[strongSwan] One to Many VPN (Host-Host)
Info
infosec at quantum-equities.com
Mon Mar 19 01:08:40 CET 2018
On the phone in the Android app:
Server: quantum-equities.com
VPN Type: IKE2 certificate
User certificate: mars2
User ID: default (CN=mars.darkmatter.org,O=Quantum,C=US)
CA Cert: Select automatically
Profile name: cygnus
Advanced|Server ID: quantum-equities.com
Block IPV6 traffic not destined for the VPN.
The CA cert is in CA Certs under Imported.
The phone's key and cert are in the VPN definition, and current IP is
192.0.0.4 -- Idk why it's showing connecting from 172.56.42.34, that
must be TMobile jazz. It also has an IPV6 IP but I have IPV6 turned off
in the LAN with sysctl.
In the IPSec gateway I don't have anything in the Shorewall firewall set
for device ipsec0; I've read that the kernel is definitely no longer
supposed to generate that... but I always have it when the daemon is
running. Doesn't make sense.
On 03/18/2018 04:52 PM, Info wrote:
> This post is formatted as per here
> <https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests>.
>
> I'm using the bare minimum swanctl.conf and I've regenerated all my
> keys and certs again. For the IPSec gateway, which is a virtual
> machine in the LAN DNATted to by the LAN gateway, I've made its cert
> with --san quantum-equities.com,cygnus.darkmatter.org, because the LAN
> gateway is known outside as quantum-equities.com and the IPSec gateway
> is known in the LAN as cygnus.darkmatter.org. My assumption is it has
> to be resolvable in both worlds.
>
> I also tried to set --dn "C=US, O=Quantum,
> CN=quantum-equities.com,cygnus.darkmatter.org" -- but strongswan pki
> wasn't having it so I had to settle for just quantum-equities.com.
>
> For the phone's key and cert, when it is the initiator, I know of no
> way it can prove it is mars.darkmatter.org, other than what the cert
> says. It could be at any IP so I don't see how it can prove its
> identity? The IPSec gateway resolves to quantum-equities.com so it
> can prove its identity.
>
> Also I would like to set the phone and other remotes to 'initiate
> only' but there doesn't seem to be a way in the Android app. And for
> other remote machines there no longer seems to be that option.
>
> Log levels are as per instructions and charon.log is attached.
>
> strongswan.conf
> charon {
> load_modular = yes
> plugins {
> include strongswan.d/charon/*.conf
> }
> }
>
> include strongswan.d/*.conf
>
>
> swanctl.conf
> ikev2-pubkey {
> version = 2
> rekey_time = 0s
> local {
> cert = cygnus-Cert.pem
> id = cygnus.darkmatter.org
> }
> remote {
> # defaults are fine.
