[strongSwan] Trying to work out why connection not being established from AWS
Noel Kuntze
noel.kuntze+strongswan-users-ml at thermi.consulting
Fri Sep 22 20:29:35 CEST 2017
That now looks substantially better.
Assuming 54.59.126.254/32 is the elastic IP, you don't need to have it bound to the host. It is fine to send packets
from the private IP, because the VPC NATs them to your assigned elastic IP.
The content of the filelog{} section is the custom stuff that we need to make charon create
that log file and write to it with the specified settings. That's the whole point of it.
It does not exist by default, that's why you have to insert that. If you use modular loading and have the
files from /etc/strongswan.d/ included in the strongswan.conf, then you just put that into the charon-logging.conf file.
You obviously need to nest the sections correctly for it to work. The default config does not contain anything useful, except
the syslog logger, so you can actually just replace the file.
In your firewall configuration I can only find a rule for UDP port 4500, not for 500, to which charon tries to initiate the connection.
If a rule for UDP port 500 is missing, please add it and retry.
> > -A in_cogent -s 54.69.126.245/32 -p udp -m udp --dport 4500 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
Please check if the packets are sent from the host using tcpdump and then check if they arrive on the other side.
If they don't arrive, you can use tracepath to send big packets from and to port 500 and see where they are dropped,
assuming it is not caused by some clever DPI FW or is generally technically refined and deliberate.
Kind regards
Noel
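As an added illustration of the missing-rule check above (this script is not from the thread or from the strongSwan project), the following parses the filter table of an iptables-save dump and reports which of the flows an IKEv2 responder must accept from its peer, UDP 500, UDP 4500 and ESP, have no explicit ACCEPT rule. The embedded ruleset is a constructed, trimmed copy of the nyfw1 in_cogent chain; chain reachability and fwmark-based accepts (the design used on the AWS side) are not modelled, so those still need a manual look.

```python
"""Audit an iptables-save dump for the inbound rules an IKEv2 responder needs.

Checks whether the filter table contains explicit ACCEPT rules letting the
peer reach UDP 500 (IKE), UDP 4500 (NAT-T) and ESP. Accepts based on a mark
set in the mangle table are not understood and show up as missing.
"""
import ipaddress
import shlex
from typing import Dict, List, Set

# Constructed sample (a hypothetical trimmed copy of the nyfw1 ruleset from the
# thread): INPUT hands the uplink to in_cogent, which accepts UDP 4500 from the
# AWS peer but has no rule for UDP 500.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:in_cogent - [0:0]
-A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -i enp2s0f1 -j in_cogent
-A in_cogent -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A in_cogent -s 54.69.126.245/32 -p udp -m udp --dport 4500 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A in_cogent -s 54.69.126.245/32 -p icmp -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A in_cogent -m limit --limit 1/sec -j LOG --log-prefix "IN-cogent:"
-A in_cogent -j DROP
COMMIT
"""

# Flows an IKEv2 responder must accept from the initiator.
REQUIRED: Set[str] = {"udp/500", "udp/4500", "esp"}
UDP_FLOWS = {"udp/500": 500, "udp/4500": 4500}


def parse_filter_rules(dump: str) -> List[Dict[str, str]]:
    """Return the '-A' rules of the *filter table as {option: value} dicts.

    Flags without an argument get an empty value; a '!' negation is folded
    into the key (e.g. '!-s'). Other tables in the dump are skipped.
    """
    rules: List[Dict[str, str]] = []
    in_filter = False
    for line in dump.splitlines():
        if line.startswith("*"):
            in_filter = line.strip() == "*filter"
            continue
        if not in_filter or not line.startswith("-A "):
            continue
        toks = shlex.split(line)
        rule: Dict[str, str] = {"chain": toks[1]}
        negate = False
        i = 2
        while i < len(toks):
            tok = toks[i]
            if tok == "!":
                negate, i = True, i + 1
                continue
            key = ("!" if negate else "") + tok
            negate = False
            if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                rule[key] = toks[i + 1]
                i += 2
            else:
                rule[key] = ""
                i += 1
        rules.append(rule)
    return rules


def flows_accepted(rule: Dict[str, str], peer: str) -> Set[str]:
    """Which of the REQUIRED flows this single rule explicitly ACCEPTs from peer."""
    if rule.get("-j") != "ACCEPT":
        return set()
    peer_ip = ipaddress.ip_address(peer)
    src = rule.get("-s")
    if src and peer_ip not in ipaddress.ip_network(src, strict=False):
        return set()  # rule is scoped to a different source
    neg_src = rule.get("!-s")
    if neg_src and peer_ip in ipaddress.ip_network(neg_src, strict=False):
        return set()  # rule explicitly excludes the peer
    proto = rule.get("-p")
    if proto in ("esp", "50"):
        return {"esp"}
    if proto == "udp":
        dport = rule.get("--dport")  # multiport --dports is not handled
        if dport is None:
            return set(UDP_FLOWS)  # any UDP port, so both IKE ports
        lo, _, hi = dport.partition(":")
        lo_n, hi_n = int(lo), int(hi or lo)
        return {f for f, port in UDP_FLOWS.items() if lo_n <= port <= hi_n}
    return set()


def missing_ike_rules(dump: str, peer: str) -> Set[str]:
    """REQUIRED flows for which no rule in the filter table ACCEPTs the peer."""
    accepted: Set[str] = set()
    for rule in parse_filter_rules(dump):
        accepted |= flows_accepted(rule, peer)
    return REQUIRED - accepted


if __name__ == "__main__":
    for flow in sorted(missing_ike_rules(SAMPLE_RULES, "54.69.126.245")):
        print(f"no explicit ACCEPT for {flow} from the peer")
```

Run it against `iptables-save` output from the responder (the side whose INPUT chain has to let the first IKE_SA_INIT in); on the initiator the replies are matched as ESTABLISHED by conntrack anyway.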
On 22.09.2017 20:13, Whit Blauvelt wrote:
> On Fri, Sep 22, 2017 at 04:49:20PM +0200, Noel Kuntze wrote:
>>> Did, and they don't. Perhaps I have to set a log level higher somewhere?
>>
>> The HelpRequests[1] article contains a good logger configuration you can use.
>
> I see that stanza, and have read the linked wiki page, and it's unclear to
> me in what file that stanza goes. On a stock Ubuntu deb install,
> /etc/strongswan.d/charon where I presume this goes, has 71 configuration
> files in it, none of which currently contains "charon_debug.log" in it. Do I
> just make up a file name for which the stanza should be the whole content?
>
>>> First I tried setting that to the LAN IP which connects to the elastic IP,
>>> but that didn't work either; failed in just the same way. Also, the elastic
>>> IP set does exist on the VM, as it's been assigned as an alias to lo (a
>>> trick the libreswan people recommend).
>>
>> Linux aliases are a deprecated concept. Bind the IP to any local
>> interface. Preferably one that can not go down. You can just add it.
>> Anyway, charon needs to listen on the IP to be able to send packets from
>> it.
>
> I use the word "alias" incorrectly then. It is bound:
>
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>        valid_lft forever preferred_lft forever
>     inet 54.69.126.245/32 scope global lo
>        valid_lft forever preferred_lft forever
>
>> Good configurations are in this[2] article.
>
> Thanks. Found that this morning. That's what my current experience is now based on.
>
> ipsec.conf:
>
> conn sts-base
>     fragmentation=yes
>     dpdaction=restart
>     ike=aes192gcm16-aes128gcm16-aes192-prfsha256-ecp256-ecp521,aes192-sha256-modp3072
>     esp=aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072#
>     keyingtries=%forever
>
> conn site-1-static-ip
>     also=sts-base
>     keyexchange=ikev2
>     leftsubnet=172.18.0.0/16
>     rightsubnet=192.168.1.0/24,172.17.0.0/16
>     right=38.105.201.108
>     auto=route
>     rightauth=psk
>     leftauth=psk
>
> -----
>
> ipsec.conf:
>
> conn sts-base
>     fragmentation=yes
>     dpdaction=restart
>     ike=aes192gcm16-aes128gcm16-aes192-prfsha256-ecp256-ecp521,aes192-sha256-modp3072
>     esp=aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072#
>     keyingtries=%forever
>
> conn site-1-static-ip
>     also=sts-base
>     keyexchange=ikev2
>     leftsubnet=192.168.1.0/24,172.17.0.0/16
>     rightsubnet=172.18.0.0/16
>     right=54.69.126.245
>     auto=route
>     rightauth=psk
>     leftauth=psk
>
> -----
>
> root at ip-172-18-30-93:/etc# ipsec statusall
> Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-77-generic, x86_64):
> uptime: 41 minutes, since Sep 22 13:08:33 2017
> malloc: sbrk 1781760, mmap 0, used 578240, free 1203520
> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
> loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity
> Listening IP addresses:
> 172.18.30.93
> 172.18.14.157
> 10.60.30.1
> Connections:
> site-1-static-ip: %any...38.105.201.108 IKEv2, dpddelay=30s
> site-1-static-ip: local: uses pre-shared key authentication
> site-1-static-ip: remote: [38.105.201.108] uses pre-shared key authentication
> site-1-static-ip: child: 172.18.0.0/16 === 192.168.1.0/24 172.17.0.0/16 TUNNEL, dpdaction=restart
> Routed Connections:
> site-1-static-ip{1}: ROUTED, TUNNEL, reqid 1
> site-1-static-ip{1}: 172.18.0.0/16 === 172.17.0.0/16 192.168.1.0/24
> Security Associations (0 up, 1 connecting):
> site-1-static-ip[1]: CONNECTING, 172.18.30.93[%any]...38.105.201.108[%any]
> site-1-static-ip[1]: IKEv2 SPIs: deb88af4b2622933_i* 0000000000000000_r
> site-1-static-ip[1]: Tasks active: IKE_VENDOR IKE_INIT IKE_NATD IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE
>
> -----
>
> root at nyfw1:/etc# ipsec statusall
> Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-93-generic, x86_64):
> uptime: 42 minutes, since Sep 22 13:08:36 2017
> malloc: sbrk 2727936, mmap 0, used 581040, free 2146896
> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
> loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity
> Listening IP addresses:
> 38.105.201.102
> 38.105.201.108
> 207.239.116.102
> 172.17.10.3
> 192.168.100.3
> 172.17.19.4
> Connections:
> site-1-static-ip: %any...54.69.126.245 IKEv2, dpddelay=30s
> site-1-static-ip: local: uses pre-shared key authentication
> site-1-static-ip: remote: [54.69.126.245] uses pre-shared key authentication
> site-1-static-ip: child: 192.168.1.0/24 172.17.0.0/16 === 172.18.0.0/16 TUNNEL, dpdaction=restart
> Routed Connections:
> site-1-static-ip{1}: ROUTED, TUNNEL, reqid 1
> site-1-static-ip{1}: 172.17.0.0/16 192.168.1.0/24 === 172.18.0.0/16
> Security Associations (0 up, 0 connecting):
> none
>
> -----
>
> # Generated by iptables-save v1.6.0 on Fri Sep 22 13:51:50 2017
> *mangle
> :PREROUTING ACCEPT [4302529:894828902]
> :INPUT ACCEPT [1987872:441967655]
> :FORWARD ACCEPT [2298602:449720283]
> :OUTPUT ACCEPT [2005554:576066283]
> :POSTROUTING ACCEPT [4303466:1025728974]
> -A PREROUTING -p udp -m udp --dport 500 -j MARK --set-xmark 0x1/0xffffffff
> -A PREROUTING -p esp -j MARK --set-xmark 0x1/0xffffffff
> COMMIT
> # Completed on Fri Sep 22 13:51:50 2017
> # Generated by iptables-save v1.6.0 on Fri Sep 22 13:51:50 2017
> *nat
> :PREROUTING ACCEPT [217:14100]
> :INPUT ACCEPT [16:1032]
> :OUTPUT ACCEPT [39:16288]
> :POSTROUTING ACCEPT [15:14272]
> -A POSTROUTING -d 172.17.0.0/16 -j RETURN # added as experiment, didn't help
> -A POSTROUTING -d 172.17.0.0/16 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
> -A POSTROUTING -d 192.167.1.240/32 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
> -A POSTROUTING -s 172.31.32.0/20 -o eth0 -j MASQUERADE
> -A POSTROUTING -s 10.60.30.0/24 -o eth0 -j MASQUERADE
> COMMIT
> # Completed on Fri Sep 22 13:51:50 2017
> # Generated by iptables-save v1.6.0 on Fri Sep 22 13:51:50 2017
> *filter
> :INPUT ACCEPT [1987847:441947159]
> :FORWARD ACCEPT [186297:12183599]
> :OUTPUT ACCEPT [2005563:576067619]
> -A INPUT -m mark --mark 0x1 -j ACCEPT
> -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -s 10.60.30.0/24 -d 172.31.32.0/20 -i tun0 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
> -A FORWARD -m mark --mark 0x1 -j ACCEPT
> -A OUTPUT -m mark --mark 0x1 -j ACCEPT
> COMMIT
> # Completed on Fri Sep 22 13:51:50 2017
>
> -----
>
> root at nyfw1:/etc# iptables-save
> # Generated by iptables-save v1.6.0 on Fri Sep 22 13:54:08 2017
> *raw
> :PREROUTING ACCEPT [10688:4403139]
> :OUTPUT ACCEPT [6801:1304065]
> COMMIT
> # Completed on Fri Sep 22 13:54:08 2017
> # Generated by iptables-save v1.6.0 on Fri Sep 22 13:54:08 2017
> *nat
> :PREROUTING ACCEPT [2325:687964]
> :INPUT ACCEPT [4:180]
> :OUTPUT ACCEPT [259:22938]
> :POSTROUTING ACCEPT [64:6534]
> -A PREROUTING -d 38.105.201.108/32 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j DNAT --to-destination 172.17.19.53
> -A PREROUTING -d 38.105.201.108/32 -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j DNAT --to-destination 172.17.19.53
> -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
> -A POSTROUTING -s 172.17.0.0/16 -d 72.18.0.0/16 -j RETURN
> -A POSTROUTING -s 172.17.0.0/16 -d 54.69.126.245/32 -j RETURN
> -A POSTROUTING -s 192.168.1.0/24 -d 172.18.0.0/16 -j RETURN
> -A POSTROUTING -s 192.168.1.0/24 -d 54.69.126.245/32 -j RETURN
> -A POSTROUTING -s 172.17.19.53/32 -o enp2s0f1 -p udp -m udp --sport 53 -m conntrack --ctstate NEW -j SNAT --to-source 38.105.201.108
> -A POSTROUTING -s 172.17.19.53/32 -o enp2s0f1 -p tcp -m tcp --sport 53 -m conntrack --ctstate NEW -j SNAT --to-source 38.105.201.108
> COMMIT
> # Completed on Fri Sep 22 13:54:08 2017
> # Generated by iptables-save v1.6.0 on Fri Sep 22 13:54:08 2017
> *mangle
> :PREROUTING ACCEPT [10686:4403035]
> :INPUT ACCEPT [10684:4402915]
> :FORWARD ACCEPT [2:120]
> :OUTPUT ACCEPT [6806:1305493]
> :POSTROUTING ACCEPT [6612:1289149]
> -A PREROUTING -m conntrack --ctstate RELATED,ESTABLISHED -j CONNMARK --restore-mark --nfmask 0x1fff --ctmask 0x1fff
> -A PREROUTING -i enp2s0f1 -m conntrack --ctstate NEW -j MARK --set-xmark 0x1/0x3f
> -A PREROUTING -i enp2s0f2 -m conntrack --ctstate NEW -j MARK --set-xmark 0x2/0x3f
> -A PREROUTING -i bond0 -m conntrack --ctstate NEW -j MARK --set-xmark 0x12/0x3f
> -A PREROUTING -i bond1 -m conntrack --ctstate NEW -j MARK --set-xmark 0x13/0x3f
> -A INPUT -m conntrack --ctstate NEW -j CONNMARK --save-mark --nfmask 0x1fff --ctmask 0x1fff
> -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j CONNMARK --restore-mark --nfmask 0x1fff --ctmask 0x1fff
> -A POSTROUTING -o enp2s0f1 -m conntrack --ctstate NEW -j MARK --set-xmark 0x1/0x3f
> -A POSTROUTING -o enp2s0f2 -m conntrack --ctstate NEW -j MARK --set-xmark 0x2/0x3f
> -A POSTROUTING -o bond0 -m conntrack --ctstate NEW -j MARK --set-xmark 0x12/0x3f
> -A POSTROUTING -o bond1 -m conntrack --ctstate NEW -j MARK --set-xmark 0x13/0x3f
> -A POSTROUTING -m conntrack --ctstate NEW -j CONNMARK --save-mark --nfmask 0x1fff --ctmask 0x1fff
> COMMIT
> # Completed on Fri Sep 22 13:54:08 2017
> # Generated by iptables-save v1.6.0 on Fri Sep 22 13:54:08 2017
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0]
> :in_DMZ - [0:0]
> :in_LAN - [0:0]
> :in_cogent - [0:0]
> :in_cogent2dmz - [0:0]
> :in_cogent2lan - [0:0]
> :in_dmz2cogent - [0:0]
> :in_global - [0:0]
> :in_lan2cogent - [0:0]
> :out_DMZ - [0:0]
> :out_LAN - [0:0]
> :out_cogent - [0:0]
> :out_cogent2dmz - [0:0]
> :out_cogent2lan - [0:0]
> :out_dmz2cogent - [0:0]
> :out_global - [0:0]
> :out_lan2cogent - [0:0]
> -A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i enp2s0f1 -j in_cogent
> -A INPUT -i enp2s0f2 -j in_global
> -A INPUT -i bond0 -j in_LAN
> -A INPUT -i vlan19 -j in_DMZ
> -A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
> -A INPUT -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
> -A INPUT -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
> -A INPUT -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
> -A INPUT -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
> -A INPUT -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID INPUT:"
> -A INPUT -m conntrack --ctstate INVALID -j DROP
> -A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
> -A INPUT -m limit --limit 1/sec -j LOG --log-prefix "IN-unknown:"
> -A INPUT -j DROP
> -A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
> -A FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
> -A FORWARD -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
> -A FORWARD -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
> -A FORWARD -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
> -A FORWARD -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
> -A FORWARD -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
> -A FORWARD -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID FORWARD:"
> -A FORWARD -m conntrack --ctstate INVALID -j DROP
> -A FORWARD -i enp2s0f1 -o vlan19 -j in_cogent2dmz
> -A FORWARD -i vlan19 -o enp2s0f1 -j out_cogent2dmz
> -A FORWARD -i vlan19 -o enp2s0f1 -j in_dmz2cogent
> -A FORWARD -i enp2s0f1 -o vlan19 -j out_dmz2cogent
> -A FORWARD -i enp2s0f1 -o bond0 -j in_cogent2lan
> -A FORWARD -i bond0 -o enp2s0f1 -j out_cogent2lan
> -A FORWARD -i bond0 -o enp2s0f1 -j in_lan2cogent
> -A FORWARD -i enp2s0f1 -o bond0 -j out_lan2cogent
> -A FORWARD -p icmp -m conntrack --ctstate RELATED -j ACCEPT
> -A FORWARD -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
> -A FORWARD -m limit --limit 1/sec -j LOG --log-prefix "PASS-unknown:"
> -A FORWARD -j DROP
> -A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
> -A OUTPUT -o lo -j ACCEPT
> -A OUTPUT -o enp2s0f1 -j out_cogent
> -A OUTPUT -o enp2s0f2 -j out_global
> -A OUTPUT -o bond0 -j out_LAN
> -A OUTPUT -o vlan19 -j out_DMZ
> -A OUTPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
> -A OUTPUT -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
> -A OUTPUT -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
> -A OUTPUT -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
> -A OUTPUT -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
> -A OUTPUT -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID OUTPUT:"
> -A OUTPUT -m conntrack --ctstate INVALID -j DROP
> -A OUTPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
> -A OUTPUT -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
> -A OUTPUT -m limit --limit 1/sec -j LOG --log-prefix "OUT-unknown:"
> -A OUTPUT -j DROP
> -A in_DMZ -p icmp -m conntrack --ctstate RELATED -j ACCEPT
> -A in_DMZ -m conntrack --ctstate ESTABLISHED -j ACCEPT
> -A in_DMZ -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper ftp -j ACCEPT
> -A in_DMZ -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper irc -j ACCEPT
> -A in_DMZ -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper sip -j ACCEPT
> -A in_DMZ -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper pptp -j ACCEPT
> -A in_DMZ -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper proto_gre -j ACCEPT
> -A in_DMZ -p udp -m udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
> -A in_DMZ -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
> -A in_DMZ -p icmp -m conntrack --ctstate NEW,ESTABLISHED -m icmp --icmp-type 8 -j ACCEPT
> -A in_DMZ -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
> -A in_DMZ -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
> -A in_DMZ -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
> -A in_DMZ -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
> -A in_DMZ -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
> -A in_DMZ -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID in_DMZ:"
> -A in_DMZ -m conntrack --ctstate INVALID -j DROP
> -A in_DMZ -m limit --limit 1/sec -j LOG --log-prefix "IN-DMZ:"
> -A in_DMZ -j DROP
> -A in_LAN -p icmp -m conntrack --ctstate RELATED -j ACCEPT
> -A in_LAN -m conntrack --ctstate ESTABLISHED -j ACCEPT
> -A in_LAN -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper ftp -j ACCEPT
> -A in_LAN -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper irc -j ACCEPT
> -A in_LAN -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper sip -j ACCEPT
> -A in_LAN -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper pptp -j ACCEPT
> -A in_LAN -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper proto_gre -j ACCEPT
> -A in_LAN -s 172.17.16.0/24 -p tcp -m tcp --sport 1024:65535 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
> -A in_LAN -s 207.136.236.70/32 -p tcp -m tcp --sport 1024:65535 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
> -A in_LAN -s 192.168.1.0/24 -p tcp -m tcp --sport 1024:65535 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
> -A in_LAN -p tcp -m tcp --sport 1024:65535 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
> -A in_LAN -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
> -A in_LAN -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
> -A in_LAN -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
> -A in_LAN -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
> -A in_LAN -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
> -A in_LAN -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID in_LAN:"
> -A in_LAN -m conntrack --ctstate INVALID -j DROP
> -A in_LAN -m limit --limit 1/sec -j LOG --log-prefix "IN-LAN:"
> -A in_LAN -j DROP
> -A in_cogent -p icmp -m conntrack --ctstate RELATED -j ACCEPT
> -A in_cogent -m conntrack --ctstate ESTABLISHED -j ACCEPT
> -A in_cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper ftp -j ACCEPT
> -A in_cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper irc -j ACCEPT
> -A in_cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper sip -j ACCEPT
> -A in_cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper pptp -j ACCEPT
> -A in_cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper proto_gre -j ACCEPT
> -A in_cogent -s 207.136.236.70/32 -p tcp -m tcp --sport 1024:65535 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
> -A in_cogent -d 38.105.201.108/32 -p udp -m udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
> -A in_cogent -d 38.105.201.108/32 -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
> -A in_cogent -s 54.69.126.245/32 -p udp -m udp --dport 4500 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
> -A in_cogent -s 54.69.126.245/32 -p icmp -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
> -A in_cogent -p icmp -m conntrack --ctstate NEW,ESTABLISHED -m icmp --icmp-type 8 -j ACCEPT
> -A in_cogent -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
> -A in_cogent -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
> -A in_cogent -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
> -A in_cogent -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
> -A in_cogent -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
> -A in_cogent -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID in_cogent:"
> -A in_cogent -m conntrack --ctstate INVALID -j DROP
> -A in_cogent -m limit --limit 1/sec -j LOG --log-prefix "IN-cogent:"
> -A in_cogent -j DROP
> -A in_cogent2dmz -p icmp -m conntrack --ctstate RELATED -j ACCEPT
> -A in_cogent2dmz -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
> -A in_cogent2dmz -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
> -A in_cogent2dmz -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper ftp -j ACCEPT
> -A in_cogent2dmz -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper irc -j ACCEPT
> -A in_cogent2dmz -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper sip -j ACCEPT
> -A in_cogent2dmz -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper pptp -j ACCEPT
> -A in_cogent2dmz -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper proto_gre -j ACCEPT
> -A in_cogent2lan -p icmp -m conntrack --ctstate RELATED -j ACCEPT
> -A in_cogent2lan -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
> -A in_cogent2lan -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
> -A in_cogent2lan -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper ftp -j ACCEPT
> -A in_cogent2lan -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper irc -j ACCEPT
> -A in_cogent2lan -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper sip -j ACCEPT
> -A in_cogent2lan -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper pptp -j ACCEPT
> -A in_cogent2lan -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper proto_gre -j ACCEPT
> -A in_dmz2cogent -p icmp -m conntrack --ctstate RELATED -j ACCEPT
> -A in_dmz2cogent -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
> -A in_dmz2cogent -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
> -A in_dmz2cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper ftp -j ACCEPT
> -A in_dmz2cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper irc -j ACCEPT
> -A in_dmz2cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper sip -j ACCEPT
> -A in_dmz2cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper pptp -j ACCEPT
> -A in_dmz2cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper proto_gre -j ACCEPT
> -A in_global -p icmp -m conntrack --ctstate RELATED -j ACCEPT
> -A in_global -m conntrack --ctstate ESTABLISHED -j ACCEPT
> -A in_global -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper ftp -j ACCEPT
> -A in_global -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper irc -j ACCEPT
> -A in_global -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper sip -j ACCEPT
> -A in_global -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper pptp -j ACCEPT
> -A in_global -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper proto_gre -j ACCEPT
> -A in_global -s 207.136.236.70/32 -p tcp -m tcp --sport 1024:65535 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
> -A in_global -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
> -A in_global -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
> -A in_global -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
> -A in_global -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
> -A in_global -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
> -A in_global -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID in_global:"
> -A in_global -m conntrack --ctstate INVALID -j DROP
> -A in_global -m limit --limit 1/sec -j LOG --log-prefix "IN-global:"
> -A in_global -j DROP
> -A in_lan2cogent -p icmp -m conntrack --ctstate RELATED -j ACCEPT
> -A in_lan2cogent -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
> -A in_lan2cogent -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
> -A in_lan2cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper ftp -j ACCEPT
> -A in_lan2cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper irc -j ACCEPT
> -A in_lan2cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper sip -j ACCEPT
> -A in_lan2cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper pptp -j ACCEPT
> -A in_lan2cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper proto_gre -j ACCEPT
> -A out_DMZ -p icmp -m conntrack --ctstate RELATED -j ACCEPT
> -A out_DMZ -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
> -A out_DMZ -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
> -A out_DMZ -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper ftp -j ACCEPT
> -A out_DMZ -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper irc -j ACCEPT
> -A out_DMZ -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper sip -j ACCEPT
> -A out_DMZ -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper pptp -j ACCEPT
> -A out_DMZ -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper proto_gre -j ACCEPT
> -A out_DMZ -p udp -m udp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
> -A out_DMZ -p tcp -m tcp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
> -A out_DMZ -p icmp -m conntrack --ctstate ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
> -A out_DMZ -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
> -A out_DMZ -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
> -A out_DMZ -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
> -A out_DMZ -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
> -A out_DMZ -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
> -A out_DMZ -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID out_DMZ:"
> -A out_DMZ -m conntrack --ctstate INVALID -j DROP
> -A out_DMZ -m limit --limit 1/sec -j LOG --log-prefix "OUT-DMZ:"
> -A out_DMZ -j DROP
> -A out_LAN -p icmp -m conntrack --ctstate RELATED -j ACCEPT
> -A out_LAN -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
> -A out_LAN -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
> -A out_LAN -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper ftp -j ACCEPT
> -A out_LAN -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper irc -j ACCEPT
> -A out_LAN -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper sip -j ACCEPT
> -A out_LAN -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper pptp -j ACCEPT
> -A out_LAN -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper proto_gre -j ACCEPT
> -A out_LAN -d 172.17.16.0/24 -p tcp -m tcp --sport 22 --dport 1024:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
> -A out_LAN -d 207.136.236.70/32 -p tcp -m tcp --sport 22 --dport 1024:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
> -A out_LAN -d 192.168.1.0/24 -p tcp -m tcp --sport 22 --dport 1024:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
> -A out_LAN -p tcp -m tcp --sport 80 --dport 1024:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
> -A out_LAN -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
> -A out_LAN -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
> -A out_LAN -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
> -A out_LAN -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
> -A out_LAN -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
> -A out_LAN -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID out_LAN:"
> -A out_LAN -m conntrack --ctstate INVALID -j DROP
> -A out_LAN -m limit --limit 1/sec -j LOG --log-prefix "OUT-LAN:"
> -A out_LAN -j DROP
> -A out_cogent -p icmp -m conntrack --ctstate RELATED -j ACCEPT
> -A out_cogent -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
> -A out_cogent -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
> -A out_cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper ftp -j ACCEPT
> -A out_cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper irc -j ACCEPT
> -A out_cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper sip -j ACCEPT
> -A out_cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper pptp -j ACCEPT
> -A out_cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper proto_gre -j ACCEPT
> -A out_cogent -d 207.136.236.70/32 -p tcp -m tcp --sport 22 --dport 1024:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
> -A out_cogent -s 38.105.201.108/32 -p udp -m udp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
> -A out_cogent -s 38.105.201.108/32 -p tcp -m tcp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
> -A out_cogent -d 54.69.126.245/32 -p udp -m udp --sport 4500 -m conntrack --ctstate ESTABLISHED -j ACCEPT
> -A out_cogent -d 54.69.126.245/32 -p icmp -m conntrack --ctstate ESTABLISHED -j ACCEPT
> -A out_cogent -p icmp -m conntrack --ctstate ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
> -A out_cogent -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
> -A out_cogent -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
> -A out_cogent -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
> -A out_cogent -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
> -A out_cogent -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
> -A out_cogent -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID out_cogent:"
> -A out_cogent -m conntrack --ctstate INVALID -j DROP
> -A out_cogent -m limit --limit 1/sec -j LOG --log-prefix "OUT-cogent:"
> -A out_cogent -j DROP
> -A out_cogent2dmz -p icmp -m conntrack --ctstate RELATED -j ACCEPT
> -A out_cogent2dmz -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
> -A out_cogent2dmz -m conntrack --ctstate ESTABLISHED -j ACCEPT
> -A out_cogent2dmz -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper ftp -j ACCEPT
> -A out_cogent2dmz -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper irc -j ACCEPT
> -A out_cogent2dmz -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper sip -j ACCEPT
> -A out_cogent2dmz -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper pptp -j ACCEPT
> -A out_cogent2dmz -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper proto_gre -j ACCEPT
> -A out_cogent2lan -p icmp -m conntrack --ctstate RELATED -j ACCEPT
> -A out_cogent2lan -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
> -A out_cogent2lan -m conntrack --ctstate ESTABLISHED -j ACCEPT
> -A out_cogent2lan -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper ftp -j ACCEPT
> -A out_cogent2lan -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper irc -j ACCEPT
> -A out_cogent2lan -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper sip -j ACCEPT
> -A out_cogent2lan -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper pptp -j ACCEPT
> -A out_cogent2lan -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper proto_gre -j ACCEPT
> -A out_dmz2cogent -p icmp -m conntrack --ctstate RELATED -j ACCEPT
> -A out_dmz2cogent -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
> -A out_dmz2cogent -m conntrack --ctstate ESTABLISHED -j ACCEPT
> -A out_dmz2cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper ftp -j ACCEPT
> -A out_dmz2cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper irc -j ACCEPT
> -A out_dmz2cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper sip -j ACCEPT
> -A out_dmz2cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper pptp -j ACCEPT
> -A out_dmz2cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper proto_gre -j ACCEPT
> -A out_global -p icmp -m conntrack --ctstate RELATED -j ACCEPT
> -A out_global -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
> -A out_global -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
> -A out_global -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper ftp -j ACCEPT
> -A out_global -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper irc -j ACCEPT
> -A out_global -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper sip -j ACCEPT
> -A out_global -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper pptp -j ACCEPT
> -A out_global -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper proto_gre -j ACCEPT
> -A out_global -d 207.136.236.70/32 -p tcp -m tcp --sport 22 --dport 1024:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
> -A out_global -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -m conntrack --ctstate INVALID,NEW -j DROP
> -A out_global -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -m conntrack --ctstate INVALID,NEW -j DROP
> -A out_global -p tcp -m tcp --tcp-flags ACK ACK -m conntrack --ctstate INVALID,NEW -j DROP
> -A out_global -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID,NEW -j DROP
> -A out_global -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate INVALID,NEW -j DROP
> -A out_global -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID out_global:"
> -A out_global -m conntrack --ctstate INVALID -j DROP
> -A out_global -m limit --limit 1/sec -j LOG --log-prefix "OUT-global:"
> -A out_global -j DROP
> -A out_lan2cogent -p icmp -m conntrack --ctstate RELATED -j ACCEPT
> -A out_lan2cogent -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
> -A out_lan2cogent -m conntrack --ctstate ESTABLISHED -j ACCEPT
> -A out_lan2cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper ftp -j ACCEPT
> -A out_lan2cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper irc -j ACCEPT
> -A out_lan2cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper sip -j ACCEPT
> -A out_lan2cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper pptp -j ACCEPT
> -A out_lan2cogent -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper proto_gre -j ACCEPT
> COMMIT
> # Completed on Fri Sep 22 13:54:08 2017
>
> -----
>
> Sep 22 13:56:53 ip-172-18-30-93 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-77-generic, x86_64)
> Sep 22 13:56:53 ip-172-18-30-93 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> Sep 22 13:56:53 ip-172-18-30-93 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> Sep 22 13:56:53 ip-172-18-30-93 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> Sep 22 13:56:53 ip-172-18-30-93 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> Sep 22 13:56:53 ip-172-18-30-93 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
> Sep 22 13:56:53 ip-172-18-30-93 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
> Sep 22 13:56:53 ip-172-18-30-93 charon: 00[CFG] line 6: missing token
> Sep 22 13:56:53 ip-172-18-30-93 charon: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
> Sep 22 13:56:53 ip-172-18-30-93 charon: 00[CFG] loaded 0 RADIUS server configurations
> Sep 22 13:56:53 ip-172-18-30-93 charon: 00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity
> Sep 22 13:56:53 ip-172-18-30-93 charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
> Sep 22 13:56:53 ip-172-18-30-93 charon: 00[JOB] spawning 16 worker threads
> Sep 22 13:56:53 ip-172-18-30-93 charon: 11[CFG] received stroke: add connection 'site-1-static-ip'
> Sep 22 13:56:53 ip-172-18-30-93 charon: 11[CFG] added configuration 'site-1-static-ip'
> Sep 22 13:56:53 ip-172-18-30-93 charon: 13[CFG] received stroke: route 'site-1-static-ip'
> Sep 22 13:57:15 ip-172-18-30-93 charon: 04[KNL] creating acquire job for policy 172.18.30.93/32[udp/37849] === 172.17.16.40/32[udp/1025] with reqid {1}
> Sep 22 13:57:15 ip-172-18-30-93 charon: 04[IKE] initiating IKE_SA site-1-static-ip[1] to 38.105.201.108
> Sep 22 13:57:15 ip-172-18-30-93 charon: 04[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
> Sep 22 13:57:15 ip-172-18-30-93 charon: 04[NET] sending packet: from 172.18.30.93[500] to 38.105.201.108[500] (968 bytes)
> Sep 22 13:57:19 ip-172-18-30-93 charon: 02[IKE] retransmit 1 of request with message ID 0
> Sep 22 13:57:19 ip-172-18-30-93 charon: 02[NET] sending packet: from 172.18.30.93[500] to 38.105.201.108[500] (968 bytes)
> Sep 22 13:57:27 ip-172-18-30-93 charon: 01[IKE] retransmit 2 of request with message ID 0
> Sep 22 13:57:27 ip-172-18-30-93 charon: 01[NET] sending packet: from 172.18.30.93[500] to 38.105.201.108[500] (968 bytes)
>
> -----
>
> Sep 22 13:59:30 nyfw1 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-93-generic, x86_64)
> Sep 22 13:59:30 nyfw1 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> Sep 22 13:59:30 nyfw1 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> Sep 22 13:59:30 nyfw1 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> Sep 22 13:59:30 nyfw1 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> Sep 22 13:59:30 nyfw1 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
> Sep 22 13:59:30 nyfw1 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
> Sep 22 13:59:30 nyfw1 charon: 00[CFG] line 6: missing token
> Sep 22 13:59:30 nyfw1 charon: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
> Sep 22 13:59:30 nyfw1 charon: 00[CFG] loaded 0 RADIUS server configurations
> Sep 22 13:59:30 nyfw1 charon: 00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity
> Sep 22 13:59:30 nyfw1 charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
> Sep 22 13:59:30 nyfw1 charon: 00[JOB] spawning 16 worker threads
> Sep 22 13:59:30 nyfw1 charon: 12[CFG] received stroke: add connection 'site-1-static-ip'
> Sep 22 13:59:30 nyfw1 charon: 12[CFG] added configuration 'site-1-static-ip'
> Sep 22 13:59:30 nyfw1 charon: 04[CFG] received stroke: route 'site-1-static-ip'
>
> -----
>
> root at ip-172-18-30-93:/etc# ip ro sho tab all
> 172.17.0.0/16 via 172.18.30.1 dev eth0 table 220 proto static src 172.18.30.93
> 192.168.1.0/24 via 172.18.30.1 dev eth0 table 220 proto static src 172.18.30.93
> default via 172.18.30.1 dev eth0
> 10.60.30.0/24 via 10.60.30.2 dev tun0
> 10.60.30.2 dev tun0 proto kernel scope link src 10.60.30.1
> 172.18.14.0/24 dev eth1 proto kernel scope link src 172.18.14.157
> 172.18.30.0/24 dev eth0 proto kernel scope link src 172.18.30.93
> local 10.60.30.1 dev tun0 table local proto kernel scope host src 10.60.30.1
> local 54.69.126.245 dev lo table local proto kernel scope host src 54.69.126.245
> broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
> local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
> local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
> broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
> broadcast 172.18.14.0 dev eth1 table local proto kernel scope link src 172.18.14.157
> local 172.18.14.157 dev eth1 table local proto kernel scope host src 172.18.14.157
> broadcast 172.18.14.255 dev eth1 table local proto kernel scope link src 172.18.14.157
> broadcast 172.18.30.0 dev eth0 table local proto kernel scope link src 172.18.30.93
> local 172.18.30.93 dev eth0 table local proto kernel scope host src 172.18.30.93
> broadcast 172.18.30.255 dev eth0 table local proto kernel scope link src 172.18.30.93
> unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium
> fe80::/64 dev eth0 proto kernel metric 256 pref medium
> fe80::/64 dev eth1 proto kernel metric 256 mtu 9001 pref medium
> unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium
> local ::1 dev lo table local proto none metric 0 pref medium
> local fe80::40e:91ff:fe1c:8ff0 dev lo table local proto none metric 0 pref medium
> local fe80::40f:82ff:feac:c99e dev lo table local proto none metric 0 pref medium
> ff00::/8 dev eth0 table local metric 256 pref medium
> ff00::/8 dev eth1 table local metric 256 mtu 9001 pref medium
> unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium
>
> -----
>
> root at nyfw1:/etc# ip ro sho tab all
> default via 207.239.116.97 dev enp2s0f2 table Global
> 38.105.201.96/27 dev enp2s0f1 table Global proto kernel scope link src 38.105.201.102
> 172.17.10.0/24 dev bond0 table Global proto kernel scope link src 172.17.10.3
> 172.17.16.0/24 via 172.17.10.254 dev bond0 table Global
> 172.17.19.0/24 dev vlan19 table Global proto kernel scope link src 172.17.19.4
> 172.18.0.0/16 dev enp2s0f1 table Global scope link src 38.105.201.108
> 192.168.1.0/24 via 172.17.10.254 dev bond0 table Global
> 207.239.116.96/27 dev enp2s0f2 table Global proto kernel scope link src 207.239.116.102
> default via 38.105.201.97 dev enp2s0f1 table Cogent
> 38.105.201.96/27 dev enp2s0f1 table Cogent proto kernel scope link src 38.105.201.102
> 54.69.126.245 via 38.105.201.97 dev enp2s0f1 table Cogent src 38.105.201.108
> 172.17.10.0/24 dev bond0 table Cogent proto kernel scope link src 172.17.10.3
> 172.17.16.0/24 via 172.17.10.254 dev bond0 table Cogent
> 172.17.19.0/24 dev vlan19 table Cogent proto kernel scope link src 172.17.19.4
> 172.18.0.0/16 dev enp2s0f1 table Cogent scope link src 38.105.201.108
> 192.168.1.0/24 via 172.17.10.254 dev bond0 table Cogent
> 207.239.116.96/27 dev enp2s0f2 table Cogent proto kernel scope link src 207.239.116.102
> default via 172.17.10.254 dev bond0 table NYlan
> 38.105.201.96/27 dev enp2s0f1 table NYlan proto kernel scope link src 38.105.201.102
> 54.69.126.245 via 38.105.201.97 dev enp2s0f1 table NYlan src 38.105.201.108
> 172.17.10.0/24 dev bond0 table NYlan proto kernel scope link src 172.17.10.3
> 172.17.16.0/24 via 172.17.10.254 dev bond0 table NYlan
> 172.17.19.0/24 dev vlan19 table NYlan proto kernel scope link src 172.17.19.4
> 172.18.0.0/16 dev enp2s0f1 table NYlan scope link src 38.105.201.108
> 192.168.1.0/24 via 172.17.10.254 dev bond0 table NYlan
> 207.239.116.96/27 dev enp2s0f2 table NYlan proto kernel scope link src 207.239.116.102
> 172.18.0.0/16 via 38.105.201.97 dev enp2s0f1 table 220 proto static src 172.17.10.3
> default via 38.105.201.97 dev enp2s0f1
> 38.105.201.96/27 dev enp2s0f1 proto kernel scope link src 38.105.201.102
> 54.69.126.245 via 38.105.201.97 dev enp2s0f1 src 38.105.201.108
> 172.17.10.0/24 dev bond0 proto kernel scope link src 172.17.10.3
> 172.17.16.0/24 via 172.17.10.254 dev bond0
> 172.17.19.0/24 dev vlan19 proto kernel scope link src 172.17.19.4
> 172.18.0.0/16 dev enp2s0f1 scope link src 38.105.201.108
> 192.168.1.0/24 via 172.17.10.254 dev bond0
> 192.168.100.0/24 dev bond1 proto kernel scope link src 192.168.100.3 linkdown
> 207.239.116.96/27 dev enp2s0f2 proto kernel scope link src 207.239.116.102
> broadcast 38.105.201.96 dev enp2s0f1 table local proto kernel scope link src 38.105.201.102
> local 38.105.201.102 dev enp2s0f1 table local proto kernel scope host src 38.105.201.102
> local 38.105.201.108 dev enp2s0f1 table local proto kernel scope host src 38.105.201.108
> broadcast 38.105.201.127 dev enp2s0f1 table local proto kernel scope link src 38.105.201.102
> broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
> local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
> local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
> broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
> broadcast 172.17.10.0 dev bond0 table local proto kernel scope link src 172.17.10.3
> local 172.17.10.3 dev bond0 table local proto kernel scope host src 172.17.10.3
> broadcast 172.17.10.255 dev bond0 table local proto kernel scope link src 172.17.10.3
> broadcast 172.17.19.0 dev vlan19 table local proto kernel scope link src 172.17.19.4
> local 172.17.19.4 dev vlan19 table local proto kernel scope host src 172.17.19.4
> broadcast 172.17.19.255 dev vlan19 table local proto kernel scope link src 172.17.19.4
> broadcast 192.168.100.0 dev bond1 table local proto kernel scope link src 192.168.100.3 linkdown
> local 192.168.100.3 dev bond1 table local proto kernel scope host src 192.168.100.3
> broadcast 192.168.100.255 dev bond1 table local proto kernel scope link src 192.168.100.3 linkdown
> broadcast 207.239.116.96 dev enp2s0f2 table local proto kernel scope link src 207.239.116.102
> local 207.239.116.102 dev enp2s0f2 table local proto kernel scope host src 207.239.116.102
> broadcast 207.239.116.127 dev enp2s0f2 table local proto kernel scope link src 207.239.116.102
> unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium
> fe80::/64 dev enp2s0f2 proto kernel metric 256 pref medium
> fe80::/64 dev eno2 proto kernel metric 256 pref medium
> fe80::/64 dev bond0 proto kernel metric 256 pref medium
> fe80::/64 dev enp2s0f1 proto kernel metric 256 pref medium
> fe80::/64 dev enp2s0f3 proto kernel metric 256 pref medium
> fe80::/64 dev vlan19 proto kernel metric 256 pref medium
> unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium
> local ::1 dev lo table local proto none metric 0 pref medium
> local fe80::3617:ebff:fef1:a537 dev lo table local proto none metric 0 pref medium
> local fe80::3617:ebff:fef1:a537 dev lo table local proto none metric 0 pref medium
> local fe80::3617:ebff:fef1:a538 dev lo table local proto none metric 0 pref medium
> local fe80::a236:9fff:fea6:f851 dev lo table local proto none metric 0 pref medium
> local fe80::a236:9fff:fea6:f852 dev lo table local proto none metric 0 pref medium
> local fe80::a236:9fff:fea6:f853 dev lo table local proto none metric 0 pref medium
> ff00::/8 dev enp2s0f2 table local metric 256 pref medium
> ff00::/8 dev eno2 table local metric 256 pref medium
> ff00::/8 dev bond0 table local metric 256 pref medium
> ff00::/8 dev enp2s0f1 table local metric 256 pref medium
> ff00::/8 dev enp2s0f3 table local metric 256 pref medium
> ff00::/8 dev vlan19 table local metric 256 pref medium
> unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium
>
> ----
>
> root at ip-172-18-30-93:/etc# ip ru ls
> 0: from all lookup local
> 220: from all lookup 220
> 32766: from all lookup main
> 32767: from all lookup default
>
> -----
>
> root at nyfw1:/etc# ip ru ls
> 0: from all lookup local
> 220: from all lookup 220
> 1100: from all fwmark 0x1/0x3f lookup Cogent
> 1200: from all fwmark 0x2/0x3f lookup Global
> 1300: from all fwmark 0x12/0x3f lookup NYlan
> 1400: from 38.105.201.102 lookup Cogent
> 1401: from 38.105.201.108 lookup Cogent
> 1500: from 207.239.116.102 lookup Global
> 1600: from 172.17.10.3 lookup NYlan
> 32766: from all lookup main
> 32767: from all lookup default
>
> ----
>
> root at ip-172-18-30-93:/etc/strongswan.d/charon# ip addr ls
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> valid_lft forever preferred_lft forever
> inet 54.69.126.245/32 scope global lo
> valid_lft forever preferred_lft forever
> inet6 ::1/128 scope host
> valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast state UP group default qlen 1000
> link/ether 06:0f:82:ac:c9:9e brd ff:ff:ff:ff:ff:ff
> inet 172.18.30.93/24 brd 172.18.30.255 scope global eth0
> valid_lft forever preferred_lft forever
> inet6 fe80::40f:82ff:feac:c99e/64 scope link
> valid_lft forever preferred_lft forever
> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast state UP group default qlen 1000
> link/ether 06:0e:91:1c:8f:f0 brd ff:ff:ff:ff:ff:ff
> inet 172.18.14.157/24 brd 172.18.14.255 scope global eth1
> valid_lft forever preferred_lft forever
> inet6 fe80::40e:91ff:fe1c:8ff0/64 scope link
> valid_lft forever preferred_lft forever
> 16: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
> link/none
> inet 10.60.30.1 peer 10.60.30.2/32 scope global tun0
> valid_lft forever preferred_lft forever
> 17: eth2: <BROADCAST,MULTICAST> mtu 9001 qdisc pfifo_fast state DOWN group default qlen 1000
> link/ether 06:e4:f7:89:42:5b brd ff:ff:ff:ff:ff:ff
> 18: ip_vti0 at NONE: <NOARP> mtu 1332 qdisc noop state DOWN group default qlen 1
> link/ipip 0.0.0.0 brd 0.0.0.0
>
> -----
>
> root at nyfw1:/etc# ip addr ls
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> valid_lft forever preferred_lft forever
> inet6 ::1/128 scope host
> valid_lft forever preferred_lft forever
> 2: eno1: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP group default qlen 1000
> link/ether 34:17:eb:f1:a5:37 brd ff:ff:ff:ff:ff:ff
> 3: enp2s0f0: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP group default qlen 1000
> link/ether 34:17:eb:f1:a5:37 brd ff:ff:ff:ff:ff:ff
> 4: eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
> link/ether 34:17:eb:f1:a5:38 brd ff:ff:ff:ff:ff:ff
> inet6 fe80::3617:ebff:fef1:a538/64 scope link
> valid_lft forever preferred_lft forever
> 5: enp2s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
> link/ether a0:36:9f:a6:f8:51 brd ff:ff:ff:ff:ff:ff
> inet 38.105.201.102/27 brd 38.105.201.127 scope global enp2s0f1
> valid_lft forever preferred_lft forever
> inet 38.105.201.108/32 scope global enp2s0f1
> valid_lft forever preferred_lft forever
> inet6 fe80::a236:9fff:fea6:f851/64 scope link
> valid_lft forever preferred_lft forever
> 6: enp2s0f2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
> link/ether a0:36:9f:a6:f8:52 brd ff:ff:ff:ff:ff:ff
> inet 207.239.116.102/27 brd 207.239.116.127 scope global enp2s0f2
> valid_lft forever preferred_lft forever
> inet6 fe80::a236:9fff:fea6:f852/64 scope link
> valid_lft forever preferred_lft forever
> 7: enp2s0f3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
> link/ether a0:36:9f:a6:f8:53 brd ff:ff:ff:ff:ff:ff
> inet6 fe80::a236:9fff:fea6:f853/64 scope link
> valid_lft forever preferred_lft forever
> 8: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
> link/ether 34:17:eb:f1:a5:37 brd ff:ff:ff:ff:ff:ff
> inet 172.17.10.3/24 brd 172.17.10.255 scope global bond0
> valid_lft forever preferred_lft forever
> inet6 fe80::3617:ebff:fef1:a537/64 scope link
> valid_lft forever preferred_lft forever
> 9: bond1: <NO-CARRIER,BROADCAST,MULTICAST,MASTER,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
> link/ether 72:db:73:34:3b:51 brd ff:ff:ff:ff:ff:ff
> inet 192.168.100.3/24 brd 192.168.100.255 scope global bond1
> valid_lft forever preferred_lft forever
> 10: ip_vti0 at NONE: <NOARP> mtu 1332 qdisc noop state DOWN group default qlen 1
> link/ipip 0.0.0.0 brd 0.0.0.0
> 13: vlan19 at bond0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
> link/ether 34:17:eb:f1:a5:37 brd ff:ff:ff:ff:ff:ff
> inet 172.17.19.4/24 brd 172.17.19.255 scope global vlan19
> valid_lft forever preferred_lft forever
> inet6 fe80::3617:ebff:fef1:a537/64 scope link
> valid_lft forever preferred_lft forever
>
> -----
>
> Current problem:
>
> Can't fully establish tunnel.
>
> Thanks,
> Whit
>
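The rule dump and the charon log quoted above are the two artefacts a defender checks first when an IKE_SA_INIT is retransmitted with nothing coming back: does the responder's inbound chain actually accept a fresh UDP 500 packet from the peer (not only UDP 4500), and does the initiator's log ever show a received packet from that peer? The following script is an added example, not code from the thread or from the strongSwan project. It walks an iptables-save chain the way netfilter would for a NEW packet and reports the first terminating verdict, and it lists peers that charon sent to without logging any reply. The chain name `in_wan`, the RFC 5737 addresses, and the log lines are constructed samples in the same shape as the quoted output; only the matches the script models (`-s`, `-d`, `-p`, `--sport`, `--dport`, `--ctstate`, `-j`) are interpreted and all other options are skipped.

```python
"""Added example (not from the thread): check an iptables-save chain and a
charon log for the IKE failure pattern quoted above. Addresses, chain name
and log lines are constructed samples, not the poster's real ones."""
import ipaddress
import re
import shlex
from dataclasses import dataclass
from typing import Optional

# Constructed responder-side inbound chain: only NAT-T (UDP 4500) is opened
# for the initiator's public address, UDP 500 is not.
SAMPLE_RULES = """\
-A in_wan -s 192.0.2.10/32 -p udp -m udp --dport 4500 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A in_wan -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "BLOCKED INVALID in_wan:"
-A in_wan -m conntrack --ctstate INVALID -j DROP
-A in_wan -m limit --limit 1/sec -j LOG --log-prefix "IN-wan:"
-A in_wan -j DROP
"""
# Same chain with the UDP 500 rule the IKE_SA_INIT exchange needs.
FIXED_RULES = ("-A in_wan -s 192.0.2.10/32 -p udp -m udp --dport 500 "
               "-m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\n" + SAMPLE_RULES)

# Constructed initiator-side charon lines (host sends from a private address,
# as a NATed cloud instance would) in the same shape as the quoted log.
SAMPLE_LOG = """\
Sep 22 13:57:15 gw1 charon: 04[IKE] initiating IKE_SA site-1[1] to 198.51.100.5
Sep 22 13:57:15 gw1 charon: 04[NET] sending packet: from 10.0.0.5[500] to 198.51.100.5[500] (968 bytes)
Sep 22 13:57:19 gw1 charon: 02[IKE] retransmit 1 of request with message ID 0
Sep 22 13:57:19 gw1 charon: 02[NET] sending packet: from 10.0.0.5[500] to 198.51.100.5[500] (968 bytes)
Sep 22 13:57:27 gw1 charon: 01[IKE] retransmit 2 of request with message ID 0
Sep 22 13:57:27 gw1 charon: 01[NET] sending packet: from 10.0.0.5[500] to 198.51.100.5[500] (968 bytes)
"""


@dataclass
class Rule:
    chain: str = ""
    target: str = ""
    src: Optional[str] = None       # -s, CIDR or bare address
    dst: Optional[str] = None       # -d
    proto: Optional[str] = None     # -p
    sport: Optional[str] = None     # --sport, "N" or "A:B"
    dport: Optional[str] = None     # --dport
    ctstates: Optional[set] = None  # --ctstate; None if no conntrack match


SIMPLE_OPTS = {"-A": "chain", "-j": "target", "-s": "src", "-d": "dst",
               "-p": "proto", "--sport": "sport", "--dport": "dport"}


def parse_rules(text):
    """Parse the '-A chain ...' lines of an iptables-save dump into Rule objects."""
    rules = []
    for line in text.splitlines():
        if not line.startswith("-A "):
            continue
        tok = shlex.split(line)  # keeps a quoted --log-prefix as one token
        r, i = Rule(), 0
        while i < len(tok):
            t, v = tok[i], (tok[i + 1] if i + 1 < len(tok) else None)
            if t in SIMPLE_OPTS:
                setattr(r, SIMPLE_OPTS[t], v)
            elif t == "--ctstate":
                r.ctstates = set(v.split(","))
            else:               # "-m conntrack", "--limit 1/sec", ...: skip
                i += 1
                continue
            i += 2
        rules.append(r)
    return rules


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    ctstate: str  # state conntrack would assign: NEW, ESTABLISHED, ...


def _in_net(addr, spec):
    return spec is None or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_ok(spec, port):
    if spec is None:
        return True
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)


def rule_matches(r, p):
    return (_in_net(p.src, r.src) and _in_net(p.dst, r.dst)
            and (r.proto is None or r.proto == p.proto)
            and _port_ok(r.sport, p.sport) and _port_ok(r.dport, p.dport)
            and (r.ctstates is None or p.ctstate in r.ctstates))


def verdict(rules, chain, p):
    """Target of the first terminating rule in `chain` matching p.
    LOG is non-terminating and skipped; None means the chain fell through."""
    for r in rules:
        if r.chain == chain and r.target != "LOG" and rule_matches(r, p):
            return r.target
    return None


def ike_verdicts(rules, chain, peer, me):
    """Verdict for the first (NEW) packet of a peer-initiated IKE exchange on 500 and 4500."""
    return {port: verdict(rules, chain, Packet(peer, me, "udp", port, port, "NEW"))
            for port in (500, 4500)}


SEND_RE = re.compile(r"sending packet: from \S+\[\d+\] to (\S+)\[(\d+)\]")
RECV_RE = re.compile(r"received packet: from (\S+)\[(\d+)\]")


def unanswered_peers(log_text):
    """{(peer, port): packets sent} for destinations that never sent anything back."""
    sent, heard = {}, set()
    for line in log_text.splitlines():
        m = SEND_RE.search(line)
        if m:
            key = (m.group(1), int(m.group(2)))
            sent[key] = sent.get(key, 0) + 1
            continue
        m = RECV_RE.search(line)
        if m:
            heard.add((m.group(1), int(m.group(2))))
    return {k: n for k, n in sent.items() if k not in heard}


if __name__ == "__main__":
    print("before:", ike_verdicts(parse_rules(SAMPLE_RULES), "in_wan", "192.0.2.10", "198.51.100.5"))
    print("after: ", ike_verdicts(parse_rules(FIXED_RULES), "in_wan", "192.0.2.10", "198.51.100.5"))
    print("unanswered:", unanswered_peers(SAMPLE_LOG))
```

On the sample chain the NEW UDP 500 packet falls past the 4500 rule to the final `DROP`, while the same packet is accepted once the UDP 500 rule is present; the log check reports three sends to the peer's port 500 with no reply. A `None` verdict means the chain fell through to its policy or the calling chain, which this script does not model, so treat that as "look further", not as ACCEPT.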