[strongSwan] How to get StrongSwan work with IPv6?

Houman houmie at gmail.com
Sun Nov 21 13:58:34 CET 2021


Hello Noel,

Good call. I have tried it with *tcpdump icmp6*

12:51:32.014856 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 55160, length 114
12:51:32.014980 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 52502, length 111
12:51:33.015768 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 55160, length 114
12:51:33.015853 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 52502, length 111
12:51:37.230741 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 59089, length 141
12:51:37.230773 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 49622, length 153
12:51:37.230832 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 52451, length 179
12:51:37.231091 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 63183, length 141
12:51:37.231276 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 60488, length 153
12:51:37.244840 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 63401, length 179
12:51:41.217794 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 62192, length 117
12:51:41.399465 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 63183, length 141
12:51:41.399497 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 49622, length 153
12:51:41.399515 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 57891, length 179
12:51:41.399526 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 59089, length 141
12:51:41.399536 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 52451, length 179
12:51:41.399555 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 60488, length 153
12:51:42.267324 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 62192, length 117
12:51:48.624243 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 57891, length 179
12:51:48.624270 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 60718, length 153

This is strange because the firewall should be ok:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [4571:533993]
:OUTPUT ACCEPT [3620:1295287]
:OUTGOING - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p esp -m esp -j ACCEPT
-A INPUT -m ah -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -j OUTGOING
-A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
-A OUTGOING -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTGOING -m hashlimit --hashlimit-upto 5/sec --hashlimit-burst 5 --hashlimit-mode srcip,dstip --hashlimit-name NETSCANv6 --hashlimit-dstmask 64 -j ACCEPT
COMMIT

IPv6 doesn't need NAT. So what is unreachable here?

Thanks,
Houman


On Sun, 14 Nov 2021 at 23:26, Noel Kuntze
<noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:

> Hello Houman,
>
> Looks like it's time for tcpdump, wireshark, ... .
> Collect traffic dumps as shown on the wiki[1] to figure out what replies
> the peer gets and what is forwarded.
>
> Also, verify your testing method and client configuration, specifically
> iptables/ip6tables if it's Linux.
>
> Kind regards
> Noel
>
> [1]
> https://wiki.strongswan.org/projects/strongswan/wiki/CorrectTrafficDump
>
> On 12.11.21 at 08:26, Houman wrote:
> > Good morning,
> >
> > I have disabled forceencaps and enabled IPv6. I can establish a VPN
> > connection via IPv6. But no traffic goes through. IPv4 connection is
> > working.
> > I'm sharing my config below. I would really appreciate it if
> > somebody could help me with that.
> >
> > */etc/sysctl.conf*
> > net.ipv4.ip_forward = 1
> > net.ipv4.ip_no_pmtu_disc = 1
> > net.ipv4.conf.all.rp_filter = 1
> > net.ipv4.conf.all.accept_redirects = 0
> > net.ipv4.conf.all.send_redirects = 0
> > net.ipv6.conf.all.forwarding = 1
> >
> > */etc/strongswan.d/charon/socket-default.conf*
> > socket-default {
> >      load = yes
> >      use_ipv4 = yes
> >      use_ipv6 = yes
> > }
> >
> > *charon.log*
> >
> > Fri, 2021-11-12, 07:05:02 09[NET] <3> received packet: from 2a01:4b00:867c:6d00:461:484e:456f:317a[500] to 2a01:4f8:c17:1f2d:cafe::123[500] (232 bytes)
> > Fri, 2021-11-12, 07:05:02 09[ENC] <3> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
> > Fri, 2021-11-12, 07:05:02 09[CFG] <3> looking for an IKEv2 config for 2a01:4f8:c17:1f2d:cafe::123...2a01:4b00:867c:6d00:461:484e:456f:317a
> > Fri, 2021-11-12, 07:05:02 09[CFG] <3> candidate: %any...%any, prio 28
> > Fri, 2021-11-12, 07:05:02 09[CFG] <3> found matching ike config: %any...%any with prio 28
> > Fri, 2021-11-12, 07:05:02 09[IKE] <3> local endpoint changed from 0.0.0.0[500] to 2a01:4f8:c17:1f2d:cafe::123[500]
> > Fri, 2021-11-12, 07:05:02 09[IKE] <3> remote endpoint changed from 0.0.0.0 to 2a01:4b00:867c:6d00:461:484e:456f:317a[500]
> > Fri, 2021-11-12, 07:05:02 09[IKE] <3> 2a01:4b00:867c:6d00:461:484e:456f:317a is initiating an IKE_SA
> > Fri, 2021-11-12, 07:05:02 09[IKE] <3> IKE_SA (unnamed)[3] state change: CREATED => CONNECTING
> > Fri, 2021-11-12, 07:05:02 09[CFG] <3> selecting proposal:
> > Fri, 2021-11-12, 07:05:02 09[CFG] <3> proposal matches
> > Fri, 2021-11-12, 07:05:02 09[CFG] <3> received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256
> > Fri, 2021-11-12, 07:05:02 09[CFG] <3> configured proposals: IKE:AES_GCM_16_256/AES_GCM_16_192/AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_521/ECP_256/MODP_4096/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521/ECP_256/MODP_4096/MODP_2048
> > Fri, 2021-11-12, 07:05:02 09[CFG] <3> selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256
> > Fri, 2021-11-12, 07:05:02 09[IKE] <3> sending cert request for "C=US, O=Let's Encrypt, CN=R3"
> > Fri, 2021-11-12, 07:05:02 09[ENC] <3> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
> > Fri, 2021-11-12, 07:05:02 09[NET] <3> sending packet: from 2a01:4f8:c17:1f2d:cafe::123[500] to 2a01:4b00:867c:6d00:461:484e:456f:317a[500] (281 bytes)
> >
> > Fri, 2021-11-12, 07:05:02 12[NET] <3> received packet: from 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] to 2a01:4f8:c17:1f2d:cafe::123[4500] (352 bytes)
> > Fri, 2021-11-12, 07:05:02 12[ENC] <3> unknown attribute type INTERNAL_DNS_DOMAIN
> > Fri, 2021-11-12, 07:05:02 12[ENC] <3> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) N(EAP_ONLY) ]
> > Fri, 2021-11-12, 07:05:02 12[IKE] <3> local endpoint changed from 2a01:4f8:c17:1f2d:cafe::123[500] to 2a01:4f8:c17:1f2d:cafe::123[4500]
> > Fri, 2021-11-12, 07:05:02 12[IKE] <3> remote endpoint changed from 2a01:4b00:867c:6d00:461:484e:456f:317a[500] to 2a01:4b00:867c:6d00:461:484e:456f:317a[4500]
> > Fri, 2021-11-12, 07:05:02 12[CFG] <3> looking for peer configs matching 2a01:4f8:c17:1f2d:cafe::123[de-test-1.mydomain.net]...2a01:4b00:867c:6d00:461:484e:456f:317a[mydomain VPN]
> > Fri, 2021-11-12, 07:05:02 12[CFG] <3> candidate "TEST-1", match: 20/1/28 (me/other/ike)
> > Fri, 2021-11-12, 07:05:02 12[CFG] <TEST-1|3> selected peer config 'TEST-1'
> > Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> initiating EAP_IDENTITY method (id 0x00)
> > Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> processing INTERNAL_IP4_ADDRESS attribute
> > Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> processing INTERNAL_IP4_NETMASK attribute
> > Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> processing INTERNAL_IP4_DHCP attribute
> > Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> processing INTERNAL_IP4_DNS attribute
> > Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> processing INTERNAL_IP6_ADDRESS attribute
> > Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> processing INTERNAL_IP6_DHCP attribute
> > Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> processing INTERNAL_IP6_DNS attribute
> > Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> processing INTERNAL_DNS_DOMAIN attribute
> > Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> > Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> peer supports MOBIKE
> > Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> authentication of 'de-test-1.mydomain.net' (myself) with RSA signature successful
> > Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> sending end entity cert "CN=de-test-1.mydomain.net"
> > Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> sending issuer cert "C=US, O=Let's Encrypt, CN=R3"
> > Fri, 2021-11-12, 07:05:02 12[ENC] <TEST-1|3> generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
> > Fri, 2021-11-12, 07:05:02 12[ENC] <TEST-1|3> splitting IKE message (3004 bytes) into 3 fragments
> > Fri, 2021-11-12, 07:05:02 12[ENC] <TEST-1|3> generating IKE_AUTH response 1 [ EF(1/3) ]
> > Fri, 2021-11-12, 07:05:02 12[ENC] <TEST-1|3> generating IKE_AUTH response 1 [ EF(2/3) ]
> > Fri, 2021-11-12, 07:05:02 12[ENC] <TEST-1|3> generating IKE_AUTH response 1 [ EF(3/3) ]
> > Fri, 2021-11-12, 07:05:02 12[NET] <TEST-1|3> sending packet: from 2a01:4f8:c17:1f2d:cafe::123[4500] to 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] (1228 bytes)
> > Fri, 2021-11-12, 07:05:02 12[NET] <TEST-1|3> sending packet: from 2a01:4f8:c17:1f2d:cafe::123[4500] to 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] (1228 bytes)
> > Fri, 2021-11-12, 07:05:02 12[NET] <TEST-1|3> sending packet: from 2a01:4f8:c17:1f2d:cafe::123[4500] to 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] (674 bytes)
> >
> > Fri, 2021-11-12, 07:05:02 11[NET] <TEST-1|3> received packet: from 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] to 2a01:4f8:c17:1f2d:cafe::123[4500] (104 bytes)
> > Fri, 2021-11-12, 07:05:02 11[ENC] <TEST-1|3> parsed IKE_AUTH request 2 [ EAP/RES/ID ]
> > Fri, 2021-11-12, 07:05:02 11[IKE] <TEST-1|3> received EAP identity 'ceec523e-6059-4cba-b6e4-a1fd2eb0a469'
> > Fri, 2021-11-12, 07:05:02 11[CFG] <TEST-1|3> RADIUS server 'server-a' is candidate: 210
> > Fri, 2021-11-12, 07:05:02 11[CFG] <TEST-1|3> sending RADIUS Access-Request to server 'server-a'
> > Fri, 2021-11-12, 07:05:02 11[CFG] <TEST-1|3> received RADIUS Access-Challenge from server 'server-a'
> > Fri, 2021-11-12, 07:05:02 11[IKE] <TEST-1|3> initiating EAP_MD5 method (id 0x01)
> > Fri, 2021-11-12, 07:05:02 11[ENC] <TEST-1|3> generating IKE_AUTH response 2 [ EAP/REQ/MD5 ]
> > Fri, 2021-11-12, 07:05:02 11[NET] <TEST-1|3> sending packet: from 2a01:4f8:c17:1f2d:cafe::123[4500] to 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] (83 bytes)
> > Fri, 2021-11-12, 07:05:02 13[NET] <TEST-1|3> received packet: from 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] to 2a01:4f8:c17:1f2d:cafe::123[4500] (72 bytes)
> > Fri, 2021-11-12, 07:05:02 13[ENC] <TEST-1|3> parsed IKE_AUTH request 3 [ EAP/RES/NAK ]
> > Fri, 2021-11-12, 07:05:02 13[CFG] <TEST-1|3> sending RADIUS Access-Request to server 'server-a'
> > Fri, 2021-11-12, 07:05:02 13[CFG] <TEST-1|3> received RADIUS Access-Challenge from server 'server-a'
> > Fri, 2021-11-12, 07:05:02 13[ENC] <TEST-1|3> generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
> > Fri, 2021-11-12, 07:05:02 13[NET] <TEST-1|3> sending packet: from 2a01:4f8:c17:1f2d:cafe::123[4500] to 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] (104 bytes)
> > Fri, 2021-11-12, 07:05:02 14[NET] <TEST-1|3> received packet: from 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] to 2a01:4f8:c17:1f2d:cafe::123[4500] (160 bytes)
> > Fri, 2021-11-12, 07:05:02 14[ENC] <TEST-1|3> parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
> > Fri, 2021-11-12, 07:05:02 14[CFG] <TEST-1|3> sending RADIUS Access-Request to server 'server-a'
> > Fri, 2021-11-12, 07:05:02 14[CFG] <TEST-1|3> received RADIUS Access-Challenge from server 'server-a'
> > Fri, 2021-11-12, 07:05:02 14[ENC] <TEST-1|3> generating IKE_AUTH response 4 [ EAP/REQ/MSCHAPV2 ]
> > Fri, 2021-11-12, 07:05:02 14[NET] <TEST-1|3> sending packet: from 2a01:4f8:c17:1f2d:cafe::123[4500] to 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] (112 bytes)
> > Fri, 2021-11-12, 07:05:02 15[NET] <TEST-1|3> received packet: from 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] to 2a01:4f8:c17:1f2d:cafe::123[4500] (72 bytes)
> > Fri, 2021-11-12, 07:05:02 15[ENC] <TEST-1|3> parsed IKE_AUTH request 5 [ EAP/RES/MSCHAPV2 ]
> > Fri, 2021-11-12, 07:05:02 15[CFG] <TEST-1|3> sending RADIUS Access-Request to server 'server-a'
> > Fri, 2021-11-12, 07:05:02 15[CFG] <TEST-1|3> received RADIUS Access-Accept from server 'server-a'
> > Fri, 2021-11-12, 07:05:02 15[CFG] <TEST-1|3> scheduling RADIUS Interim-Updates every 300s
> > Fri, 2021-11-12, 07:05:02 15[IKE] <TEST-1|3> RADIUS authentication of 'ceec523e-6059-4cba-b6e4-a1fd2eb0a469' successful
> > Fri, 2021-11-12, 07:05:02 15[IKE] <TEST-1|3> EAP method EAP_MSCHAPV2 succeeded, MSK established
> > Fri, 2021-11-12, 07:05:02 15[ENC] <TEST-1|3> generating IKE_AUTH response 5 [ EAP/SUCC ]
> > Fri, 2021-11-12, 07:05:02 15[NET] <TEST-1|3> sending packet: from 2a01:4f8:c17:1f2d:cafe::123[4500] to 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] (65 bytes)
> > Fri, 2021-11-12, 07:05:02 06[NET] <TEST-1|3> received packet: from 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] to 2a01:4f8:c17:1f2d:cafe::123[4500] (104 bytes)
> > Fri, 2021-11-12, 07:05:02 06[ENC] <TEST-1|3> parsed IKE_AUTH request 6 [ AUTH ]
> > Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> authentication of 'mydomain VPN' with EAP successful
> >
> > Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> authentication of 'de-test-1.mydomain.net' (myself) with EAP
> > Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> IKE_SA TEST-1[3] established between 2a01:4f8:c17:1f2d:cafe::123[de-test-1.mydomain.net]...2a01:4b00:867c:6d00:461:484e:456f:317a[mydomain VPN]
> > Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> IKE_SA TEST-1[3] state change: CONNECTING => ESTABLISHED
> > Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> peer requested virtual IP %any
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> reassigning offline lease to 'ceec523e-6059-4cba-b6e4-a1fd2eb0a469'
> > Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> assigning virtual IP 10.10.10.0 to peer 'ceec523e-6059-4cba-b6e4-a1fd2eb0a469'
> > Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> peer requested virtual IP %any6
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> reassigning offline lease to 'ceec523e-6059-4cba-b6e4-a1fd2eb0a469'
> > Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> assigning virtual IP 2a01:4f8:c17:1f2d::1 to peer 'ceec523e-6059-4cba-b6e4-a1fd2eb0a469'
> > Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> building INTERNAL_IP4_DNS attribute
> > Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> building INTERNAL_IP6_DNS attribute
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> looking for a child config for 0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> proposing traffic selectors for us:
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> 0.0.0.0/0
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> ::/0
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> proposing traffic selectors for other:
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> 10.10.10.0/32
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> 2a01:4f8:c17:1f2d::1/128
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> candidate "TEST-1" with prio 15+3
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> found matching child config "TEST-1" with prio 18
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> selecting proposal:
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> proposal matches
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> received proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> configured proposals: ESP:AES_GCM_16_256/AES_GCM_16_192/AES_GCM_16_128/ECP_521/ECP_256/MODP_4096/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA1_96/ECP_521/ECP_256/MODP_4096/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA1_96/NO_EXT_SEQ
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
> > Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> got SPI c1e8e177
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> selecting traffic selectors for us:
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> config: 0.0.0.0/0, received: 0.0.0.0/0 => match: 0.0.0.0/0
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> config: 0.0.0.0/0, received: ::/0 => no match
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> config: ::/0, received: 0.0.0.0/0 => no match
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> config: ::/0, received: ::/0 => match: ::/0
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> selecting traffic selectors for other:
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> config: 10.10.10.0/32, received: 0.0.0.0/0 => match: 10.10.10.0/32
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> config: 10.10.10.0/32, received: ::/0 => no match
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> config: 2a01:4f8:c17:1f2d::1/128, received: 0.0.0.0/0 => no match
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> config: 2a01:4f8:c17:1f2d::1/128, received: ::/0 => match: 2a01:4f8:c17:1f2d::1/128
> >
> > Fri, 2021-11-12, 07:05:02 06[CHD] <TEST-1|3> CHILD_SA TEST-1{2} state change: CREATED => INSTALLING
> > Fri, 2021-11-12, 07:05:02 06[CHD] <TEST-1|3> using AES_GCM_16 for encryption
> > Fri, 2021-11-12, 07:05:02 06[CHD] <TEST-1|3> adding inbound ESP SA
> > Fri, 2021-11-12, 07:05:02 06[CHD] <TEST-1|3> SPI 0xc1e8e177, src 2a01:4b00:867c:6d00:461:484e:456f:317a dst 2a01:4f8:c17:1f2d:cafe::123
> > Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> adding SAD entry with SPI c1e8e177 and reqid {1}
> > Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> using encryption algorithm AES_GCM_16 with key size 288
> > Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> using replay window of 32 packets
> > Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> HW offload: no
> > Fri, 2021-11-12, 07:05:02 06[CHD] <TEST-1|3> adding outbound ESP SA
> > Fri, 2021-11-12, 07:05:02 06[CHD] <TEST-1|3> SPI 0x01fb3039, src 2a01:4f8:c17:1f2d:cafe::123 dst 2a01:4b00:867c:6d00:461:484e:456f:317a
> > Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> adding SAD entry with SPI 01fb3039 and reqid {1}
> > Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> using encryption algorithm AES_GCM_16 with key size 288
> > Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> using replay window of 0 packets
> > Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> HW offload: no
> > Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> adding policy 10.10.10.0/32 === 0.0.0.0/0 in [priority 383615, refcount 1]
> > Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> adding policy 10.10.10.0/32 === 0.0.0.0/0 fwd [priority 383615, refcount 1]
> > Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> adding policy 0.0.0.0/0 === 10.10.10.0/32 out [priority 383615, refcount 1]
> > Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> adding policy 2a01:4f8:c17:1f2d::1/128 === ::/0 in [priority 334463, refcount 1]
> > Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> adding policy 2a01:4f8:c17:1f2d::1/128 === ::/0 fwd [priority 334463, refcount 1]
> > Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> adding policy ::/0 === 2a01:4f8:c17:1f2d::1/128 out [priority 334463, refcount 1]
> > Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> CHILD_SA TEST-1{2} established with SPIs c1e8e177_i 01fb3039_o and TS 0.0.0.0/0 ::/0 === 10.10.10.0/32 2a01:4f8:c17:1f2d::1/128
> > Fri, 2021-11-12, 07:05:02 06[CHD] <TEST-1|3> CHILD_SA TEST-1{2} state change: INSTALLING => INSTALLED
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> RADIUS server 'server-a' is candidate: 210
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> sending RADIUS Accounting-Request to server 'server-a'
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> received RADIUS Accounting-Response from server 'server-a'
> > Fri, 2021-11-12, 07:05:02 06[ENC] <TEST-1|3> generating IKE_AUTH response 6 [ AUTH CPRP(ADDR ADDR6 DNS DNS6) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
> > Fri, 2021-11-12, 07:05:02 06[NET] <TEST-1|3> sending packet: from 2a01:4f8:c17:1f2d:cafe::123[4500] to 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] (394 bytes)
> >
> > Fri, 2021-11-12, 07:05:34 05[CFG] vici client 974 connected
> > Fri, 2021-11-12, 07:05:34 12[CFG] vici client 974 registered for: list-sa
> > Fri, 2021-11-12, 07:05:34 05[CFG] vici client 974 requests: list-sas
> > Fri, 2021-11-12, 07:05:34 05[KNL] <TEST-1|3> querying SAD entry with SPI c1e8e177
> > Fri, 2021-11-12, 07:05:34 05[KNL] <TEST-1|3> querying policy 10.10.10.0/32 === 0.0.0.0/0 in
> > Fri, 2021-11-12, 07:05:34 05[KNL] <TEST-1|3> querying policy 10.10.10.0/32 === 0.0.0.0/0 fwd
> > Fri, 2021-11-12, 07:05:34 05[KNL] <TEST-1|3> querying policy 2a01:4f8:c17:1f2d::1/128 === ::/0 in
> > Fri, 2021-11-12, 07:05:34 05[KNL] <TEST-1|3> querying policy 2a01:4f8:c17:1f2d::1/128 === ::/0 fwd
> > Fri, 2021-11-12, 07:05:34 05[KNL] <TEST-1|3> querying SAD entry with SPI 01fb3039
> > Fri, 2021-11-12, 07:05:34 09[CFG] vici client 974 disconnected
> > Fri, 2021-11-12, 07:06:14 13[CFG] vici client 975 connected
> > Fri, 2021-11-12, 07:06:14 16[CFG] vici client 975 registered for: list-sa
> > Fri, 2021-11-12, 07:06:14 13[CFG] vici client 975 requests: list-sas
> > Fri, 2021-11-12, 07:06:14 13[KNL] <TEST-1|3> querying SAD entry with SPI c1e8e177
> > Fri, 2021-11-12, 07:06:14 13[KNL] <TEST-1|3> querying policy 10.10.10.0/32 === 0.0.0.0/0 in
> > Fri, 2021-11-12, 07:06:14 13[KNL] <TEST-1|3> querying policy 10.10.10.0/32 === 0.0.0.0/0 fwd
> > Fri, 2021-11-12, 07:06:14 13[KNL] <TEST-1|3> querying policy 2a01:4f8:c17:1f2d::1/128 === ::/0 in
> > Fri, 2021-11-12, 07:06:14 13[KNL] <TEST-1|3> querying policy 2a01:4f8:c17:1f2d::1/128 === ::/0 fwd
> > Fri, 2021-11-12, 07:06:14 13[KNL] <TEST-1|3> querying SAD entry with SPI 01fb3039
> > Fri, 2021-11-12, 07:06:14 06[CFG] vici client 975 disconnected
> > Fri, 2021-11-12, 07:06:54 05[CFG] vici client 976 connected
> > Fri, 2021-11-12, 07:06:54 12[CFG] vici client 976 registered for: list-sa
> > Fri, 2021-11-12, 07:06:54 05[CFG] vici client 976 requests: list-sas
> > Fri, 2021-11-12, 07:06:54 05[KNL] <TEST-1|3> querying SAD entry with SPI c1e8e177
> > Fri, 2021-11-12, 07:06:54 05[KNL] <TEST-1|3> querying policy 10.10.10.0/32 === 0.0.0.0/0 in
> > Fri, 2021-11-12, 07:06:54 05[KNL] <TEST-1|3> querying policy 10.10.10.0/32 === 0.0.0.0/0 fwd
> > Fri, 2021-11-12, 07:06:54 05[KNL] <TEST-1|3> querying policy 2a01:4f8:c17:1f2d::1/128 === ::/0 in
> > Fri, 2021-11-12, 07:06:54 05[KNL] <TEST-1|3> querying policy 2a01:4f8:c17:1f2d::1/128 === ::/0 fwd
> > Fri, 2021-11-12, 07:06:54 05[KNL] <TEST-1|3> querying SAD entry with SPI 01fb3039
> > Fri, 2021-11-12, 07:06:54 09[CFG] vici client 976 disconnected
> > Fri, 2021-11-12, 07:07:34 13[CFG] vici client 977 connected
> > Fri, 2021-11-12, 07:07:34 16[CFG] vici client 977 registered for: list-sa
> > Fri, 2021-11-12, 07:07:34 13[CFG] vici client 977 requests: list-sas
> > Fri, 2021-11-12, 07:07:34 13[KNL] <TEST-1|3> querying SAD entry with SPI c1e8e177
> > Fri, 2021-11-12, 07:07:34 13[KNL] <TEST-1|3> querying policy 10.10.10.0/32 === 0.0.0.0/0 in
> > Fri, 2021-11-12, 07:07:34 13[KNL] <TEST-1|3> querying policy 10.10.10.0/32 === 0.0.0.0/0 fwd
> > Fri, 2021-11-12, 07:07:34 13[KNL] <TEST-1|3> querying policy 2a01:4f8:c17:1f2d::1/128 === ::/0 in
> > Fri, 2021-11-12, 07:07:34 13[KNL] <TEST-1|3> querying policy 2a01:4f8:c17:1f2d::1/128 === ::/0 fwd
> > Fri, 2021-11-12, 07:07:34 13[KNL] <TEST-1|3> querying SAD entry with SPI 01fb3039
> > Fri, 2021-11-12, 07:07:34 06[CFG] vici client 977 disconnected
> > Fri, 2021-11-12, 07:08:14 05[CFG] vici client 978 connected
> > Fri, 2021-11-12, 07:08:14 12[CFG] vici client 978 registered for: list-sa
> > Fri, 2021-11-12, 07:08:14 05[CFG] vici client 978 requests: list-sas
> > Fri, 2021-11-12, 07:08:14 05[KNL] <TEST-1|3> querying SAD entry with SPI c1e8e177
> > Fri, 2021-11-12, 07:08:14 05[KNL] <TEST-1|3> querying policy 10.10.10.0/32 === 0.0.0.0/0 in
> > Fri, 2021-11-12, 07:08:14 05[KNL] <TEST-1|3> querying policy 10.10.10.0/32 === 0.0.0.0/0 fwd
> > Fri, 2021-11-12, 07:08:14 05[KNL] <TEST-1|3> querying policy 2a01:4f8:c17:1f2d::1/128 === ::/0 in
> > Fri, 2021-11-12, 07:08:14 05[KNL] <TEST-1|3> querying policy 2a01:4f8:c17:1f2d::1/128 === ::/0 fwd
> > Fri, 2021-11-12, 07:08:14 05[KNL] <TEST-1|3> querying SAD entry with SPI 01fb3039
> > Fri, 2021-11-12, 07:08:14 09[CFG] vici client 978 disconnected
> >
> >
> > *ipsec.conf*
> >
> > config setup
> >     strictcrlpolicy=yes
> >     uniqueids=never
> >
> > conn TEST-1
> >     auto=add
> >     compress=no
> >     type=tunnel
> >     keyexchange=ikev2
> >     fragmentation=yes
> >     forceencaps=no
> >     ike=aes256gcm16-aes192gcm16-aes128gcm16-prfsha256-ecp521-ecp256-modp4096-modp2048, aes256-sha256-ecp521-ecp256-modp4096-modp2048!
> >     esp=aes256gcm16-aes192gcm16-aes128gcm16-ecp521-ecp256-modp4096-modp2048, aes256-sha256-sha1-ecp521-ecp256-modp4096-modp2048, aes256-sha256-sha1!
> >     dpdaction=clear
> >     dpddelay=2400s
> >     dpdtimeout=3600s
> >     rekey=no
> >     left=%any
> >     leftid=@de-test-1.mydomain.net
> >     leftcert=cert.pem
> >     leftsendcert=always
> >     leftsubnet=0.0.0.0/0, ::/0
> >     right=%any
> >     rightid=%any
> >     rightauth=eap-radius
> >     eap_identity=%any
> >     rightdns=1.1.1.1,2606:4700:4700::1111
> >     rightsourceip=10.10.10.0/17,2a01:4f8:c17:1f2d::/64
> >     leftfirewall=no
> >
> >
> > *sudo systemctl status strongswan-starter*
> > ● strongswan-starter.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
> >       Loaded: loaded (/lib/systemd/system/strongswan-starter.service; enabled; vendor preset: enabled)
> >       Active: active (running) since Thu 2021-11-11 20:16:27 UTC; 11h ago
> >     Main PID: 905 (starter)
> >        Tasks: 18 (limit: 2276)
> >       Memory: 11.3M
> >          CPU: 685ms
> >       CGroup: /system.slice/strongswan-starter.service
> >               ├─905 /usr/libexec/ipsec/starter --daemon charon --nofork
> >               └─918 /usr/libexec/ipsec/charon
> > Nov 11 20:16:27 de-test-1 systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.
> > Nov 11 20:16:27 de-test-1 ipsec[905]: Starting strongSwan 5.9.4 IPsec [starter]...
> > Nov 11 20:16:27 de-test-1 ipsec_starter[905]: Starting strongSwan 5.9.4 IPsec [starter]...
> > Nov 11 20:16:29 de-test-1 ipsec[905]: charon (918) started after 1620 ms
> > Nov 11 20:16:29 de-test-1 ipsec_starter[905]: charon (918) started after 1620 ms
> >
> > *ip6tables-save*
> > *filter
> > :INPUT DROP [0:0]
> > :FORWARD DROP [176:15578]
> > :OUTPUT ACCEPT [2539:673098]
> > :OUTGOING - [0:0]
> > -A INPUT -i lo -j ACCEPT
> > -A INPUT -p ipv6-icmp -j ACCEPT
> > -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> > -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
> > -A INPUT -p tcp -m tcp --dport 275 -j ACCEPT
> > -A INPUT -p udp -m udp --dport 500 -j ACCEPT
> > -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
> > -A INPUT -p esp -m esp -j ACCEPT
> > -A INPUT -m ah -j ACCEPT
> > -A FORWARD -m policy --dir in --pol ipsec -j OUTGOING
> > -A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
> > -A OUTGOING -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> > -A OUTGOING -m hashlimit --hashlimit-upto 5/sec --hashlimit-burst 5 --hashlimit-mode srcip,dstip --hashlimit-name NETSCANv6 --hashlimit-dstmask 64 -j ACCEPT
> > COMMIT
> > # Completed on Fri Nov 12 07:18:59 2021
> > # Generated by ip6tables-save v1.8.7 on Fri Nov 12 07:18:59 2021
> > *nat
> > :PREROUTING ACCEPT [848:78316]
> > :INPUT ACCEPT [12:2456]
> > :OUTPUT ACCEPT [17:1616]
> > :POSTROUTING ACCEPT [677:61898]
> > -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
> > -A POSTROUTING -m addrtype ! --src-type LOCAL -j MASQUERADE
> > COMMIT
> >
> >
> > *ip route show table all*
> > default via 172.31.1.1 dev eth0
> > 172.31.1.1 dev eth0 scope link
> > broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
> > local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
> > local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
> > broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
> > local 162.55.173.134 dev eth0 table local proto kernel scope host src 162.55.173.134
> > broadcast 162.55.173.134 dev eth0 table local proto kernel scope link src 162.55.173.134
> > ::1 dev lo proto kernel metric 256 pref medium
> > 2a01:4f8:c17:1f2d::1 dev eth0 proto kernel metric 256 pref medium
> > 2a01:4f8:c17:1f2d:cafe::123 dev eth0 proto kernel metric 256 pref medium
> > 2a01:4f8:c17:1f2d:ffff::/80 dev eth0 proto kernel metric 256 pref medium
> > fe80::/64 dev eth0 proto kernel metric 256 pref medium
> > default via fe80::1 dev eth0 metric 1024 onlink pref medium
> > local ::1 dev lo table local proto kernel metric 0 pref medium
> > local 2a01:4f8:c17:1f2d::1 dev eth0 table local proto kernel metric 0 pref medium
> > local 2a01:4f8:c17:1f2d:cafe::123 dev eth0 table local proto kernel metric 0 pref medium
> > local 2a01:4f8:c17:1f2d:ffff:: dev eth0 table local proto kernel metric 0 pref medium
> > anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
> > local fe80::9400:ff:fef1:6bcb dev eth0 table local proto kernel metric 0 pref medium
> > multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium
> >
> >
> > *ip address*
> > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
> >      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> >      inet 127.0.0.1/8 scope host lo
> >         valid_lft forever preferred_lft forever
> >      inet6 ::1/128 scope host
> >         valid_lft forever preferred_lft forever
> > 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
> >      link/ether 96:00:00:f1:6b:cb brd ff:ff:ff:ff:ff:ff
> >      altname enp0s3
> >      altname ens3
> >      inet 162.55.173.134/32 brd 162.55.173.134 scope global dynamic eth0
> >         valid_lft 82750sec preferred_lft 82750sec
> >      inet6 2a01:4f8:c17:1f2d:ffff::/80 scope global
> >         valid_lft forever preferred_lft forever
> >      inet6 2a01:4f8:c17:1f2d:cafe::123/128 scope global
> >         valid_lft forever preferred_lft forever
> >      inet6 2a01:4f8:c17:1f2d::1/128 scope global
> >         valid_lft forever preferred_lft forever
> >      inet6 fe80::9400:ff:fef1:6bcb/64 scope link
> >         valid_lft forever preferred_lft forever
> >
> >
> > Please let me know if you need anything else. Much appreciated.
> > Thank you,
> > Houman
>
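
Added example, not part of the original thread or of strongSwan: a Python cross-check of three outputs quoted in this message (`ip address`, the charon.log "assigning virtual IP" lines, and the tcpdump capture) that reports any virtual IP lease that is also configured on a local interface and any local address that lies inside the `rightsourceip` pool. A host delivers packets addressed to one of its own addresses locally instead of forwarding them, and answers UDP to a closed port with an ICMPv6 port-unreachable error. The function names are this example's own, and the sample inputs are excerpts copied from the message with e-mail line wraps removed.

```python
import ipaddress
import re

# Excerpts copied from the message above (line wraps and quote markers removed).
IP_ADDRESS_OUTPUT = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 162.55.173.134/32 brd 162.55.173.134 scope global dynamic eth0
    inet6 2a01:4f8:c17:1f2d:ffff::/80 scope global
    inet6 2a01:4f8:c17:1f2d:cafe::123/128 scope global
    inet6 2a01:4f8:c17:1f2d::1/128 scope global
    inet6 fe80::9400:ff:fef1:6bcb/64 scope link
"""
CHARON_LOG = """\
Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> assigning virtual IP 10.10.10.0 to peer 'ceec523e-6059-4cba-b6e4-a1fd2eb0a469'
Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> assigning virtual IP 2a01:4f8:c17:1f2d::1 to peer 'ceec523e-6059-4cba-b6e4-a1fd2eb0a469'
"""
TCPDUMP_OUTPUT = """\
12:51:32.014856 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 55160, length 114
12:51:37.230741 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 59089, length 141
"""
RIGHTSOURCEIP = "10.10.10.0/17,2a01:4f8:c17:1f2d::/64"  # from the quoted ipsec.conf


def local_addresses(ip_addr_output):
    """Map every address configured on the host to its interface name."""
    found, iface = {}, None
    for line in ip_addr_output.splitlines():
        header = re.match(r"\d+:\s+([^:@\s]+)", line)
        if header:
            iface = header.group(1)
            continue
        addr = re.match(r"\s+inet6?\s+(\S+)", line)
        if addr:
            found[ipaddress.ip_interface(addr.group(1)).ip] = iface
    return found


def assigned_virtual_ips(charon_log):
    """Return (virtual IP, peer identity) pairs from charon lease messages."""
    pat = re.compile(r"assigning virtual IP (\S+) to peer '([^']*)'")
    return [(ipaddress.ip_address(ip), peer) for ip, peer in pat.findall(charon_log)]


def unreachable_sources(tcpdump_output):
    """Count ICMPv6 port-unreachable errors per numeric source address."""
    pat = re.compile(r"IP6 (\S+) > \S+: ICMP6, destination unreachable, unreachable port")
    counts = {}
    for src in pat.findall(tcpdump_output):
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:  # tcpdump printed a resolved hostname instead
            continue
        counts[addr] = counts.get(addr, 0) + 1
    return counts


def diagnose(ip_addr_output, charon_log, tcpdump_output, pools):
    """Cross-reference leases, local addresses, pools and observed ICMPv6 errors."""
    local = local_addresses(ip_addr_output)
    errors = unreachable_sources(tcpdump_output)
    # strict=False: 10.10.10.0/17 has host bits set, as written in ipsec.conf
    nets = [ipaddress.ip_network(p.strip(), strict=False)
            for p in pools.split(",") if p.strip()]
    report = {"lease_conflicts": [], "pool_overlaps": []}
    for vip, peer in assigned_virtual_ips(charon_log):
        if vip in local:  # the lease duplicates an address the host itself owns
            report["lease_conflicts"].append({
                "vip": str(vip), "iface": local[vip], "peer": peer,
                "icmp_errors": errors.get(vip, 0),
            })
    for addr, iface in local.items():
        for net in nets:
            if addr.version == net.version and addr in net:
                report["pool_overlaps"].append((str(addr), iface, str(net)))
    return report


if __name__ == "__main__":
    result = diagnose(IP_ADDRESS_OUTPUT, CHARON_LOG, TCPDUMP_OUTPUT, RIGHTSOURCEIP)
    for c in result["lease_conflicts"]:
        print(f"lease {c['vip']} (peer {c['peer']}) is also local on {c['iface']}; "
              f"{c['icmp_errors']} port-unreachable errors sent from it")
    for addr, iface, net in result["pool_overlaps"]:
        print(f"local address {addr} on {iface} lies inside pool {net}")
```

On a live gateway the same functions can be fed the real `ip address` output, the full charon.log and a longer capture.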