> }
> children {
> ikev2-pubkey {
> local_ts = 192.168.1.0/24
> mode = transport
> }
> }
> }
>
>
> charon.conf
> charon {
>
> # two defined file loggers
> filelog {
> /var/log/charon.log {
> time_format = %a, %Y-%m-%d %R
> ike_name = yes
> append = no
> default = 2
> flush_line = yes
> }
> stderr {
> mgr = 0
> net = 1
> enc = 1
> asn = 1
> job = 1
> knl = 1
> }
> }
>
>
> # swanctl -L
> # swanctl -l
> (no response, for some reason)
>
> # systemctl status strongswan-swanctl
> ● strongswan-swanctl.service - strongSwan IPsec IKEv1/IKEv2 daemon
> using swanctl
> Loaded: loaded (/usr/lib/systemd/system/strongswan-swanctl.service;
> enabled; vendor preset: disabled)
> Active: active (running) since Sun 2018-03-18 12:14:37 PDT; 3h
> 58min ago
> Process: 59439 ExecStartPost=/usr/sbin/swanctl --load-all --noprompt
> (code=exited, status=0/SUCCESS)
> Main PID: 59419 (charon-systemd)
> Status: "charon-systemd running, strongSwan 5.5.3, Linux
> 4.13.0-1.el7.elrepo.x86_64, x86_64"
> CGroup: /system.slice/strongswan-swanctl.service
> └─59419 /usr/sbin/charon-systemd
>
> Mar 18 15:49:34 cygnus.darkmatter.org charon-systemd[59419]: received
> packet: from 172.56.42.34[45687] to 192.168.1.16[500] (704 bytes)
> Mar 18 15:49:34 cygnus.darkmatter.org charon-systemd[59419]: 10[NET]
> received packet: from 172.56.42.34[45687] to 192.168.1.16[500] (704 bytes)
> Mar 18 15:49:34 cygnus.darkmatter.org charon-systemd[59419]: parsed
> IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP)
> N(HASH_ALG) N(REDIR_SUP) ]
> Mar 18 15:49:34 cygnus.darkmatter.org charon-systemd[59419]: 10[ENC]
> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> Mar 18 15:49:34 cygnus.darkmatter.org charon-systemd[59419]: 10[IKE]
> no IKE config found for 192.168.1.16...172.56.42.34, sending
> NO_PROPOSAL_CHOSEN
> Mar 18 15:49:34 cygnus.darkmatter.org charon-systemd[59419]: 10[ENC]
> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
> Mar 18 15:49:34 cygnus.darkmatter.org charon-systemd[59419]: 10[NET]
> sending packet: from 192.168.111.16[500] to 172.56.42.34[45687] (36 bytes)
> Mar 18 15:49:34 cygnus.darkmatter.org charon-systemd[59419]: no IKE
> config found for 192.168.111.16...172.56.42.34, sending NO_PROPOSAL_CHOSEN
> Mar 18 15:49:34 cygnus.darkmatter.org charon-systemd[59419]:
> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
> Mar 18 15:49:34 cygnus.darkmatter.org charon-systemd[59419]: sending
> packet: from 192.168.1.16[500] to 172.56.42.34[45687] (36 bytes)
>
>
>
> # iptables-save
> # Generated by iptables-save v1.4.21 on Sun Mar 18 16:16:59 2018
> *mangle
> :PREROUTING ACCEPT [67734:7451963]
> :INPUT ACCEPT [67734:7451963]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [53017:5165171]
> :POSTROUTING ACCEPT [53017:5165171]
> :tcfor - [0:0]
> :tcin - [0:0]
> :tcout - [0:0]
> :tcpost - [0:0]
> :tcpre - [0:0]
> -A PREROUTING -j tcpre
> -A INPUT -j tcin
> -A FORWARD -j MARK --set-xmark 0x0/0xff
> -A FORWARD -j tcfor
> -A OUTPUT -j tcout
> -A POSTROUTING -j tcpost
> COMMIT
> # Completed on Sun Mar 18 16:16:59 2018
> # Generated by iptables-save v1.4.21 on Sun Mar 18 16:16:59 2018
> *nat
> :PREROUTING ACCEPT [8165:1316953]
> :INPUT ACCEPT [32:14356]
