19.53
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 172.17.0.0/16 -d 72.18.0.0/16 -j RETURN
-A POSTROUTING -s 172.17.0.0/16 -d 54.69.126.245/32 -j RETURN
-A POSTROUTING -s 192.168.1.0/24 -d 172.18.0.0/16 -j RETURN
-A POSTROUTING -s 192.168.1.0/24 -d 54.69.126.245/32 -j RETURN
-A POSTROUTING -s 172.17.19.53/32 -o enp2s0f1 -p udp -m udp --sport 53 -m conntrack --ctstate NEW -j SNAT --to-source 38.105.201.108
-A POSTROUTING -s 172.17.19.53/32 -o enp2s0f1 -p tcp -m tcp --sport 53 -m conntrack --ctstate NEW -j SNAT --to-source 38.105.201.108
COMMIT
# Completed on Fri Sep 22 13:54:08 2017
# Generated by iptables-save v1.6.0 on Fri Sep 22 13:54:08 2017
*mangle
:PREROUTING ACCEPT [10686:4403035]
:INPUT ACCEPT [10684:4402915]
:FORWARD ACCEPT [2:120]
:OUTPUT ACCEPT [6806:1305493]
:POSTROUTING ACCEPT [6612:1289149]
-A PREROUTING -m conntrack --ctstate RELATED,ESTABLISHED -j CONNMARK --restore-mark --nfmask 0x1fff --ctmask 0x1fff
-A PREROUTING -i enp2s0f1 -m conntrack --ctstate NEW -j MARK --set-xmark 0x1/0x3f
-A PREROUTING -i enp2s0f2 -m conntrack --ctstate NEW -j MARK --set-xmark 0x2/0x3f
-A PREROUTING -i bond0 -m conntrack --ctstate NEW -j MARK --set-xmark 0x12/0x3f
-A PREROUTING -i bond1 -m conntrack --ctstate NEW -j MARK --set-xmark 0x13/0x3f
-A INPUT -m conntrack --ctstate NEW -j CONNMARK --save-mark --nfmask 0x1fff --ctmask 0x1fff
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j CONNMARK --restore-mark --nfmask 0x1fff --ctmask 0x1fff
-A POSTROUTING -o enp2s0f1 -m conntrack --ctstate NEW -j MARK --set-xmark 0x1/0x3f
-A POSTROUTING -o enp2s0f2 -m conntrack --ctstate NEW -j MARK --set-xmark 0x2/0x3f
-A POSTROUTING -o bond0 -m conntrack --ctstate NEW -j MARK --set-xmark 0x12/0x3f
-A POSTROUTING -o bond1 -m conntrack --ctstate NEW -j MARK --set-xmark 0x13/0x3f
-A POSTROUTING -m conntrack --ctstate NEW -j CONNMARK --save-mark --nfmask 0x1fff --ctmask 0x1fff
COMMIT
# Completed on Fri Sep 22 13:54:08 2017
# Generated by iptables-save v1.6.0 on Fri Sep 22 13:54:08 2017
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:in_DMZ - [0:0]
:in_LAN - [0:0]
:in_cogent - [0:0]
:in_cogent2dmz - [0:0]
:in_cogent2lan - [0:0]
:in_dmz2cogent - [0:0]
:in_global - [0:0]
:in_lan2cogent - [0:0]
:out_DMZ - [0:0]
:out_LAN - [0:0]
:out_cogent - [0:0]
:out_cogent2dmz - [0:0]
:out_cogent2lan - [0:0]
:out_dmz2cogent - [0:0]
:out_global - [0:0]
:out_lan2cogent - [0:0]
-A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i enp2s0f1 -j in_cogent
-A INPUT -i enp2s0f2 -j in_global
-A INPUT -i bond0 -j in_LAN
-A INPUT -i vlan19 -j in_DMZ
-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
-A INPUT -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
-A INPUT -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
-A INPUT -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID INPUT:"
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
-A INPUT -m limit --limit 1/sec -j LOG --log-prefix "IN-unknown:"
-A INPUT -j DROP
-A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
-A FORWARD -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
-A FORWARD -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID FORWARD:"
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i enp2s0f1 -o vlan19 -j in_cogent2dmz
-A FORWARD -i vlan19 -o enp2s0f1 -j out_cogent2dmz
-A FORWARD -i vlan19 -o enp2s0f1 -j in_dmz2cogent
-A FORWARD -i enp2s0f1 -o vlan19 -j out_dmz2cogent
-A FORWARD -i enp2s0f1 -o bond0 -j in_cogent2lan
-A FORWARD -i bond0 -o enp2s0f1 -j out_cogent2lan
-A FORWARD -i bond0 -o enp2s0f1 -j in_lan2cogent
-A FORWARD -i enp2s0f1 -o bond0 -j out_lan2cogent
-A FORWARD -p icmp -m conntrack --ctstate RELATED -j ACCEPT
-A FORWARD -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
-A FORWARD -m limit --limit 1/sec -j LOG --log-prefix "PASS-unknown:"
-A FORWARD -j DROP
-A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o enp2s0f1 -j out_cogent
-A OUTPUT -o enp2s0f2 -j out_global
-A OUTPUT -o bond0 -j out_LAN
-A OUTPUT -o vlan19 -j out_DMZ
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
-A OUTPUT -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
-A OUTPUT -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
-A OUTPUT -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
-A OUTPUT -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
-A OUTPUT -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID OUTPUT:"
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
-A OUTPUT -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
-A OUTPUT -m limit --limit 1/sec -j LOG --log-prefix "OUT-unknown:"
-A OUTPUT -j DROP
-A in_DMZ -p icmp -m conntrack --ctstate RELATED -j ACCEPT
-A in_DMZ -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A in_DMZ -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper ftp -j ACCEPT
-A in_DMZ -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper irc -j ACCEPT
-A in_DMZ -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper sip -j ACCEPT
-A in_DMZ -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper pptp -j ACCEPT
-A in_DMZ -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper proto_gre -j ACCEPT
-A in_DMZ -p udp -m udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A in_DMZ -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A in_DMZ -p icmp -m conntrack --ctstate NEW,ESTABLISHED -m icmp --icmp-type 8 -j ACCEPT
-A in_DMZ -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
-A in_DMZ -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
-A in_DMZ -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
-A in_DMZ -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
-A in_DMZ -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
-A in_DMZ -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID in_DMZ:"
-A in_DMZ -m conntrack --ctstate INVALID -j DROP
-A in_DMZ -m limit --limit 1/sec -j LOG --log-prefix "IN-DMZ:"
-A in_DMZ -j DROP
-A in_LAN -p icmp -m conntrack --ctstate RELATED -j ACCEPT
-A in_LAN -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A in_LAN -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper ftp -j ACCEPT
-A in_LAN -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper irc -j ACCEPT
-A in_LAN -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper sip -j ACCEPT
-A in_LAN -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper pptp -j ACCEPT
-A in_LAN -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper proto_gre -j ACCEPT
-A in_LAN -s 172.17.16.0/24 -p tcp -m tcp --sport 1024:65535 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A in_LAN -s 207.136.236.70/32 -p tcp -m tcp --sport 1024:65535 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A in_LAN -s 192.168.1.0/24 -p tcp -m tcp --sport 1024:65535 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A in_LAN -p tcp -m tcp --sport 1024:65535 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A in_LAN -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
-A in_LAN -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
-A in_LAN -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
-A in_LAN -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
-A in_LAN -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
-A in_LAN -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID in_LAN:"
-A in_LAN -m conntrack --ctstate INVALID -j DROP
-A in_LAN -m limit --limit 1/sec -j LOG --log-prefix "IN-LAN:"
-A in_LAN -j DROP
-A in_cogent -p icmp -m conntrack --ctstate RELATED -j ACCEPT
-A in_cogent -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A in_cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper ftp -j ACCEPT
-A in_cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper irc -j ACCEPT
-A in_cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper sip -j ACCEPT
-A in_cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper pptp -j ACCEPT
-A in_cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper proto_gre -j ACCEPT
-A in_cogent -s 207.136.236.70/32 -p tcp -m tcp --sport 1024:65535 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A in_cogent -d 38.105.201.108/32 -p udp -m udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A in_cogent -d 38.105.201.108/32 -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A in_cogent -s 54.69.126.245/32 -p udp -m udp --dport 4500 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A in_cogent -s 54.69.126.245/32 -p icmp -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A in_cogent -p icmp -m conntrack --ctstate NEW,ESTABLISHED -m icmp --icmp-type 8 -j ACCEPT
-A in_cogent -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
-A in_cogent -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
-A in_cogent -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
-A in_cogent -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
-A in_cogent -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
-A in_cogent -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID in_cogent:"
-A in_cogent -m conntrack --ctstate INVALID -j DROP
-A in_cogent -m limit --limit 1/sec -j LOG --log-prefix "IN-cogent:"
-A in_cogent -j DROP
-A in_cogent2dmz -p icmp -m conntrack --ctstate RELATED -j ACCEPT
-A in_cogent2dmz -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
-A in_cogent2dmz -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A in_cogent2dmz -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper ftp -j ACCEPT
-A in_cogent2dmz -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper irc -j ACCEPT
-A in_cogent2dmz -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper sip -j ACCEPT
-A in_cogent2dmz -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper pptp -j ACCEPT
-A in_cogent2dmz -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper proto_gre -j ACCEPT
-A in_cogent2lan -p icmp -m conntrack --ctstate RELATED -j ACCEPT
-A in_cogent2lan -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
-A in_cogent2lan -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A in_cogent2lan -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper ftp -j ACCEPT
-A in_cogent2lan -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper irc -j ACCEPT
-A in_cogent2lan -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper sip -j ACCEPT
-A in_cogent2lan -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper pptp -j ACCEPT
-A in_cogent2lan -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper proto_gre -j ACCEPT
-A in_dmz2cogent -p icmp -m conntrack --ctstate RELATED -j ACCEPT
-A in_dmz2cogent -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
-A in_dmz2cogent -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A in_dmz2cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper ftp -j ACCEPT
-A in_dmz2cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper irc -j ACCEPT
-A in_dmz2cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper sip -j ACCEPT
-A in_dmz2cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper pptp -j ACCEPT
-A in_dmz2cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper proto_gre -j ACCEPT
-A in_global -p icmp -m conntrack --ctstate RELATED -j ACCEPT
-A in_global -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A in_global -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper ftp -j ACCEPT
-A in_global -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper irc -j ACCEPT
-A in_global -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper sip -j ACCEPT
-A in_global -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper pptp -j ACCEPT
-A in_global -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper proto_gre -j ACCEPT
-A in_global -s 207.136.236.70/32 -p tcp -m tcp --sport 1024:65535 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A in_global -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
-A in_global -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
-A in_global -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
-A in_global -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
-A in_global -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
-A in_global -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID in_global:"
-A in_global -m conntrack --ctstate INVALID -j DROP
-A in_global -m limit --limit 1/sec -j LOG --log-prefix "IN-global:"
-A in_global -j DROP
-A in_lan2cogent -p icmp -m conntrack --ctstate RELATED -j ACCEPT
-A in_lan2cogent -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
-A in_lan2cogent -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A in_lan2cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper ftp -j ACCEPT
-A in_lan2cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper irc -j ACCEPT
-A in_lan2cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper sip -j ACCEPT
-A in_lan2cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper pptp -j ACCEPT
-A in_lan2cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper proto_gre -j ACCEPT
-A out_DMZ -p icmp -m conntrack --ctstate RELATED -j ACCEPT
-A out_DMZ -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
-A out_DMZ -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A out_DMZ -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper ftp -j ACCEPT
-A out_DMZ -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper irc -j ACCEPT
-A out_DMZ -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper sip -j ACCEPT
-A out_DMZ -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper pptp -j ACCEPT
-A out_DMZ -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper proto_gre -j ACCEPT
-A out_DMZ -p udp -m udp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A out_DMZ -p tcp -m tcp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A out_DMZ -p icmp -m conntrack --ctstate ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A out_DMZ -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
-A out_DMZ -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
-A out_DMZ -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
-A out_DMZ -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
-A out_DMZ -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
-A out_DMZ -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID out_DMZ:"
-A out_DMZ -m conntrack --ctstate INVALID -j DROP
-A out_DMZ -m limit --limit 1/sec -j LOG --log-prefix "OUT-DMZ:"
-A out_DMZ -j DROP
-A out_LAN -p icmp -m conntrack --ctstate RELATED -j ACCEPT
-A out_LAN -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
-A out_LAN -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A out_LAN -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper ftp -j ACCEPT
-A out_LAN -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper irc -j ACCEPT
-A out_LAN -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper sip -j ACCEPT
-A out_LAN -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper pptp -j ACCEPT
-A out_LAN -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper proto_gre -j ACCEPT
-A out_LAN -d 172.17.16.0/24 -p tcp -m tcp --sport 22 --dport 1024:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A out_LAN -d 207.136.236.70/32 -p tcp -m tcp --sport 22 --dport 1024:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A out_LAN -d 192.168.1.0/24 -p tcp -m tcp --sport 22 --dport 1024:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A out_LAN -p tcp -m tcp --sport 80 --dport 1024:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A out_LAN -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
-A out_LAN -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
-A out_LAN -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
-A out_LAN -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
-A out_LAN -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
-A out_LAN -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID out_LAN:"
-A out_LAN -m conntrack --ctstate INVALID -j DROP
-A out_LAN -m limit --limit 1/sec -j LOG --log-prefix "OUT-LAN:"
-A out_LAN -j DROP
-A out_cogent -p icmp -m conntrack --ctstate RELATED -j ACCEPT
-A out_cogent -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
-A out_cogent -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A out_cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper ftp -j ACCEPT
-A out_cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper irc -j ACCEPT
-A out_cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper sip -j ACCEPT
-A out_cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper pptp -j ACCEPT
-A out_cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper proto_gre -j ACCEPT
-A out_cogent -d 207.136.236.70/32 -p tcp -m tcp --sport 22 --dport 1024:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A out_cogent -s 38.105.201.108/32 -p udp -m udp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A out_cogent -s 38.105.201.108/32 -p tcp -m tcp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A out_cogent -d 54.69.126.245/32 -p udp -m udp --sport 4500 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A out_cogent -d 54.69.126.245/32 -p icmp -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A out_cogent -p icmp -m conntrack --ctstate ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A out_cogent -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
-A out_cogent -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
-A out_cogent -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
-A out_cogent -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
-A out_cogent -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
-A out_cogent -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID out_cogent:"
-A out_cogent -m conntrack --ctstate INVALID -j DROP
-A out_cogent -m limit --limit 1/sec -j LOG --log-prefix "OUT-cogent:"
-A out_cogent -j DROP
-A out_cogent2dmz -p icmp -m conntrack --ctstate RELATED -j ACCEPT
-A out_cogent2dmz -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
-A out_cogent2dmz -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A out_cogent2dmz -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper ftp -j ACCEPT
-A out_cogent2dmz -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper irc -j ACCEPT
-A out_cogent2dmz -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper sip -j ACCEPT
-A out_cogent2dmz -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper pptp -j ACCEPT
-A out_cogent2dmz -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper proto_gre -j ACCEPT
-A out_cogent2lan -p icmp -m conntrack --ctstate RELATED -j ACCEPT
-A out_cogent2lan -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
-A out_cogent2lan -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A out_cogent2lan -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper ftp -j ACCEPT
-A out_cogent2lan -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper irc -j ACCEPT
-A out_cogent2lan -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper sip -j ACCEPT
-A out_cogent2lan -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper pptp -j ACCEPT
-A out_cogent2lan -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper proto_gre -j ACCEPT
-A out_dmz2cogent -p icmp -m conntrack --ctstate RELATED -j ACCEPT
-A out_dmz2cogent -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
-A out_dmz2cogent -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A out_dmz2cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper ftp -j ACCEPT
-A out_dmz2cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper irc -j ACCEPT
-A out_dmz2cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper sip -j ACCEPT
-A out_dmz2cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper pptp -j ACCEPT
-A out_dmz2cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper proto_gre -j ACCEPT
-A out_global -p icmp -m conntrack --ctstate RELATED -j ACCEPT
-A out_global -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
-A out_global -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A out_global -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper ftp -j ACCEPT
-A out_global -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper irc -j ACCEPT
-A out_global -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper sip -j ACCEPT
-A out_global -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper pptp -j ACCEPT
-A out_global -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper proto_gre -j ACCEPT
-A out_global -d 207.136.236.70/32 -p tcp -m tcp --sport 22 --dport 1024:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A out_global -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
-A out_global -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
-A out_global -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
-A out_global -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
-A out_global -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
-A out_global -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID out_global:"
-A out_global -m conntrack --ctstate INVALID -j DROP
-A out_global -m limit --limit 1/sec -j LOG --log-prefix "OUT-global:"
-A out_global -j DROP
-A out_lan2cogent -p icmp -m conntrack --ctstate RELATED -j ACCEPT
-A out_lan2cogent -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
-A out_lan2cogent -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A out_lan2cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper ftp -j ACCEPT
-A out_lan2cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper irc -j ACCEPT
-A out_lan2cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper sip -j ACCEPT
-A out_lan2cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper pptp -j ACCEPT
-A out_lan2cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper proto_gre -j ACCEPT
COMMIT
# Completed on Fri Sep 22 13:54:08 2017
-----
Sep 22 13:56:53 ip-172-18-30-93 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-77-generic, x86_64)
Sep 22 13:56:53 ip-172-18-30-93 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Sep 22 13:56:53 ip-172-18-30-93 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Sep 22 13:56:53 ip-172-18-30-93 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Sep 22 13:56:53 ip-172-18-30-93 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Sep 22 13:56:53 ip-172-18-30-93 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Sep 22 13:56:53 ip-172-18-30-93 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Sep 22 13:56:53 ip-172-18-30-93 charon: 00[CFG] line 6: missing token
Sep 22 13:56:53 ip-172-18-30-93 charon: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
Sep 22 13:56:53 ip-172-18-30-93 charon: 00[CFG] loaded 0 RADIUS server configurations
Sep 22 13:56:53 ip-172-18-30-93 charon: 00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity
Sep 22 13:56:53 ip-172-18-30-93 charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Sep 22 13:56:53 ip-172-18-30-93 charon: 00[JOB] spawning 16 worker threads
Sep 22 13:56:53 ip-172-18-30-93 charon: 11[CFG] received stroke: add connection 'site-1-static-ip'
Sep 22 13:56:53 ip-172-18-30-93 charon: 11[CFG] added configuration 'site-1-static-ip'
Sep 22 13:56:53 ip-172-18-30-93 charon: 13[CFG] received stroke: route 'site-1-static-ip'
Sep 22 13:57:15 ip-172-18-30-93 charon: 04[KNL] creating acquire job for policy 172.18.30.93/32[udp/37849] === 172.17.16.40/32[udp/1025] with reqid {1}
Sep 22 13:57:15 ip-172-18-30-93 charon: 04[IKE] initiating IKE_SA site-1-static-ip[1] to 38.105.201.108
Sep 22 13:57:15 ip-172-18-30-93 charon: 04[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
Sep 22 13:57:15 ip-172-18-30-93 charon: 04[NET] sending packet: from 172.18.30.93[500] to 38.105.201.108[500] (968 bytes)
Sep 22 13:57:19 ip-172-18-30-93 charon: 02[IKE] retransmit 1 of request with message ID 0
Sep 22 13:57:19 ip-172-18-30-93 charon: 02[NET] sending packet: from 172.18.30.93[500] to 38.105.201.108[500] (968 bytes)
Sep 22 13:57:27 ip-172-18-30-93 charon: 01[IKE] retransmit 2 of request with message ID 0
Sep 22 13:57:27 ip-172-18-30-93 charon: 01[NET] sending packet: from 172.18.30.93[500] to 38.105.201.108[500] (968 bytes)
-----
Sep 22 13:59:30 nyfw1 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-93-generic, x86_64)
Sep 22 13:59:30 nyfw1 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Sep 22 13:59:30 nyfw1 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Sep 22 13:59:30 nyfw1 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Sep 22 13:59:30 nyfw1 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Sep 22 13:59:30 nyfw1 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Sep 22 13:59:30 nyfw1 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Sep 22 13:59:30 nyfw1 charon: 00[CFG] line 6: missing token
Sep 22 13:59:30 nyfw1 charon: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
Sep 22 13:59:30 nyfw1 charon: 00[CFG] loaded 0 RADIUS server configurations
Sep 22 13:59:30 nyfw1 charon: 00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity
Sep 22 13:59:30 nyfw1 charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Sep 22 13:59:30 nyfw1 charon: 00[JOB] spawning 16 worker threads
Sep 22 13:59:30 nyfw1 charon: 12[CFG] received stroke: add connection 'site-1-static-ip'
Sep 22 13:59:30 nyfw1 charon: 12[CFG] added configuration 'site-1-static-ip'
Sep 22 13:59:30 nyfw1 charon: 04[CFG] received stroke: route 'site-1-static-ip'
-----
root at ip-172-18-30-93:/etc# ip ro sho tab all
172.17.0.0/16 via 172.18.30.1 dev eth0 table 220 proto static src 172.18.30.93
192.168.1.0/24 via 172.18.30.1 dev eth0 table 220 proto static src 172.18.30.93
default via 172.18.30.1 dev eth0
10.60.30.0/24 via 10.60.30.2 dev tun0
10.60.30.2 dev tun0 proto kernel scope link src 10.60.30.1
172.18.14.0/24 dev eth1 proto kernel scope link src 172.18.14.157
172.18.30.0/24 dev eth0 proto kernel scope link src 172.18.30.93
local 10.60.30.1 dev tun0 table local proto kernel scope host src 10.60.30.1
local 54.69.126.245 dev lo table local proto kernel scope host src 54.69.126.245
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 172.18.14.0 dev eth1 table local proto kernel scope link src 172.18.14.157
local 172.18.14.157 dev eth1 table local proto kernel scope host src 172.18.14.157
broadcast 172.18.14.255 dev eth1 table local proto kernel scope link src 172.18.14.157
broadcast 172.18.30.0 dev eth0 table local proto kernel scope link src 172.18.30.93
local 172.18.30.93 dev eth0 table local proto kernel scope host src 172.18.30.93
broadcast 172.18.30.255 dev eth0 table local proto kernel scope link src 172.18.30.93
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth1 proto kernel metric 256 mtu 9001 pref medium
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium
local ::1 dev lo table local proto none metric 0 pref medium
local fe80::40e:91ff:fe1c:8ff0 dev lo table local proto none metric 0 pref medium
local fe80::40f:82ff:feac:c99e dev lo table local proto none metric 0 pref medium
ff00::/8 dev eth0 table local metric 256 pref medium
ff00::/8 dev eth1 table local metric 256 mtu 9001 pref medium
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium
-----
root at nyfw1:/etc# ip ro sho tab all
default via 207.239.116.97 dev enp2s0f2 table Global
38.105.201.96/27 dev enp2s0f1 table Global proto kernel scope link src 38.105.201.102
172.17.10.0/24 dev bond0 table Global proto kernel scope link src 172.17.10.3
172.17.16.0/24 via 172.17.10.254 dev bond0 table Global
172.17.19.0/24 dev vlan19 table Global proto kernel scope link src 172.17.19.4
172.18.0.0/16 dev enp2s0f1 table Global scope link src 38.105.201.108
192.168.1.0/24 via 172.17.10.254 dev bond0 table Global
207.239.116.96/27 dev enp2s0f2 table Global proto kernel scope link src 207.239.116.102
default via 38.105.201.97 dev enp2s0f1 table Cogent
38.105.201.96/27 dev enp2s0f1 table Cogent proto kernel scope link src 38.105.201.102
54.69.126.245 via 38.105.201.97 dev enp2s0f1 table Cogent src 38.105.201.108
172.17.10.0/24 dev bond0 table Cogent proto kernel scope link src 172.17.10.3
172.17.16.0/24 via 172.17.10.254 dev bond0 table Cogent
172.17.19.0/24 dev vlan19 table Cogent proto kernel scope link src 172.17.19.4
172.18.0.0/16 dev enp2s0f1 table Cogent scope link src 38.105.201.108
192.168.1.0/24 via 172.17.10.254 dev bond0 table Cogent
207.239.116.96/27 dev enp2s0f2 table Cogent proto kernel scope link src 207.239.116.102
default via 172.17.10.254 dev bond0 table NYlan
38.105.201.96/27 dev enp2s0f1 table NYlan proto kernel scope link src 38.105.201.102
54.69.126.245 via 38.105.201.97 dev enp2s0f1 table NYlan src 38.105.201.108
172.17.10.0/24 dev bond0 table NYlan proto kernel scope link src 172.17.10.3
172.17.16.0/24 via 172.17.10.254 dev bond0 table NYlan
172.17.19.0/24 dev vlan19 table NYlan proto kernel scope link src 172.17.19.4
172.18.0.0/16 dev enp2s0f1 table NYlan scope link src 38.105.201.108
192.168.1.0/24 via 172.17.10.254 dev bond0 table NYlan
207.239.116.96/27 dev enp2s0f2 table NYlan proto kernel scope link src 207.239.116.102
172.18.0.0/16 via 38.105.201.97 dev enp2s0f1 table 220 proto static src 172.17.10.3
default via 38.105.201.97 dev enp2s0f1
38.105.201.96/27 dev enp2s0f1 proto kernel scope link src 38.105.201.102
54.69.126.245 via 38.105.201.97 dev enp2s0f1 src 38.105.201.108
172.17.10.0/24 dev bond0 proto kernel scope link src 172.17.10.3
172.17.16.0/24 via 172.17.10.254 dev bond0
172.17.19.0/24 dev vlan19 proto kernel scope link src 172.17.19.4
172.18.0.0/16 dev enp2s0f1 scope link src 38.105.201.108
192.168.1.0/24 via 172.17.10.254 dev bond0
192.168.100.0/24 dev bond1 proto kernel scope link src 192.168.100.3 linkdown
207.239.116.96/27 dev enp2s0f2 proto kernel scope link src 207.239.116.102
broadcast 38.105.201.96 dev enp2s0f1 table local proto kernel scope link src 38.105.201.102
local 38.105.201.102 dev enp2s0f1 table local proto kernel scope host src 38.105.201.102
local 38.105.201.108 dev enp2s0f1 table local proto kernel scope host src 38.105.201.108
broadcast 38.105.201.127 dev enp2s0f1 table local proto kernel scope link src 38.105.201.102
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 172.17.10.0 dev bond0 table local proto kernel scope link src 172.17.10.3
local 172.17.10.3 dev bond0 table local proto kernel scope host src 172.17.10.3
broadcast 172.17.10.255 dev bond0 table local proto kernel scope link src 172.17.10.3
broadcast 172.17.19.0 dev vlan19 table local proto kernel scope link src 172.17.19.4
local 172.17.19.4 dev vlan19 table local proto kernel scope host src 172.17.19.4
broadcast 172.17.19.255 dev vlan19 table local proto kernel scope link src 172.17.19.4
broadcast 192.168.100.0 dev bond1 table local proto kernel scope link src 192.168.100.3 linkdown
local 192.168.100.3 dev bond1 table local proto kernel scope host src 192.168.100.3
broadcast 192.168.100.255 dev bond1 table local proto kernel scope link src 192.168.100.3 linkdown
broadcast 207.239.116.96 dev enp2s0f2 table local proto kernel scope link src 207.239.116.102
local 207.239.116.102 dev enp2s0f2 table local proto kernel scope host src 207.239.116.102
broadcast 207.239.116.127 dev enp2s0f2 table local proto kernel scope link src 207.239.116.102
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium
fe80::/64 dev enp2s0f2 proto kernel metric 256 pref medium
fe80::/64 dev eno2 proto kernel metric 256 pref medium
fe80::/64 dev bond0 proto kernel metric 256 pref medium
fe80::/64 dev enp2s0f1 proto kernel metric 256 pref medium
fe80::/64 dev enp2s0f3 proto kernel metric 256 pref medium
fe80::/64 dev vlan19 proto kernel metric 256 pref medium
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium
local ::1 dev lo table local proto none metric 0 pref medium
local fe80::3617:ebff:fef1:a537 dev lo table local proto none metric 0 pref medium
local fe80::3617:ebff:fef1:a537 dev lo table local proto none metric 0 pref medium
local fe80::3617:ebff:fef1:a538 dev lo table local proto none metric 0 pref medium
local fe80::a236:9fff:fea6:f851 dev lo table local proto none metric 0 pref medium
local fe80::a236:9fff:fea6:f852 dev lo table local proto none metric 0 pref medium
local fe80::a236:9fff:fea6:f853 dev lo table local proto none metric 0 pref medium
ff00::/8 dev enp2s0f2 table local metric 256 pref medium
ff00::/8 dev eno2 table local metric 256 pref medium
ff00::/8 dev bond0 table local metric 256 pref medium
ff00::/8 dev enp2s0f1 table local metric 256 pref medium
ff00::/8 dev enp2s0f3 table local metric 256 pref medium
ff00::/8 dev vlan19 table local metric 256 pref medium
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium
----
root at ip-172-18-30-93:/etc# ip ru ls
0: from all lookup local
220: from all lookup 220
32766: from all lookup main
32767: from all lookup default
-----
root at nyfw1:/etc# ip ru ls
0: from all lookup local
220: from all lookup 220
1100: from all fwmark 0x1/0x3f lookup Cogent
1200: from all fwmark 0x2/0x3f lookup Global
1300: from all fwmark 0x12/0x3f lookup NYlan
1400: from 38.105.201.102 lookup Cogent
1401: from 38.105.201.108 lookup Cogent
1500: from 207.239.116.102 lookup Global
1600: from 172.17.10.3 lookup NYlan
32766: from all lookup main
32767: from all lookup default
----
root at ip-172-18-30-93:/etc/strongswan.d/charon# ip addr ls
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet 54.69.126.245/32 scope global lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast state UP group default qlen 1000
link/ether 06:0f:82:ac:c9:9e brd ff:ff:ff:ff:ff:ff
inet 172.18.30.93/24 brd 172.18.30.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::40f:82ff:feac:c99e/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast state UP group default qlen 1000
link/ether 06:0e:91:1c:8f:f0 brd ff:ff:ff:ff:ff:ff
inet 172.18.14.157/24 brd 172.18.14.255 scope global eth1
valid_lft forever preferred_lft forever
inet6 fe80::40e:91ff:fe1c:8ff0/64 scope link
valid_lft forever preferred_lft forever
16: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 10.60.30.1 peer 10.60.30.2/32 scope global tun0
valid_lft forever preferred_lft forever
17: eth2: <BROADCAST,MULTICAST> mtu 9001 qdisc pfifo_fast state DOWN group default qlen 1000
link/ether 06:e4:f7:89:42:5b brd ff:ff:ff:ff:ff:ff
18: ip_vti0 at NONE: <NOARP> mtu 1332 qdisc noop state DOWN group default qlen 1
link/ipip 0.0.0.0 brd 0.0.0.0
-----
root at nyfw1:/etc# ip addr ls
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP group default qlen 1000
link/ether 34:17:eb:f1:a5:37 brd ff:ff:ff:ff:ff:ff
3: enp2s0f0: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP group default qlen 1000
link/ether 34:17:eb:f1:a5:37 brd ff:ff:ff:ff:ff:ff
4: eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 34:17:eb:f1:a5:38 brd ff:ff:ff:ff:ff:ff
inet6 fe80::3617:ebff:fef1:a538/64 scope link
valid_lft forever preferred_lft forever
5: enp2s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether a0:36:9f:a6:f8:51 brd ff:ff:ff:ff:ff:ff
inet 38.105.201.102/27 brd 38.105.201.127 scope global enp2s0f1
valid_lft forever preferred_lft forever
inet 38.105.201.108/32 scope global enp2s0f1
valid_lft forever preferred_lft forever
inet6 fe80::a236:9fff:fea6:f851/64 scope link
valid_lft forever preferred_lft forever
6: enp2s0f2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether a0:36:9f:a6:f8:52 brd ff:ff:ff:ff:ff:ff
inet 207.239.116.102/27 brd 207.239.116.127 scope global enp2s0f2
valid_lft forever preferred_lft forever
inet6 fe80::a236:9fff:fea6:f852/64 scope link
valid_lft forever preferred_lft forever
7: enp2s0f3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether a0:36:9f:a6:f8:53 brd ff:ff:ff:ff:ff:ff
inet6 fe80::a236:9fff:fea6:f853/64 scope link
valid_lft forever preferred_lft forever
8: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 34:17:eb:f1:a5:37 brd ff:ff:ff:ff:ff:ff
inet 172.17.10.3/24 brd 172.17.10.255 scope global bond0
valid_lft forever preferred_lft forever
inet6 fe80::3617:ebff:fef1:a537/64 scope link
valid_lft forever preferred_lft forever
9: bond1: <NO-CARRIER,BROADCAST,MULTICAST,MASTER,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 72:db:73:34:3b:51 brd ff:ff:ff:ff:ff:ff
inet 192.168.100.3/24 brd 192.168.100.255 scope global bond1
valid_lft forever preferred_lft forever
10: ip_vti0 at NONE: <NOARP> mtu 1332 qdisc noop state DOWN group default qlen 1
link/ipip 0.0.0.0 brd 0.0.0.0
13: vlan19 at bond0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 34:17:eb:f1:a5:37 brd ff:ff:ff:ff:ff:ff
inet 172.17.19.4/24 brd 172.17.19.255 scope global vlan19
valid_lft forever preferred_lft forever
inet6 fe80::3617:ebff:fef1:a537/64 scope link
valid_lft forever preferred_lft forever
-----
Current problem:
Can't fully establish tunnel.
Thanks,
Whit
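The charon excerpt above shows the pattern a practitioner looks for first: IKE_SA_INIT request 0 leaves 172.18.30.93[500] for 38.105.201.108[500], is retransmitted twice, and nothing ever comes back. The script below is an added example (not code from the original post or from the strongSwan project) that automates that triage over a charon syslog excerpt: it groups "sending packet" / "received packet" lines per initiated IKE_SA, picks up the "missing token" parser warning from /etc/ipsec.secrets, and reports what the log supports. The sample log is constructed from the lines in the post; the regexes assume strongSwan 5.x charon syslog formatting as seen there, and attributing "retransmit N" lines (which name no peer) to the most recently initiated IKE_SA is a heuristic that is exact only for a single-SA log like this one.

```python
"""Triage a strongSwan charon log excerpt: did each initiated IKE_SA ever get a reply?
Added example; assumes strongSwan 5.x charon syslog output as quoted in the post."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the charon lines in the post (same host, addresses, timing).
SAMPLE_LOG = """\
Sep 22 13:56:53 ip-172-18-30-93 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Sep 22 13:56:53 ip-172-18-30-93 charon: 00[CFG] line 6: missing token
Sep 22 13:57:15 ip-172-18-30-93 charon: 04[IKE] initiating IKE_SA site-1-static-ip[1] to 38.105.201.108
Sep 22 13:57:15 ip-172-18-30-93 charon: 04[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
Sep 22 13:57:15 ip-172-18-30-93 charon: 04[NET] sending packet: from 172.18.30.93[500] to 38.105.201.108[500] (968 bytes)
Sep 22 13:57:19 ip-172-18-30-93 charon: 02[IKE] retransmit 1 of request with message ID 0
Sep 22 13:57:19 ip-172-18-30-93 charon: 02[NET] sending packet: from 172.18.30.93[500] to 38.105.201.108[500] (968 bytes)
Sep 22 13:57:27 ip-172-18-30-93 charon: 01[IKE] retransmit 2 of request with message ID 0
Sep 22 13:57:27 ip-172-18-30-93 charon: 01[NET] sending packet: from 172.18.30.93[500] to 38.105.201.108[500] (968 bytes)
"""

RE_LOADING_SECRETS = re.compile(r"\[CFG\] loading secrets from '(?P<path>[^']+)'")
RE_MISSING_TOKEN = re.compile(r"\[CFG\] line (?P<line>\d+): missing token")
RE_INITIATING = re.compile(r"\[IKE\] initiating IKE_SA (?P<name>\S+)\[(?P<id>\d+)\] to (?P<peer>[\d.]+)")
RE_SENDING = re.compile(r"\[NET\] sending packet: from (?P<src>[\d.]+)\[(?P<sport>\d+)\] to (?P<dst>[\d.]+)\[(?P<dport>\d+)\]")
RE_RECEIVED = re.compile(r"\[NET\] received packet: from (?P<src>[\d.]+)\[(?P<sport>\d+)\] to (?P<dst>[\d.]+)\[(?P<dport>\d+)\]")
RE_RETRANSMIT = re.compile(r"\[IKE\] retransmit (?P<n>\d+) of request with message ID (?P<mid>\d+)")


@dataclass
class IkeSa:
    name: str
    peer: str
    local: str = ""        # source address charon actually sent from
    sent: int = 0          # packets handed to the socket towards this peer
    received: int = 0      # packets that came back from this peer
    retransmits: int = 0   # highest "retransmit N" counter seen


@dataclass
class Report:
    sas: dict = field(default_factory=dict)            # peer address -> IkeSa
    config_warnings: list = field(default_factory=list)


def parse_charon_log(text: str) -> Report:
    report, current_file, last_sa = Report(), None, None
    for line in text.splitlines():
        if m := RE_LOADING_SECRETS.search(line):
            current_file = m.group("path")
        elif m := RE_MISSING_TOKEN.search(line):
            # charon skips the unparsable line and keeps loading the rest of the file
            report.config_warnings.append(f"{current_file or 'unknown file'} line {m.group('line')}: missing token")
        elif m := RE_INITIATING.search(line):
            last_sa = report.sas.setdefault(m.group("peer"), IkeSa(m.group("name"), m.group("peer")))
        elif m := RE_SENDING.search(line):
            if sa := report.sas.get(m.group("dst")):
                sa.sent, sa.local = sa.sent + 1, m.group("src")
        elif m := RE_RECEIVED.search(line):
            if sa := report.sas.get(m.group("src")):
                sa.received += 1
        elif (m := RE_RETRANSMIT.search(line)) and last_sa is not None:
            # heuristic: retransmit lines carry no peer, so charge them to the last initiated SA
            last_sa.retransmits = max(last_sa.retransmits, int(m.group("n")))
    return report


def diagnose(report: Report) -> list:
    findings = []
    for sa in report.sas.values():
        if sa.sent and not sa.received:
            findings.append(f"{sa.name}: {sa.sent} IKE_SA_INIT request(s) to {sa.peer}, {sa.retransmits} retransmit(s), "
                            f"no reply: UDP/500 is not reaching the peer or its reply is dropped on the way back")
            if sa.local and ipaddress.ip_address(sa.local).is_private:
                # an RFC1918 source cannot cross the Internet unchanged, so the peer sees a NATed address
                findings.append(f"{sa.name}: requests leave from private address {sa.local}; the peer sees the "
                                f"NATed public address and must be configured to accept it")
        elif sa.retransmits:
            findings.append(f"{sa.name}: {sa.retransmits} retransmit(s) but the peer did reply; suspect loss or MTU")
    for w in report.config_warnings:
        findings.append(f"config: {w}; the secret on that line was not loaded, IKE_AUTH fails if it is needed")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_charon_log(SAMPLE_LOG)):
        print(finding)
```

Run it against `journalctl -u strongswan` or the syslog file charon writes to; a "no reply" finding means the next step is a packet capture on both ends (tcpdump udp port 500 on the peer's external interface) rather than more configuration changes, since nothing in the IKE proposal is even being evaluated yet.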