[strongSwan] Strongswan IPSec VPN is up but does not pass traffic

Shuchen He georgehsc at hotmail.com
Wed Mar 14 00:48:44 CET 2018


Hi Noel,

Thank you for the update. Please see the output below. Yes, I understand that the DH group should rather be 5; thanks for the reminder.

iptables-save -c
# Generated by iptables-save v1.6.2 on Wed Mar 14 07:34:57 2018
*raw
:PREROUTING ACCEPT [1610:117869]
:OUTPUT ACCEPT [2109:892186]
COMMIT
# Completed on Wed Mar 14 07:34:57 2018
# Generated by iptables-save v1.6.2 on Wed Mar 14 07:34:57 2018
*nat
:PREROUTING ACCEPT [32:14382]
:INPUT ACCEPT [32:14382]
:OUTPUT ACCEPT [31:2493]
:POSTROUTING ACCEPT [5:208]
[26:2285] -A POSTROUTING -o usb0 -j MASQUERADE
COMMIT
# Completed on Wed Mar 14 07:34:57 2018
# Generated by iptables-save v1.6.2 on Wed Mar 14 07:34:57 2018
*mangle
:PREROUTING ACCEPT [1611:117909]
:INPUT ACCEPT [1611:117909]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2117:893322]
:POSTROUTING ACCEPT [2121:893390]
COMMIT
# Completed on Wed Mar 14 07:34:57 2018
# Generated by iptables-save v1.6.2 on Wed Mar 14 07:34:57 2018
*filter
:INPUT ACCEPT [1612:117949]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2120:893774]
[0:0] -A FORWARD -i eth0 -j ACCEPT
[0:0] -A FORWARD -i wlan0 -j ACCEPT
COMMIT
# Completed on Wed Mar 14 07:34:57 2018
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 50:ff:99:30:13:10 brd ff:ff:ff:ff:ff:ff
    inet 192.168.199.100/24 brd 192.168.199.255 scope global eth0
    inet 192.168.199.254/24 brd 192.168.199.254 scope global secondary eth0
    inet6 fe80::52ff:99ff:fe30:1310/64 scope link
  valid_lft forever preferred_lft forever
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
    link/ether 50:ff:99:30:13:11 brd ff:ff:ff:ff:ff:ff
4: tunl0: <NOARP> mtu 1480 qdisc noop state DOWN
    link/ipip 0.0.0.0 brd 0.0.0.0
5: sit0: <NOARP> mtu 1480 qdisc noop state DOWN
    link/sit 0.0.0.0 brd 0.0.0.0
6: ip6tnl0: <NOARP> mtu 1452 qdisc noop state DOWN
    link/tunnel6 :: brd ::
7: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 08:ea:40:72:28:b7 brd ff:ff:ff:ff:ff:ff
    inet 192.168.126.1/24 brd 192.168.126.255 scope global wlan0
    inet6 fe80::aea:40ff:fe72:28b7/64 scope link
       valid_lft forever preferred_lft forever
8: usb0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 02:1e:10:1f:00:00 brd ff:ff:ff:ff:ff:ff
    inet 10.168.60.225/30 brd 10.168.60.227 scope global usb0
    inet 10.2.1.213/32 scope global usb0
    inet6 fe80::1e:10ff:fe1f:0/64 scope link
       valid_lft forever preferred_lft forever
# ip r show table all
10.2.1.0/24 via 10.168.60.226 dev usb0  table 220  proto static  src 192.168.199.100
default via 10.168.60.226 dev usb0
10.168.60.224/30 dev usb0  proto kernel  scope link  src 10.168.60.225
192.168.126.0/24 dev wlan0  proto kernel  scope link  src 192.168.126.1
192.168.199.0/24 dev eth0  proto kernel  scope link  src 192.168.199.100
local 10.2.1.213 dev usb0  table local  proto kernel  scope host src 10.2.1.213
broadcast 10.168.60.224 dev usb0  table local  proto kernel  scope link  src 10.168.60.225
local 10.168.60.225 dev usb0  table local  proto kernel  scope host  src 10.168.60.225
broadcast 10.168.60.227 dev usb0  table local  proto kernel  scope link  src 10.168.60.225
broadcast 127.0.0.0 dev lo  table local  proto kernel  scope link src 127.0.0.1
local 127.0.0.0/8 dev lo  table local  proto kernel  scope host  src 127.0.0.1
local 127.0.0.1 dev lo  table local  proto kernel  scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo  table local  proto kernel  scope link  src 127.0.0.1
broadcast 192.168.126.0 dev wlan0  table local  proto kernel  scope link  src 192.168.126.1
local 192.168.126.1 dev wlan0  table local  proto kernel  scope host  src 192.168.126.1
broadcast 192.168.126.255 dev wlan0  table local  proto kernel  scope link  src 192.168.126.1
broadcast 192.168.199.0 dev eth0  table local  proto kernel  scope link  src 192.168.199.100
local 192.168.199.100 dev eth0  table local  proto kernel  scope host  src 192.168.199.100
local 192.168.199.254 dev eth0  table local  proto kernel  scope host  src 192.168.199.100
broadcast 192.168.199.254 dev eth0  table local  proto kernel  scope link  src 192.168.199.100
broadcast 192.168.199.255 dev eth0  table local  proto kernel  scope link  src 192.168.199.100
unreachable default dev lo  table unspec  proto kernel  metric 4294967295  error -101 hoplimit 255
fe80::/64 dev wlan0  proto kernel  metric 256
fe80::/64 dev eth0  proto kernel  metric 256
fe80::/64 dev usb0  proto kernel  metric 256
unreachable default dev lo  table unspec  proto kernel  metric 4294967295  error -101 hoplimit 255
local ::1 via :: dev lo  table local  proto none  metric 0
local fe80:: via :: dev lo  table local  proto none  metric 0
local fe80:: via :: dev lo  table local  proto none  metric 0
local fe80:: via :: dev lo  table local  proto none  metric 0
local fe80::1e:10ff:fe1f:0 via :: dev lo  table local  proto none metric 0
local fe80::aea:40ff:fe72:28b7 via :: dev lo  table local  proto none  metric 0
local fe80::52ff:99ff:fe30:1310 via :: dev lo  table local  proto none  metric 0
ff00::/8 dev wlan0  table local  metric 256
ff00::/8 dev eth0  table local  metric 256
ff00::/8 dev usb0  table local  metric 256
unreachable default dev lo  table unspec  proto kernel  metric 4294967295  error -101 hoplimit 255
# ip ru
0:      from all lookup local
220:    from all lookup 220
32766:  from all lookup main
32767:  from all lookup default
# ip route list table 220
10.2.1.0/24 via 10.168.60.226 dev usb0  proto static  src 192.168.199.100

________________________________
From: Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting>
Sent: Wednesday, 14 March 2018 12:24 AM
To: Shuchen He; users at lists.strongswan.org
Subject: Re: [strongSwan] Strongswan IPSec VPN is up but does not pass traffic

Hi,

Please provide the outputs of `iptables-save -c`, `ip a`, `ip r show table all` and `ip ru`.
Btw, modp768 is considered broken, same for 1024.

Kind regards

Noel

On 12.03.2018 11:45, Shuchen He wrote:
> Hi,
>
> I have set up a VPN between an ASA and strongSwan using IKEv1. The strongSwan side works as a remote VPN using PSK XAuth.
>
> The VPN tunnel is up but I can not ping the remote site. Below is the configuration and some output.
>
> My observation at the moment is that the Linux kernel has set up everything, but the TS traffic just does not leave the Linux box. When I ping the remote site, I can see that "ip xfrm state" actually shows a flow for my traffic... but the flow is somehow dropped by either the kernel or strongSwan.
>
> Can you please let me know what else I should do to further troubleshoot the issue?
>
> Configuration
> connections {
>     home {
>         aggressive = yes
>         dpd_delay = 30
>         dpd_timeout = 90
>         version = 1
>         remote_addrs = 126.2.1.4
>         # uncomment if the responder only supports crappy crypto. But seriously,
>         # every single one of those algorithms is broken. Better spend some $$$
>         # on a better solution.
>         proposals = aes256-sha1-modp1024
>         vips = 0.0.0.0,::
>         local-1 {
>             auth = psk
>             id = acompanyTest
>         }
>         local-2 {
>             auth = xauth-generic
>             xauth_id = acompanyTest
>         }
>         remote-1 {
>             auth = psk
>             # You might have to set this to the correct value, if the responder isn't configured correctly.
>             #id = 126.2.1.4
>         }
>         children {
>             home {
>                 remote_ts = 10.2.1.0/24
>                 #local_ts = 192.168.199.0/24,0.0.0.0
>                 # uncomment if the responder only supports crappy crypto. But seriously,
>                 # every single one of those algorithms is broken. Better spend some $$$
>                 # on a better solution.
>                 # esp_proposals = 3des-md5!
>                 # Use this, if you want PFS with DH group 2.
>                 # esp_proposals = 3des-md5-modp1024!
>                 esp_proposals = aes128-sha1-modp768
>             }
>         }
>     }
> }
> secrets {
>     ike-home {
>         id = 126.2.1.4
>         secret = "acompany123"
>     }
>     eap-home {
>         id = acompanyTest
>         secret = "acompany123"
>     }
> }
>
> # ipsec statusall
> Status of IKE charon daemon (strongSwan 5.6.2, Linux 3.0.35-2666-gbdde708-g889281e-dirty, armv7l):
>   uptime: 18 minutes, since Mar 12 18:15:45 2018
>   malloc: sbrk 253952, mmap 0, used 158560, free 95392
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
>   loaded plugins: charon aes des rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic counters
> Listening IP addresses:
>   192.168.199.100
>   192.168.199.254
>   192.168.199.141
>   192.168.126.1
>   10.39.63.211
> Connections:
>         site:  %any...126.2.1.4  IKEv1
>         site:   local:  [mylocalsite] uses pre-shared key authentication
>         site:   remote: uses pre-shared key authentication
>         site:   child:  192.168.199.0/24 === 10.2.1.0/24 TUNNEL
>         home:  %any...126.2.1.4  IKEv1 Aggressive, dpddelay=30s
>         home:   local:  [acompanyTest] uses pre-shared key authentication
>         home:   local:  uses XAuth authentication: generic with XAuth identity 'acompanyTest'
>         home:   remote: uses pre-shared key authentication
>         home:   child:  dynamic === 10.2.1.0/24 TUNNEL, dpdaction=clear
> Routed Connections:
>         site{1}:  ROUTED, TUNNEL, reqid 1
>         site{1}:   192.168.199.0/24 === 10.2.1.0/24
> Security Associations (1 up, 0 connecting):
>         home[1]: ESTABLISHED 17 minutes ago, 10.39.63.211[acompanyTest]...126.2.1.4[126.2.1.4]
>         home[1]: IKEv1 SPIs: 504550d01ee905e2_i* 2311e0ae0c6c454f_r, rekeying in 3 hours
>         home[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>         home{2}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: cc621d5e_i 3545bd6a_o
>         home{2}:  AES_CBC_128/HMAC_SHA1_96/MODP_768, 0 bytes_i, 0 bytes_o, rekeying in 40 minutes
>         home{2}:   10.2.1.211/32 === 10.2.1.0/24
> root at wheezy-armel:~ 18:33:49
> # ifconfig
> eth0      Link encap:Ethernet  HWaddr 50:ff:99:30:13:10
>           inet addr:192.168.199.100  Bcast:192.168.199.255  Mask:255.255.255.0
>           inet6 addr: fe80::52ff:99ff:fe30:1310/64 Scope:Link
>           UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
>           RX packets:3585 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:1318 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:422967 (413.0 KiB)  TX bytes:177070 (172.9 KiB)
> eth1      Link encap:Ethernet  HWaddr 50:ff:99:30:13:11
>           inet addr:192.168.199.141  Bcast:192.168.199.255  Mask:255.255.255.0
>           inet6 addr: fe80::52ff:99ff:fe30:1311/64 Scope:Link
>           UP BROADCAST MULTICAST  MTU:1500  Metric:1
>           RX packets:11288 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:25 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:2799722 (2.6 MiB)  TX bytes:3078 (3.0 KiB)
>           Interrupt:155 Base address:0x8000
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope:Host
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:1334 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:1334 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:465386 (454.4 KiB)  TX bytes:465386 (454.4 KiB)
> usb0      Link encap:Ethernet  HWaddr 02:1e:10:1f:00:00
>           inet addr:10.39.63.211  Bcast:10.39.63.215  Mask:255.255.255.248
>           inet6 addr: fe80::1e:10ff:fe1f:0/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:1049 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:973 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:67244 (65.6 KiB)  TX bytes:153707 (150.1 KiB)
> wlan0     Link encap:Ethernet  HWaddr 08:ea:40:72:28:b7
>           inet addr:192.168.126.1  Bcast:192.168.126.255  Mask:255.255.255.0
>           inet6 addr: fe80::aea:40ff:fe72:28b7/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:3229 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:0 (0.0 B)  TX bytes:112 (112.0 B)
>
> # route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 0.0.0.0         10.39.63.209    0.0.0.0         UG    0      0        0 usb0
> 10.39.63.208    0.0.0.0         255.255.255.248 U     0      0        0 usb0
> 192.168.126.0   0.0.0.0         255.255.255.0   U     0      0        0 wlan0
> 192.168.199.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 192.168.199.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
>
> # ip route show table 220
> 10.2.1.0/24 via 10.39.63.209 dev usb0  proto static  src 192.168.199.100
>
> # ip -s xfrm state
> src 10.39.63.211 dst 126.2.1.4
>     proto esp spi 0x3545bd6a(893762922) reqid 2(0x00000002) mode tunnel
>     replay-window 0 seq 0x00000000 flag af-unspec (0x00100000)
>     auth-trunc hmac(sha1) 0xaeb85f4b30fec0ccc1240cf9f6204a74e1785df5 (160 bits) 96
>     enc cbc(aes) 0xa0711780a30caaad143960ede951ef46 (128 bits)
>     encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
>     lifetime config:
>       limit: soft (INF)(bytes), hard (INF)(bytes)
>       limit: soft (INF)(packets), hard (INF)(packets)
>       expire add: soft 3501(sec), hard 3960(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2018-03-12 18:15:52 use -
>     stats:
>       replay-window 0 replay 0 failed 0
> src 126.2.1.4 dst 10.39.63.211
>     proto esp spi 0xcc621d5e(3428982110) reqid 2(0x00000002) mode tunnel
>     replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
>     auth-trunc hmac(sha1) 0xbe6d3dc8b3c032f0059ece1a0234cbd87858d25e (160 bits) 96
>     enc cbc(aes) 0x7d99b233194ab31328cec11ea2ce7aa1 (128 bits)
>     encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
>     lifetime config:
>       limit: soft (INF)(bytes), hard (INF)(bytes)
>       limit: soft (INF)(packets), hard (INF)(packets)
>       expire add: soft 3596(sec), hard 3960(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2018-03-12 18:15:52 use -
>     stats:
>       replay-window 0 replay 0 failed 0
> root at wheezy-armel:~ 18:34:25
> # ping -i 192.168.199.100 10.2.1.60
> PING 10.2.1.60 (10.2.1.60) 56(84) bytes of data.
> ^C
> --- 10.2.1.60 ping statistics ---
> 1 packets transmitted, 0 received, 100% packet loss, time 0ms
>
> # ip -s xfrm state
> src 10.39.63.211 dst 126.2.1.4
>     proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
>     replay-window 0 seq 0x00000003 flag  (0x00000000)
>     sel src 192.168.199.100/32 dst 10.2.1.60/32 proto udp sport 48645 dport 1025 uid 0
>     lifetime config:
>       limit: soft (INF)(bytes), hard (INF)(bytes)
>       limit: soft (INF)(packets), hard (INF)(packets)
>       expire add: soft 0(sec), hard 165(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2018-03-12 18:34:35 use -
>     stats:
>       replay-window 0 replay 0 failed 0
> src 10.39.63.211 dst 126.2.1.4
>     proto esp spi 0x3545bd6a(893762922) reqid 2(0x00000002) mode tunnel
>     replay-window 0 seq 0x00000000 flag af-unspec (0x00100000)
>     auth-trunc hmac(sha1) 0xaeb85f4b30fec0ccc1240cf9f6204a74e1785df5 (160 bits) 96
>     enc cbc(aes) 0xa0711780a30caaad143960ede951ef46 (128 bits)
>     encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
>     lifetime config:
>       limit: soft (INF)(bytes), hard (INF)(bytes)
>       limit: soft (INF)(packets), hard (INF)(packets)
>       expire add: soft 3501(sec), hard 3960(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2018-03-12 18:15:52 use -
>     stats:
>       replay-window 0 replay 0 failed 0
> src 126.2.1.4 dst 10.39.63.211
>     proto esp spi 0xcc621d5e(3428982110) reqid 2(0x00000002) mode tunnel
>     replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
>     auth-trunc hmac(sha1) 0xbe6d3dc8b3c032f0059ece1a0234cbd87858d25e (160 bits) 96
>     enc cbc(aes) 0x7d99b233194ab31328cec11ea2ce7aa1 (128 bits)
>     encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
>     lifetime config:
>       limit: soft (INF)(bytes), hard (INF)(bytes)
>       limit: soft (INF)(packets), hard (INF)(packets)
>       expire add: soft 3596(sec), hard 3960(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2018-03-12 18:15:52 use -
>     stats:
>       replay-window 0 replay 0 failed 0
> root at wheezy-armel:~ 18:34:37
> # ip -s xfrm policy
> src 10.2.1.211/32 dst 10.2.1.0/24 uid 0
>     dir out action allow index 105 priority 371327 share any flag  (0x00000000)
>     lifetime config:
>       limit: soft (INF)(bytes), hard (INF)(bytes)
>       limit: soft (INF)(packets), hard (INF)(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2018-03-12 18:15:52 use -
>     tmpl src 10.39.63.211 dst 126.2.1.4
>         proto esp spi 0x3545bd6a(893762922) reqid 2(0x00000002) mode tunnel
>         level required share any
>         enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
> src 10.2.1.0/24 dst 10.2.1.211/32 uid 0
>     dir fwd action allow index 98 priority 371327 share any flag  (0x00000000)
>     lifetime config:
>       limit: soft (INF)(bytes), hard (INF)(bytes)
>       limit: soft (INF)(packets), hard (INF)(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2018-03-12 18:15:52 use -
>     tmpl src 126.2.1.4 dst 10.39.63.211
>         proto esp spi 0x00000000(0) reqid 2(0x00000002) mode tunnel
>         level required share any
>         enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
> src 10.2.1.0/24 dst 10.2.1.211/32 uid 0
>     dir in action allow index 88 priority 371327 share any flag  (0x00000000)
>     lifetime config:
>       limit: soft (INF)(bytes), hard (INF)(bytes)
>       limit: soft (INF)(packets), hard (INF)(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2018-03-12 18:15:52 use -
>     tmpl src 126.2.1.4 dst 10.39.63.211
>         proto esp spi 0x00000000(0) reqid 2(0x00000002) mode tunnel
>         level required share any
>         enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
> src 192.168.199.0/24 dst 10.2.1.0/24 uid 0
>     dir out action allow index 81 priority 375424 share any flag  (0x00000000)
>     lifetime config:
>       limit: soft (INF)(bytes), hard (INF)(bytes)
>       limit: soft (INF)(packets), hard (INF)(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2018-03-12 18:15:48 use -
>     tmpl src 10.39.63.211 dst 126.2.1.4
>         proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
>         level required share any
>         enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
> src 10.2.1.0/24 dst 192.168.199.0/24 uid 0
>     dir fwd action allow index 74 priority 375424 share any flag  (0x00000000)
>     lifetime config:
>       limit: soft (INF)(bytes), hard (INF)(bytes)
>       limit: soft (INF)(packets), hard (INF)(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2018-03-12 18:15:48 use -
>     tmpl src 126.2.1.4 dst 10.39.63.211
>         proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
>         level required share any
>         enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
> src 10.2.1.0/24 dst 192.168.199.0/24 uid 0
>     dir in action allow index 64 priority 375424 share any flag  (0x00000000)
>     lifetime config:
>       limit: soft (INF)(bytes), hard (INF)(bytes)
>       limit: soft (INF)(packets), hard (INF)(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2018-03-12 18:15:48 use -
>     tmpl src 126.2.1.4 dst 10.39.63.211
>         proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
>         level required share any
>         enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>     socket in action allow index 59 priority 0 share any flag  (0x00000000)
>     lifetime config:
>       limit: soft 0(bytes), hard 0(bytes)
>       limit: soft 0(packets), hard 0(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2018-03-12 18:15:44 use 2018-03-12 18:34:33
> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>     socket out action allow index 52 priority 0 share any flag  (0x00000000)
>     lifetime config:
>       limit: soft 0(bytes), hard 0(bytes)
>       limit: soft 0(packets), hard 0(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2018-03-12 18:15:44 use 2018-03-12 18:34:28
> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>     socket in action allow index 43 priority 0 share any flag  (0x00000000)
>     lifetime config:
>       limit: soft 0(bytes), hard 0(bytes)
>       limit: soft 0(packets), hard 0(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2018-03-12 18:15:44 use 2018-03-12 18:34:39
> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>     socket out action allow index 36 priority 0 share any flag  (0x00000000)
>     lifetime config:
>       limit: soft 0(bytes), hard 0(bytes)
>       limit: soft 0(packets), hard 0(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2018-03-12 18:15:44 use 2018-03-12 18:34:39
> src ::/0 dst ::/0 uid 0
>     socket in action allow index 27 priority 0 share any flag  (0x00000000)
>     lifetime config:
>       limit: soft 0(bytes), hard 0(bytes)
>       limit: soft 0(packets), hard 0(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2018-03-12 18:15:44 use -
> src ::/0 dst ::/0 uid 0
>     socket out action allow index 20 priority 0 share any flag  (0x00000000)
>     lifetime config:
>       limit: soft 0(bytes), hard 0(bytes)
>       limit: soft 0(packets), hard 0(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2018-03-12 18:15:44 use -
> src ::/0 dst ::/0 uid 0
>     socket in action allow index 11 priority 0 share any flag  (0x00000000)
>     lifetime config:
>       limit: soft 0(bytes), hard 0(bytes)
>       limit: soft 0(packets), hard 0(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2018-03-12 18:15:44 use -
> src ::/0 dst ::/0 uid 0
>     socket out action allow index 4 priority 0 share any flag  (0x00000000)
>     lifetime config:
>       limit: soft 0(bytes), hard 0(bytes)
>       limit: soft 0(packets), hard 0(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2018-03-12 18:15:44 use -
>
>
> Thanks
>
> George
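The `ip -s xfrm policy` and `ip -s xfrm state` dumps quoted above contain everything needed to check offline which outbound policy a given flow hits and whether an SA exists for it. The Python script below is an added example, not code from the thread or from strongSwan; it parses constructed excerpts modelled on the quoted dumps and reports, for a src/dst pair, the winning `dir out` policy (lowest priority value among matching selectors, which is how the kernel orders them), its template's reqid, and whether a non-larval state (SPI != 0) exists for that reqid.

```python
"""Offline check of a flow against an XFRM policy/state dump (added example)."""
import ipaddress
import re

# Constructed excerpt modelled on the `ip -s xfrm policy` output quoted in the
# thread; only the selector, direction/priority and template lines are kept.
POLICY_DUMP = """\
src 10.2.1.211/32 dst 10.2.1.0/24 uid 0
    dir out action allow index 105 priority 371327 share any flag  (0x00000000)
    tmpl src 10.39.63.211 dst 126.2.1.4
        proto esp spi 0x3545bd6a(893762922) reqid 2(0x00000002) mode tunnel
src 192.168.199.0/24 dst 10.2.1.0/24 uid 0
    dir out action allow index 81 priority 375424 share any flag  (0x00000000)
    tmpl src 10.39.63.211 dst 126.2.1.4
        proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
    socket out action allow index 52 priority 0 share any flag  (0x00000000)
"""

# Constructed excerpt modelled on the `ip -s xfrm state` output taken after the
# ping. SPI 0 plus a `sel` line is a larval state created by an acquire: a policy
# matched the packet but the kernel holds no SA for that reqid yet.
STATE_DUMP = """\
src 10.39.63.211 dst 126.2.1.4
    proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
    sel src 192.168.199.100/32 dst 10.2.1.60/32 proto udp sport 48645 dport 1025 uid 0
src 10.39.63.211 dst 126.2.1.4
    proto esp spi 0x3545bd6a(893762922) reqid 2(0x00000002) mode tunnel
src 126.2.1.4 dst 10.39.63.211
    proto esp spi 0xcc621d5e(3428982110) reqid 2(0x00000002) mode tunnel
"""

SEL_RE = re.compile(r"^src (\S+) dst (\S+)")
DIR_RE = re.compile(r"^\s+(dir|socket) (\w+) action (\w+) .*priority (\d+)")
SPI_RE = re.compile(r"^\s+proto esp spi 0x([0-9a-f]+)\(\d+\) reqid (\d+)")


def parse_policies(dump):
    """One dict per policy: selector networks, kind, direction, priority, template reqid."""
    policies = []
    for line in dump.splitlines():
        if m := SEL_RE.match(line):
            policies.append({"src": ipaddress.ip_network(m[1], strict=False),
                             "dst": ipaddress.ip_network(m[2], strict=False),
                             "kind": None, "dir": None, "priority": None, "reqid": None})
        elif (m := DIR_RE.match(line)) and policies:
            policies[-1].update(kind=m[1], dir=m[2], priority=int(m[4]))
        elif (m := SPI_RE.match(line)) and policies:
            policies[-1]["reqid"] = int(m[2])   # from the tmpl block
    return policies


def parse_states(dump):
    """Map reqid -> set of SPIs seen for it; SPI 0 marks a larval (acquire) entry."""
    states = {}
    for line in dump.splitlines():
        if m := SPI_RE.match(line):
            states.setdefault(int(m[2]), set()).add(int(m[1], 16))
    return states


def match_flow(policies, states, src, dst):
    """Pick the `dir out` policy the kernel uses for src->dst (lowest priority value
    among matching selectors) and check whether its reqid has a real SA."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [p for p in policies if p["kind"] == "dir" and p["dir"] == "out"
            and src in p["src"] and dst in p["dst"]]
    if not hits:
        return {"policy": None, "reqid": None, "sa_installed": False, "larval": False}
    best = min(hits, key=lambda p: p["priority"])
    spis = states.get(best["reqid"], set())
    return {"policy": f"{best['src']} -> {best['dst']}", "reqid": best["reqid"],
            "sa_installed": any(spi != 0 for spi in spis), "larval": 0 in spis}


if __name__ == "__main__":
    pols, sts = parse_policies(POLICY_DUMP), parse_states(STATE_DUMP)
    # The ping was sourced from 192.168.199.100; 10.2.1.211 is the virtual IP the
    # established child (reqid 2) covers, so the two sources land on different policies.
    for s in ("192.168.199.100", "10.2.1.211"):
        print(s, "-> 10.2.1.60:", match_flow(pols, sts, s, "10.2.1.60"))
```

Run against a live box, the same logic applies to the full output of `ip -s xfrm policy` and `ip -s xfrm state`; a result with `sa_installed` false and `larval` true means the packet matched a trap policy whose SA was never negotiated.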