> :OUTPUT ACCEPT [9748:486535]
> :POSTROUTING ACCEPT [4:178]
> :eth0_masq - [0:0]
> -A POSTROUTING -o eth0 -j eth0_masq
> -A eth0_masq -s 192.168.111.0/24 -m policy --dir out --pol none -j
> MASQUERADE
> COMMIT
> # Completed on Sun Mar 18 16:16:59 2018
> # Generated by iptables-save v1.4.21 on Sun Mar 18 16:16:59 2018
> *raw
> :PREROUTING ACCEPT [67734:7451963]
> :OUTPUT ACCEPT [53017:5165171]
> -A PREROUTING -p udp -m udp --dport 10080 -j CT --helper amanda
> -A PREROUTING -p tcp -m tcp --dport 21 -j CT --helper ftp
> -A PREROUTING -p udp -m udp --dport 1719 -j CT --helper RAS
> -A PREROUTING -p tcp -m tcp --dport 1720 -j CT --helper Q.931
> -A PREROUTING -p tcp -m tcp --dport 6667 -j CT --helper irc
> -A PREROUTING -p udp -m udp --dport 137 -j CT --helper netbios-ns
> -A PREROUTING -p tcp -m tcp --dport 1723 -j CT --helper pptp
> -A PREROUTING -p tcp -m tcp --dport 6566 -j CT --helper sane
> -A PREROUTING -p udp -m udp --dport 5060 -j CT --helper sip
> -A PREROUTING -p udp -m udp --dport 161 -j CT --helper snmp
> -A PREROUTING -p udp -m udp --dport 69 -j CT --helper tftp
> -A OUTPUT -p udp -m udp --dport 10080 -j CT --helper amanda
> -A OUTPUT -p tcp -m tcp --dport 21 -j CT --helper ftp
> -A OUTPUT -p udp -m udp --dport 1719 -j CT --helper RAS
> -A OUTPUT -p tcp -m tcp --dport 1720 -j CT --helper Q.931
> -A OUTPUT -p tcp -m tcp --dport 6667 -j CT --helper irc
> -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns
> -A OUTPUT -p tcp -m tcp --dport 1723 -j CT --helper pptp
> -A OUTPUT -p tcp -m tcp --dport 6566 -j CT --helper sane
> -A OUTPUT -p udp -m udp --dport 5060 -j CT --helper sip
> -A OUTPUT -p udp -m udp --dport 161 -j CT --helper snmp
> -A OUTPUT -p udp -m udp --dport 69 -j CT --helper tftp
> COMMIT
> # Completed on Sun Mar 18 16:16:59 2018
> # Generated by iptables-save v1.4.21 on Sun Mar 18 16:16:59 2018
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0]
> :Drop - [0:0]
> :Reject - [0:0]
> :^fw-net - [0:0]
> :^net-fw - [0:0]
> :dynamic - [0:0]
> :eth0_fwd - [0:0]
> :eth0_in - [0:0]
> :eth0_out - [0:0]
> :fw-net - [0:0]
> :fw-vpn - [0:0]
> :logdrop - [0:0]
> :logflags - [0:0]
> :logreject - [0:0]
> :net-fw - [0:0]
> :net-vpn - [0:0]
> :net_frwd - [0:0]
> :reject - [0:0]
> :sha-lh-0000b76ab76dee8fd100 - [0:0]
> :sha-rh-c015b4228a3ba078c43d - [0:0]
> :shorewall - [0:0]
> :tcpflags - [0:0]
> :vpn-fw - [0:0]
> :vpn-net - [0:0]
> :vpn_frwd - [0:0]
> :~log0 - [0:0]
> -A INPUT -i eth0 -j eth0_in
> -A INPUT -i lo -j ACCEPT
> -A INPUT -j Reject
> -A INPUT -j LOG --log-prefix "Shorewall:INPUT:REJECT:" --log-level 6
> --log-uid
> -A INPUT -g reject
> -A FORWARD -i eth0 -j eth0_fwd
> -A FORWARD -j Reject
> -A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:REJECT:" --log-level
> 6 --log-uid
> -A FORWARD -g reject
> -A OUTPUT -o eth0 -j eth0_out
> -A OUTPUT -o lo -j ACCEPT
> -A OUTPUT -j Reject
> -A OUTPUT -j LOG --log-prefix "Shorewall:OUTPUT:REJECT:" --log-level 6
> --log-uid
> -A OUTPUT -g reject
> -A Drop
> -A Drop -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed
> ICMP types" -j ACCEPT
> -A Drop -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed
> ICMP types" -j ACCEPT
