[strongSwan] Forecast plugin config breaks client to client pings
Gmail
alanrevans at gmail.com
Fri Feb 1 17:45:14 CET 2019
Hello strongSwaners,
I've been wrestling with this problem for a couple of days without any success:
Test setup:

RW#1 ------ [VPN G/W] ----- PC (on LAN) (10.6.0.3)
(10.6.0.1)      |
                |
RW#2 -----------|
(10.6.0.1)
Initially all nodes can ping each other.
I then enable and configure the forecast plugin using the documentation
as a guide: https://wiki.strongswan.org/projects/strongswan/wiki/Forecast
Now all nodes receive multicasts from each other.
However, the RWs can no longer ping each other. They can ping the PC on the
LAN but not each other.
I've tried using iptables NFLOG to figure out where the packet is
dropped, but it seems to just disappear without a trace.
I can see that the incoming ESP packet gets decrypted to a ping, which
then goes through MANGLE PREROUTING and NAT PREROUTING and then
disappears; it doesn't hit MANGLE FORWARD.
Any thoughts would be gratefully received.
Thanks in Advance
Alan
[root at 1d-sgw etc]# ipsec statusall
Status of IKE charon daemon (strongSwan 5.5.0, Linux
3.10.0-327.10.1.el7.x86_64, x86_64):
uptime: 2 hours, since Feb 01 13:48:35 2019
malloc: sbrk 1351680, mmap 0, used 423328, free 928352
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 6
loaded plugins: charon aes des sha1 sha2 md4 md5 random nonce x509
revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem fips-prf gmp
xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown
eap-identity eap-sim eap-aka eap-mschapv2 eap-radius xauth-generic farp
forecast
Virtual IP pools (size/online/offline):
10.6.0.0/24: 254/2/0
Listening IP addresses:
10.137.113.67
Connections:
Android_StrongSwan: %any...%any IKEv2, dpddelay=30s
Android_StrongSwan: local: [xxxxxxx] uses public key authentication
Android_StrongSwan: cert: xxxxxxx
Android_StrongSwan: remote: uses EAP_MSCHAPV2 authentication with EAP
identity '%any'
Android_StrongSwan: child: 10.0.0.0/8 224.0.0.0/4 === dynamic
224.0.0.0/4 10.6.255.255/32 TUNNEL, dpdaction=clear
Security Associations (2 up, 0 connecting):
Android_StrongSwan[4]: ESTABLISHED 2 hours ago,
xxxxxxx[xxxxxxxx]...xxxxxxx[alan_Android_StrongSwan]
Android_StrongSwan[4]: IKEv2 SPIs: e86a19200e9b0792_i
5d260560b4c74201_r*, public key reauthentication in 21 hours
Android_StrongSwan[4]: IKE proposal:
AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Android_StrongSwan{8}: INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs:
ce322aac_i dcd48d20_o
Android_StrongSwan{8}: AES_CBC_128/HMAC_SHA1_96, 199 bytes_i (3 pkts,
38s ago), 2574 bytes_o (28 pkts, 36s ago), rekeying in 47 hours
Android_StrongSwan{8}: 10.0.0.0/8 224.0.0.0/4 === 10.6.0.2/32
10.6.255.255/32 224.0.0.0/4
Android_StrongSwan[3]: ESTABLISHED 2 hours ago,
xxxxxxx[xxxxxx]...xxxxxxx[htc_Android_StrongSwan]
Android_StrongSwan[3]: IKEv2 SPIs: 20cf1bf797beb866_i
757fbb68067afa96_r*, public key reauthentication in 21 hours
Android_StrongSwan[3]: IKE proposal:
AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Android_StrongSwan{7}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs:
c3d0ca86_i a4b6ecef_o
Android_StrongSwan{7}: AES_CBC_128/HMAC_SHA1_96, 274 bytes_i (4 pkts,
82s ago), 3479 bytes_o (40 pkts, 36s ago), rekeying in 47 hours
Android_StrongSwan{7}: 10.0.0.0/8 224.0.0.0/4 === 10.6.0.1/32
10.6.255.255/32 224.0.0.0/4
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
        strictcrlpolicy=no
        charondebug = "ike 3, cfg 3, knl 1,net 3"
        uniqueids = yes

conn %default
        ikelifetime=1d
        keylife=2d
        rekeymargin=5m
        keyingtries=1
        keyexchange=ikev2
        forceencaps=yes
        dpdaction=clear
        dpddelay=30
        dpdtimeout=180
        ike=aes128-sha256-modp1536,aes128-sha1-modp1024,3des-sha1-modp1024,aes128-aesxcbc-modp1024,aes128-md5-modp1024,aes256-sha256-modp2048!
        esp=aes128-sha256-modp1536,aes128-sha1-modp1024,aes128-sha1,3des-sha1-modp1024,aes128-aesxcbc-modp1024,aes128-md5-modp1024,aes256-sha256-modp2048!
        auto=add

conn Android_StrongSwan
        left=%defaultroute
        leftcert=xxxxxxx
        leftauth=pubkey
        leftid=@xxxxxxx
        leftfirewall=yes
        right=%any
        rightauth=eap-mschapv2
        rightsubnet=%dynamic,224.0.0.0/4,10.6.255.255
        leftsubnet=10.0.0.0/8,224.0.0.0/4
        rightsourceip=10.6.0.0/24
        mark=%unique
        eap_identity=%any
        auto=add
[root at 1d-sgw etc]# ip -s xfrm policy
src 224.0.0.0/4 dst 224.0.0.0/4 uid 0
dir fwd action allow index 8274 priority 197952 ptype main
share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2019-02-01 16:08:57 use -
mark 2/0xffffffff
tmpl src 86.171.168.37 dst 159.8.210.250
proto esp spi 0x00000000(0) reqid 2(0x00000002) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 224.0.0.0/4 dst 224.0.0.0/4 uid 0
dir in action allow index 8264 priority 197952 ptype main share
any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2019-02-01 16:08:57 use -
mark 2/0xffffffff
tmpl src 86.171.168.37 dst 159.8.210.250
proto esp spi 0x00000000(0) reqid 2(0x00000002) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 224.0.0.0/4 dst 224.0.0.0/4 uid 0
dir out action allow index 8257 priority 197952 ptype main
share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2019-02-01 16:08:57 use -
mark 2/0xffffffff
tmpl src 159.8.210.250 dst 86.171.168.37
proto esp spi 0x00000000(0) reqid 2(0x00000002) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 224.0.0.0/4 dst 10.6.255.255/32 uid 0
dir fwd action allow index 8250 priority 290784 ptype main
share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2019-02-01 16:08:57 use -
mark 2/0xffffffff
src 10.6.255.255/32 dst 224.0.0.0/4 uid 0
dir fwd action allow index 8242 priority 190784 ptype main
share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2019-02-01 16:08:57 use -
mark 2/0xffffffff
tmpl src 86.171.168.37 dst 159.8.210.250
proto esp spi 0x00000000(0) reqid 2(0x00000002) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.6.255.255/32 dst 224.0.0.0/4 uid 0
dir in action allow index 8232 priority 190784 ptype main share
any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2019-02-01 16:08:57 use -
mark 2/0xffffffff
tmpl src 86.171.168.37 dst 159.8.210.250
proto esp spi 0x00000000(0) reqid 2(0x00000002) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 224.0.0.0/4 dst 10.6.255.255/32 uid 0
dir out action allow index 8225 priority 190784 ptype main
share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2019-02-01 16:08:57 use -
mark 2/0xffffffff
tmpl src 159.8.210.250 dst 86.171.168.37
proto esp spi 0x00000000(0) reqid 2(0x00000002) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 224.0.0.0/4 dst 10.6.0.2/32 uid 0
dir fwd action allow index 8218 priority 290784 ptype main
share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2019-02-01 16:08:57 use -
mark 2/0xffffffff
src 10.6.0.2/32 dst 224.0.0.0/4 uid 0
dir fwd action allow index 8210 priority 190784 ptype main
share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2019-02-01 16:08:57 use -
mark 2/0xffffffff
tmpl src 86.171.168.37 dst 159.8.210.250
proto esp spi 0x00000000(0) reqid 2(0x00000002) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.6.0.2/32 dst 224.0.0.0/4 uid 0
dir in action allow index 8200 priority 190784 ptype main share
any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2019-02-01 16:08:57 use 2019-02-01 16:19:29
mark 2/0xffffffff
tmpl src 86.171.168.37 dst 159.8.210.250
proto esp spi 0x00000000(0) reqid 2(0x00000002) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 224.0.0.0/4 dst 10.6.0.2/32 uid 0
dir out action allow index 8193 priority 190784 ptype main
share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2019-02-01 16:08:57 use -
mark 2/0xffffffff
tmpl src 159.8.210.250 dst 86.171.168.37
proto esp spi 0x00000000(0) reqid 2(0x00000002) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.0.0.0/8 dst 224.0.0.0/4 uid 0
dir fwd action allow index 8186 priority 296928 ptype main
share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2019-02-01 16:08:57 use -
mark 2/0xffffffff
src 224.0.0.0/4 dst 10.0.0.0/8 uid 0
dir fwd action allow index 8178 priority 196928 ptype main
share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2019-02-01 16:08:57 use -
mark 2/0xffffffff
tmpl src 86.171.168.37 dst 159.8.210.250
proto esp spi 0x00000000(0) reqid 2(0x00000002) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 224.0.0.0/4 dst 10.0.0.0/8 uid 0
dir in action allow index 8168 priority 196928 ptype main share
any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2019-02-01 16:08:57 use -
mark 2/0xffffffff
tmpl src 86.171.168.37 dst 159.8.210.250
proto esp spi 0x00000000(0) reqid 2(0x00000002) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.0.0.0/8 dst 224.0.0.0/4 uid 0
dir out action allow index 8161 priority 196928 ptype main
share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2019-02-01 16:08:57 use 2019-02-01 16:22:06
mark 2/0xffffffff
tmpl src 159.8.210.250 dst 86.171.168.37
proto esp spi 0x00000000(0) reqid 2(0x00000002) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.0.0.0/8 dst 10.6.255.255/32 uid 0
dir fwd action allow index 8154 priority 289760 ptype main
share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2019-02-01 16:08:57 use -
mark 2/0xffffffff
src 10.6.255.255/32 dst 10.0.0.0/8 uid 0
dir fwd action allow index 8146 priority 189760 ptype main
share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2019-02-01 16:08:57 use -
mark 2/0xffffffff
tmpl src 86.171.168.37 dst 159.8.210.250
proto esp spi 0x00000000(0) reqid 2(0x00000002) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.6.255.255/32 dst 10.0.0.0/8 uid 0
dir in action allow index 8136 priority 189760 ptype main share
any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2019-02-01 16:08:57 use -
mark 2/0xffffffff
tmpl src 86.171.168.37 dst 159.8.210.250
proto esp spi 0x00000000(0) reqid 2(0x00000002) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.0.0.0/8 dst 10.6.255.255/32 uid 0
dir out action allow index 8129 priority 189760 ptype main
share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2019-02-01 16:08:57 use -
mark 2/0xffffffff
tmpl src 159.8.210.250 dst 86.171.168.37
proto esp spi 0x00000000(0) reqid 2(0x00000002) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.0.0.0/8 dst 10.6.0.2/32 uid 0
dir fwd action allow index 8290 priority 289760 ptype main
share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2019-02-01 16:08:57 use 2019-02-01 16:15:04
mark 2/0xffffffff
src 10.6.0.2/32 dst 10.0.0.0/8 uid 0
dir fwd action allow index 8114 priority 189760 ptype main
share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2019-02-01 16:08:57 use 2019-02-01 16:15:04
mark 2/0xffffffff
tmpl src 86.171.168.37 dst 159.8.210.250
proto esp spi 0x00000000(0) reqid 2(0x00000002) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.6.0.2/32 dst 10.0.0.0/8 uid 0
dir in action allow index 8104 priority 189760 ptype main share
any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2019-02-01 16:08:57 use -
mark 2/0xffffffff
tmpl src 86.171.168.37 dst 159.8.210.250
proto esp spi 0x00000000(0) reqid 2(0x00000002) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.0.0.0/8 dst 10.6.0.2/32 uid 0
dir out action allow index 8097 priority 189760 ptype main
share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2019-02-01 16:08:57 use 2019-02-01 16:15:04
mark 2/0xffffffff
tmpl src 159.8.210.250 dst 86.171.168.37
proto esp spi 0x00000000(0) reqid 2(0x00000002) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 224.0.0.0/4 dst 224.0.0.0/4 uid 0
dir fwd action allow index 8090 priority 197952 ptype main
share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2019-02-01 16:06:31 use -
mark 1/0xffffffff
tmpl src 86.171.168.37 dst 159.8.210.250
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 224.0.0.0/4 dst 224.0.0.0/4 uid 0
dir in action allow index 8080 priority 197952 ptype main share
any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2019-02-01 16:06:31 use -
mark 1/0xffffffff
tmpl src 86.171.168.37 dst 159.8.210.250
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 224.0.0.0/4 dst 224.0.0.0/4 uid 0
dir out action allow index 8073 priority 197952 ptype main
share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2019-02-01 16:06:31 use -
mark 1/0xffffffff
tmpl src 159.8.210.250 dst 86.171.168.37
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 224.0.0.0/4 dst 10.6.255.255/32 uid 0
dir fwd action allow index 8066 priority 290784 ptype main
share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2019-02-01 16:06:31 use -
mark 1/0xffffffff
src 10.6.255.255/32 dst 224.0.0.0/4 uid 0
dir fwd action allow index 8058 priority 190784 ptype main
share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2019-02-01 16:06:31 use -
mark 1/0xffffffff
tmpl src 86.171.168.37 dst 159.8.210.250
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.6.255.255/32 dst 224.0.0.0/4 uid 0
dir in action allow index 8048 priority 190784 ptype main share
any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2019-02-01 16:06:31 use -
mark 1/0xffffffff
tmpl src 86.171.168.37 dst 159.8.210.250
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 224.0.0.0/4 dst 10.6.255.255/32 uid 0
dir out action allow index 8041 priority 190784 ptype main
share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2019-02-01 16:06:31 use -
mark 1/0xffffffff
tmpl src 159.8.210.250 dst 86.171.168.37
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 224.0.0.0/4 dst 10.6.0.1/32 uid 0
dir fwd action allow index 8034 priority 290784 ptype main
share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2019-02-01 16:06:31 use -
mark 1/0xffffffff
src 10.6.0.1/32 dst 224.0.0.0/4 uid 0
dir fwd action allow index 8026 priority 190784 ptype main
share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2019-02-01 16:06:31 use -
mark 1/0xffffffff
tmpl src 86.171.168.37 dst 159.8.210.250
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.6.0.1/32 dst 224.0.0.0/4 uid 0
dir in action allow index 8016 priority 190784 ptype main share
any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2019-02-01 16:06:31 use -
mark 1/0xffffffff
tmpl src 86.171.168.37 dst 159.8.210.250
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 224.0.0.0/4 dst 10.6.0.1/32 uid 0
dir out action allow index 8009 priority 190784 ptype main
share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2019-02-01 16:06:31 use -
mark 1/0xffffffff
tmpl src 159.8.210.250 dst 86.171.168.37
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.0.0.0/8 dst 224.0.0.0/4 uid 0
dir fwd action allow index 8002 priority 296928 ptype main
share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2019-02-01 16:06:31 use -
mark 1/0xffffffff
src 224.0.0.0/4 dst 10.0.0.0/8 uid 0
dir fwd action allow index 7994 priority 196928 ptype main
share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2019-02-01 16:06:31 use -
mark 1/0xffffffff
tmpl src 86.171.168.37 dst 159.8.210.250
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 224.0.0.0/4 dst 10.0.0.0/8 uid 0
dir in action allow index 7984 priority 196928 ptype main share
any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2019-02-01 16:06:31 use -
mark 1/0xffffffff
tmpl src 86.171.168.37 dst 159.8.210.250
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.0.0.0/8 dst 224.0.0.0/4 uid 0
dir out action allow index 7977 priority 196928 ptype main
share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2019-02-01 16:06:31 use 2019-02-01 16:22:06
mark 1/0xffffffff
tmpl src 159.8.210.250 dst 86.171.168.37
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.0.0.0/8 dst 10.6.255.255/32 uid 0
dir fwd action allow index 7970 priority 289760 ptype main
share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2019-02-01 16:06:31 use -
mark 1/0xffffffff
src 10.6.255.255/32 dst 10.0.0.0/8 uid 0
dir fwd action allow index 7962 priority 189760 ptype main
share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2019-02-01 16:06:31 use -
mark 1/0xffffffff
tmpl src 86.171.168.37 dst 159.8.210.250
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.6.255.255/32 dst 10.0.0.0/8 uid 0
dir in action allow index 7952 priority 189760 ptype main share
any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2019-02-01 16:06:31 use -
mark 1/0xffffffff
tmpl src 86.171.168.37 dst 159.8.210.250
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.0.0.0/8 dst 10.6.255.255/32 uid 0
dir out action allow index 7945 priority 189760 ptype main
share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2019-02-01 16:06:31 use -
mark 1/0xffffffff
tmpl src 159.8.210.250 dst 86.171.168.37
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.0.0.0/8 dst 10.6.0.1/32 uid 0
dir fwd action allow index 7938 priority 289760 ptype main
share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2019-02-01 16:06:31 use 2019-02-01 16:14:20
mark 1/0xffffffff
src 10.6.0.1/32 dst 10.0.0.0/8 uid 0
dir fwd action allow index 7930 priority 189760 ptype main
share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2019-02-01 16:06:31 use 2019-02-01 16:14:20
mark 1/0xffffffff
tmpl src 86.171.168.37 dst 159.8.210.250
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.6.0.1/32 dst 10.0.0.0/8 uid 0
dir in action allow index 7920 priority 189760 ptype main share
any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2019-02-01 16:06:31 use -
mark 1/0xffffffff
tmpl src 86.171.168.37 dst 159.8.210.250
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.0.0.0/8 dst 10.6.0.1/32 uid 0
dir out action allow index 7913 priority 189760 ptype main
share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2019-02-01 16:06:31 use 2019-02-01 16:14:20
mark 1/0xffffffff
tmpl src 159.8.210.250 dst 86.171.168.37
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
[root at 1d-sgw etc]# iptables -t mangle -L -v -n -Z
Chain PREROUTING (policy ACCEPT 219 packets, 12945 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       all  --  *      *       0.0.0.0/0            10.6.255.255         MARK set 0x2
    1   227 MARK       all  --  *      *       0.0.0.0/0            10.6.0.2             MARK set 0x2
    3   368 MARK       udp  --  *      *       86.171.168.37        159.8.210.250        udp spt:44801 dpt:4500 MARK set 0x2
    0     0 MARK       all  --  *      *       0.0.0.0/0            10.6.255.255         MARK set 0x1
    0     0 MARK       all  --  *      *       0.0.0.0/0            10.6.0.1             MARK set 0x1
    3   336 MARK       udp  --  *      *       86.171.168.37        159.8.210.250        udp spt:47585 dpt:4500 MARK set 0x1
    1    65 NFLOG      all  --  *      *       10.6.0.0/16          0.0.0.0/0            nflog-group 5
    0     0 MARK       all  --  *      *       10.6.0.1             10.6.0.2             MARK set 0x2

Chain INPUT (policy ACCEPT 209 packets, 12013 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 2 packets, 292 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 240 packets, 19594 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       all  --  *      *       0.0.0.0/0            10.6.255.255         MARK set 0x2
    0     0 MARK       all  --  *      *       0.0.0.0/0            10.6.0.2             MARK set 0x2
    0     0 MARK       all  --  *      *       0.0.0.0/0            10.6.255.255         MARK set 0x1
    0     0 MARK       all  --  *      *       0.0.0.0/0            10.6.0.1             MARK set 0x1

Chain POSTROUTING (policy ACCEPT 242 packets, 19886 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root at 1d-sgw etc]# iptables -L -v -n -Z
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth1   *       224.0.0.0/4          224.0.0.0/4          policy match dir in pol ipsec reqid 2 proto 50
    0     0 ACCEPT     all  --  *      eth1    224.0.0.0/4          224.0.0.0/4          policy match dir out pol ipsec reqid 2 proto 50
    0     0 ACCEPT     all  --  eth1   *       10.6.255.255         224.0.0.0/4          policy match dir in pol ipsec reqid 2 proto 50
    0     0 ACCEPT     all  --  *      eth1    224.0.0.0/4          10.6.255.255         policy match dir out pol ipsec reqid 2 proto 50
    0     0 ACCEPT     all  --  eth1   *       10.6.0.2             224.0.0.0/4          policy match dir in pol ipsec reqid 2 proto 50
    0     0 ACCEPT     all  --  *      eth1    224.0.0.0/4          10.6.0.2             policy match dir out pol ipsec reqid 2 proto 50
    0     0 ACCEPT     all  --  eth1   *       224.0.0.0/4          10.0.0.0/8           policy match dir in pol ipsec reqid 2 proto 50
    0     0 ACCEPT     all  --  *      eth1    10.0.0.0/8           224.0.0.0/4          policy match dir out pol ipsec reqid 2 proto 50
    0     0 ACCEPT     all  --  eth1   *       10.6.255.255         10.0.0.0/8           policy match dir in pol ipsec reqid 2 proto 50
    0     0 ACCEPT     all  --  *      eth1    10.0.0.0/8           10.6.255.255         policy match dir out pol ipsec reqid 2 proto 50
    5   333 ACCEPT     all  --  eth1   *       10.6.0.2             10.0.0.0/8           policy match dir in pol ipsec reqid 2 proto 50
    5   495 ACCEPT     all  --  *      eth1    10.0.0.0/8           10.6.0.2             policy match dir out pol ipsec reqid 2 proto 50
    0     0 ACCEPT     all  --  eth1   *       224.0.0.0/4          224.0.0.0/4          policy match dir in pol ipsec reqid 1 proto 50
    0     0 ACCEPT     all  --  *      eth1    224.0.0.0/4          224.0.0.0/4          policy match dir out pol ipsec reqid 1 proto 50
    0     0 ACCEPT     all  --  eth1   *       10.6.255.255         224.0.0.0/4          policy match dir in pol ipsec reqid 1 proto 50
    0     0 ACCEPT     all  --  *      eth1    224.0.0.0/4          10.6.255.255         policy match dir out pol ipsec reqid 1 proto 50
    0     0 ACCEPT     all  --  eth1   *       10.6.0.1             224.0.0.0/4          policy match dir in pol ipsec reqid 1 proto 50
    0     0 ACCEPT     all  --  *      eth1    224.0.0.0/4          10.6.0.1             policy match dir out pol ipsec reqid 1 proto 50
    0     0 ACCEPT     all  --  eth1   *       224.0.0.0/4          10.0.0.0/8           policy match dir in pol ipsec reqid 1 proto 50
    0     0 ACCEPT     all  --  *      eth1    10.0.0.0/8           224.0.0.0/4          policy match dir out pol ipsec reqid 1 proto 50
    0     0 ACCEPT     all  --  eth1   *       10.6.255.255         10.0.0.0/8           policy match dir in pol ipsec reqid 1 proto 50
    0     0 ACCEPT     all  --  *      eth1    10.0.0.0/8           10.6.255.255         policy match dir out pol ipsec reqid 1 proto 50
    1    84 ACCEPT     all  --  eth1   *       10.6.0.1             10.0.0.0/8           policy match dir in pol ipsec reqid 1 proto 50
    1    84 ACCEPT     all  --  *      eth1    10.0.0.0/8           10.6.0.1             policy match dir out pol ipsec reqid 1 proto 50
    0     0 ACCEPT     all  --  eth1   *       10.0.101.0/24        0.0.0.0/0
    0     0 ACCEPT     all  --  eth1   *       10.0.102.0/24        0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth1   *       10.0.103.0/24        0.0.0.0/0
    0     0 LOGGING    all  --  *      *       0.0.0.0/0            0.0.0.0/0
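To make the xfrm dump above easier to reason about, here is an added example (written for this page, not taken from Alan's post or from strongSwan) that parses the text output of `ip -s xfrm policy` and reports, for a packet with a given source, destination, direction and fwmark, which policies would match and in which order. The sample dump is a constructed subset of the policies listed above, and the main() call traces the RW#1 to RW#2 ping assuming it carries the mark 1 that the PREROUTING MARK rule sets on RW#1's ESP-in-UDP flow.

```python
"""Which XFRM policies would match a given packet? Added helper, not from the
post and not part of strongSwan: it parses `ip -s xfrm policy` text output and
applies the kernel's selector, direction and mark matching rules."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a subset of the policies pasted in the post (mark 1 is
# RW#1 / 10.6.0.1, mark 2 is RW#2 / 10.6.0.2). Lifetime blocks are omitted;
# the first record keeps the email line wrapping seen in the post.
SAMPLE_DUMP = """\
src 10.0.0.0/8 dst 10.6.0.2/32 uid 0
    dir fwd action allow index 8290 priority 289760 ptype main
    share any flag (0x00000000)
    mark 2/0xffffffff
src 10.0.0.0/8 dst 10.6.0.2/32 uid 0
    dir out action allow index 8097 priority 189760 ptype main share any
    mark 2/0xffffffff
    tmpl src 159.8.210.250 dst 86.171.168.37
        proto esp spi 0x00000000(0) reqid 2(0x00000002) mode tunnel
src 10.6.0.1/32 dst 10.0.0.0/8 uid 0
    dir fwd action allow index 7930 priority 189760 ptype main share any
    mark 1/0xffffffff
    tmpl src 86.171.168.37 dst 159.8.210.250
        proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
src 10.0.0.0/8 dst 10.6.0.1/32 uid 0
    dir out action allow index 7913 priority 189760 ptype main share any
    mark 1/0xffffffff
    tmpl src 159.8.210.250 dst 86.171.168.37
        proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
"""

HEAD_RE = re.compile(r"^src (\S+) dst (\S+)")
DIR_RE = re.compile(r"\bdir (in|out|fwd)\b")
PRIO_RE = re.compile(r"\bpriority (\d+)")
MARK_RE = re.compile(r"\bmark (\w+)/(\w+)")
REQID_RE = re.compile(r"\breqid (\d+)")


@dataclass
class XfrmPolicy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str          # in, out or fwd
    priority: int           # lower value is consulted first
    mark: int
    mask: int               # 0 means the policy ignores the packet mark
    reqid: Optional[int]    # None when there is no template (traffic allowed in clear)


def parse_xfrm_policy(text):
    """One policy per 'src ... dst ...' header; wrapped lines are re-joined."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if HEAD_RE.match(line):
            records.append([line])
        elif records and line:
            records[-1].append(line)
    policies = []
    for lines in records:
        blob = " ".join(lines)
        head, mark, reqid = HEAD_RE.match(blob), MARK_RE.search(blob), REQID_RE.search(blob)
        policies.append(XfrmPolicy(
            src=ipaddress.ip_network(head.group(1), strict=False),
            dst=ipaddress.ip_network(head.group(2), strict=False),
            direction=DIR_RE.search(blob).group(1),
            priority=int(PRIO_RE.search(blob).group(1)),
            mark=int(mark.group(1), 0) if mark else 0,
            mask=int(mark.group(2), 0) if mark else 0,
            reqid=int(reqid.group(1)) if reqid else None,
        ))
    return policies


def matching_policies(policies, src, dst, direction, mark=0):
    """Policies the kernel would consider, best first: the selector contains
    src and dst, the direction agrees and (mark & mask) == (policy mark & mask)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [p for p in policies
            if p.direction == direction and s in p.src and d in p.dst
            and (mark & p.mask) == (p.mark & p.mask)]
    return sorted(hits, key=lambda p: p.priority)


def trace_forward_path(policies, src, dst, mark):
    """(fwd, out) policy a decrypted, forwarded packet would hit; None = no match."""
    fwd = matching_policies(policies, src, dst, "fwd", mark)
    out = matching_policies(policies, src, dst, "out", mark)
    return (fwd[0] if fwd else None, out[0] if out else None)


def label(p):
    if p is None:
        return "no policy"
    return "bypass (no template)" if p.reqid is None else f"reqid {p.reqid}"


if __name__ == "__main__":
    pols = parse_xfrm_policy(SAMPLE_DUMP)
    # The RW#1 -> RW#2 ping from the post, once with the mark 1 that the
    # PREROUTING rule sets on RW#1's ESP-in-UDP flow, once with mark 2.
    for m in (1, 2):
        fwd, out = trace_forward_path(pols, "10.6.0.1", "10.6.0.2", m)
        print(f"mark {m}: fwd -> {label(fwd)}; out -> {label(out)}")
```

Run it against the full dump by feeding the output of `ip -s xfrm policy` to parse_xfrm_policy; the result lists, per direction, which mark a packet must carry for a policy with a template to apply.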