> -A Drop -m addrtype --dst-type BROADCAST -j DROP
> -A Drop -m addrtype --dst-type ANYCAST -j DROP
> -A Drop -m addrtype --dst-type MULTICAST -j DROP
> -A Drop -m conntrack --ctstate INVALID -j DROP
> -A Drop -p udp -m multiport --dports 135,445 -m comment --comment SMB
> -j DROP
> -A Drop -p udp -m udp --dport 137:139 -m comment --comment SMB -j DROP
> -A Drop -p udp -m udp --sport 137 --dport 1024:65535 -m comment
> --comment SMB -j DROP
> -A Drop -p tcp -m multiport --dports 135,139,445 -m comment --comment
> SMB -j DROP
> -A Drop -p udp -m udp --dport 1900 -m comment --comment UPnP -j DROP
> -A Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
> -A Drop -p udp -m udp --sport 53 -m comment --comment "Late DNS
> Replies" -j DROP
> -A Reject
> -A Reject -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed
> ICMP types" -j ACCEPT
> -A Reject -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed
> ICMP types" -j ACCEPT
> -A Reject -m addrtype --dst-type BROADCAST -j DROP
> -A Reject -m addrtype --dst-type ANYCAST -j DROP
> -A Reject -m addrtype --dst-type MULTICAST -j DROP
> -A Reject -m conntrack --ctstate INVALID -j DROP
> -A Reject -p udp -m multiport --dports 135,445 -m comment --comment
> SMB -g reject
> -A Reject -p udp -m udp --dport 137:139 -m comment --comment SMB -g reject
> -A Reject -p udp -m udp --sport 137 --dport 1024:65535 -m comment
> --comment SMB -g reject
> -A Reject -p tcp -m multiport --dports 135,139,445 -m comment
> --comment SMB -g reject
> -A Reject -p udp -m udp --dport 1900 -m comment --comment UPnP -j DROP
> -A Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
> -A Reject -p udp -m udp --sport 53 -m comment --comment "Late DNS
> Replies" -j DROP
> -A ^fw-net -p tcp -m multiport --dports 25,110,843,8080 -m conntrack
> --ctstate ESTABLISHED -j DROP
> -A ^fw-net -j ACCEPT
> -A ^net-fw -p tcp -m multiport --sports 25,110,843,8080 -m conntrack
> --ctstate ESTABLISHED -j DROP
> -A ^net-fw -j ACCEPT
> -A eth0_fwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
> -A eth0_fwd -p tcp -m policy --dir in --pol none -j tcpflags
> -A eth0_fwd -m policy --dir in --pol ipsec --mode transport -g vpn_frwd
> -A eth0_fwd -m policy --dir in --pol none -j net_frwd
> -A eth0_in -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
> -A eth0_in -p udp -m udp --dport 67:68 -j ACCEPT
> -A eth0_in -p tcp -m policy --dir in --pol none -j tcpflags
> -A eth0_in -m policy --dir in --pol none -j net-fw
> -A eth0_in -m policy --dir in --pol ipsec --mode transport -j vpn-fw
> -A eth0_out -p udp -m udp --dport 67:68 -j ACCEPT
> -A eth0_out -m policy --dir out --pol none -j fw-net
> -A eth0_out -m policy --dir out --pol ipsec --mode transport -j fw-vpn
> -A fw-net -m conntrack --ctstate ESTABLISHED -j ^fw-net
> -A fw-net -m conntrack --ctstate RELATED -j ACCEPT
> -A fw-net -d 192.168.1.16/32 -p esp -j ACCEPT
> -A fw-net -d 192.168.1.16/32 -p udp -m udp --dport 500 -m conntrack
> --ctstate NEW,UNTRACKED -j ACCEPT
> -A fw-net -p tcp -m multiport --dports 25,110,843,8080 -g ~log0
> -A fw-net -p tcp -m multiport --dports 21,990,9418,11371,80,443 -j ACCEPT
> -A fw-net -d 192.168.1.10/32 -p udp -m multiport --dports 53,123 -j ACCEPT
> -A fw-net -d 192.168.1.41/32 -p tcp -m tcp --dport 3480 -j ACCEPT
> -A fw-net -p tcp -m multiport --dports 2222,22 -j ACCEPT
> -A fw-net -p icmp -m icmp --icmp-type 8 -j ACCEPT
> -A fw-net -j Reject
> -A fw-net -j LOG --log-prefix "Shorewall:fw-net:REJECT:" --log-level 6
> --log-uid
> -A fw-net -g reject
> -A fw-vpn -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A fw-vpn -d 192.168.1.16/32 -p udp -m udp --dport 500 -m conntrack
> --ctstate NEW,UNTRACKED -j ACCEPT
> -A fw-vpn -p icmp -m icmp --icmp-type 8 -j ACCEPT
> -A fw-vpn -j Reject
> -A fw-vpn -j LOG --log-prefix "Shorewall:fw-vpn:REJECT:" --log-level 6
> --log-uid
> -A fw-vpn -g reject
> -A logdrop -j DROP
> -A logflags -j LOG --log-prefix "Shorewall:logflags:DROP:" --log-level
> 6 --log-ip-options
> -A logflags -j DROP
> -A logreject -j reject
> -A net-fw -m conntrack --ctstate ESTABLISHED -j ^net-fw
> -A net-fw -m conntrack --ctstate RELATED -j ACCEPT
> -A net-fw -s 192.168.1.16/32 -p esp -j ACCEPT
> -A net-fw -s 192.168.1.16/32 -p udp -m udp --dport 500 -m conntrack
> --ctstate NEW,UNTRACKED -j ACCEPT
> -A net-fw -p tcp -m conntrack --ctstate INVALID -j DROP
> -A net-fw -p udp -m conntrack --ctstate INVALID -j DROP
> -A net-fw -p udp -m multiport --dports 500,4500 -j ACCEPT
> -A net-fw -s 192.168.1.2/32 -p tcp -m tcp --dport 8123 -j ACCEPT
> -A net-fw -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
> -A net-fw -p udp -m multiport --dports 500,4500,50500,54500 -j ACCEPT
> -A net-fw -s 192.168.1.4/32 -p tcp -m tcp --dport 8734 -j ACCEPT
> -A net-fw -s 192.168.1.4/32 -p icmp -m icmp --icmp-type 8 -j ACCEPT
> -A net-fw -j Drop
> -A net-fw -j LOG --log-prefix "Shorewall:net-fw:DROP:" --log-level 6
> --log-uid
> -A net-fw -j DROP
> -A net-vpn -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A net-vpn -p tcp -m conntrack --ctstate INVALID -j DROP
> -A net-vpn -p udp -m conntrack --ctstate INVALID -j DROP
> -A net-vpn -j Drop
> -A net-vpn -j LOG --log-prefix "Shorewall:net-vpn:DROP:" --log-level 6
> --log-uid
> -A net-vpn -j DROP
> -A net_frwd -o eth0 -m policy --dir out --pol ipsec --mode transport
> -j net-vpn
> -A reject -m addrtype --src-type BROADCAST -j DROP
> -A reject -s 224.0.0.0/4 -j DROP
> -A reject -p igmp -j DROP
> -A reject -p tcp -j REJECT --reject-with tcp-reset
> -A reject -p udp -j REJECT --reject-with icmp-port-unreachable
> -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
> -A reject -j REJECT --reject-with icmp-host-prohibited
> -A shorewall -m recent --set --name %CURRENTTIME --mask
> 255.255.255.255 --rsource
> -A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG
> FIN,PSH,URG -g logflags
> -A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g
> logflags
> -A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g logflags
> -A tcpflags -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -g logflags
> -A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g logflags
> -A tcpflags -p tcp -m tcp --tcp-flags FIN,PSH,ACK FIN,PSH -g logflags
> -A tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g
> logflags
> -A vpn-fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A vpn-fw -s 192.168.1.16/32 -p udp -m udp --dport 500 -m conntrack
> --ctstate NEW,UNTRACKED -j ACCEPT
> -A vpn-fw -p icmp -m icmp --icmp-type 8 -j ACCEPT
> -A vpn-fw -j Drop
> -A vpn-fw -j LOG --log-prefix "Shorewall:vpn-fw:DROP:" --log-level 6
> --log-uid
> -A vpn-fw -j DROP
> -A vpn-net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A vpn-net -j Drop
> -A vpn-net -j LOG --log-prefix "Shorewall:vpn-net:DROP:" --log-level 6
> --log-uid
> -A vpn-net -j DROP
> -A vpn_frwd -o eth0 -m policy --dir out --pol none -j vpn-net
> -A ~log0 -j LOG --log-prefix "Shorewall:fw-net:ACCEPT:" --log-level 6
> --log-uid
> -A ~log0 -j ACCEPT
> COMMIT
> # Completed on Sun Mar 18 16:16:59 2018
>
>
> # ip route show table all
> default via 192.168.1.1 dev eth0
> 169.254.0.0/16 dev eth0 scope link metric 1002
> 192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.16
> broadcast 127.0.0.0 dev lo table local proto kernel scope link src
> 127.0.0.1
> local 127.0.0.0/8 dev lo table local proto kernel scope host src
> 127.0.0.1
> local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
> broadcast 127.255.255.255 dev lo table local proto kernel scope link
> src 127.0.0.1
> broadcast 192.168.1.0 dev eth0 table local proto kernel scope link src
> 192.168.1.16
> local 192.168.1.16 dev eth0 table local proto kernel scope host src
> 192.168.1.16
> broadcast 192.168.1.255 dev eth0 table local proto kernel scope link
> src 192.168.1.16
> unreachable ::/96 dev lo metric 1024 error -113
> unreachable ::ffff:0.0.0.0/96 dev lo metric 1024 error -113
> unreachable 2002:a00::/24 dev lo metric 1024 error -113
> unreachable 2002:7f00::/24 dev lo metric 1024 error -113
> unreachable 2002:a9fe::/32 dev lo metric 1024 error -113
> unreachable 2002:ac10::/28 dev lo metric 1024 error -113
> unreachable 2002:c0a8::/32 dev lo metric 1024 error -113
> unreachable 2002:e000::/19 dev lo metric 1024 error -113
> unreachable 3ffe:ffff::/32 dev lo metric 1024 error -113
> fe80::/64 dev eth0 proto kernel metric 256
> fe80::/64 dev ipsec0 proto kernel metric 256
> local ::1 dev lo table local proto kernel metric 0
> local fe80::22e9:6b12:6b8e:b558 dev lo table local proto kernel metric 0
> local fe80::5054:ff:fec0:9330 dev lo table local proto kernel metric 0
> ff00::/8 dev eth0 table local metric 256
> ff00::/8 dev ipsec0 table local metric 256
>
>
> # ip address
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
> qlen 1000
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> valid_lft forever preferred_lft forever
> inet6 ::1/128 scope host
> valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> state UP qlen 1000
> link/ether 52:54:00:c0:23:30 brd ff:ff:ff:ff:ff:ff
> inet 192.168.1.16/24 brd 192.168.1.255 scope global eth0
> valid_lft forever preferred_lft forever
> inet6 fe80::5054:ff:fec0:9330/64 scope link
> valid_lft forever preferred_lft forever
> 24: ipsec0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 qdisc
> pfifo_fast state UNKNOWN qlen 500
> link/none
> inet6 fe80::22e9:6b12:6b8e:b558/64 scope link flags 800
> valid_lft forever preferred_lft forever
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180318/0a1a61af/attachment-0001.html>
More information about the Users
mailing list