On Thu, Jul 8, 2021 at 11:04 AM Paul Wouters <p...@nohats.ca> wrote:

> On Thu, 8 Jul 2021, Dan Stromberg wrote:
>
> > $ ike-scan vpn.nohats.ca
> > Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
> >
> > Ending ike-scan 1.9.4: 1 hosts scanned in 2.529 seconds (0.40 hosts/sec). 0 returned handshake; 0 returned notify
> >
> > Could someone not firewalled please run "ike-scan vpn.nohats.ca" and send output to the list, for the sake of comparison?
>
> paul@bofh:~$ sudo ike-scan vpn.nohats.ca
> Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
>
> Ending ike-scan 1.9.4: 1 hosts scanned in 2.616 seconds (0.38 hosts/sec). 0 returned handshake; 0 returned notify
>
> I guess we increased our security :)
>

Thanks for checking it!
> Jul 8 13:58:50.834070: packet from 193.110.157.194:500: initial Main
> Mode message received but no connection has been authorized with policy PSK
>
> I added a bogus IKEv1 connection to it. So now scanning it shows:
>
> paul@bofh:~$ sudo ike-scan vpn.nohats.ca
> Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
> 193.110.157.148 Notify message 14 (NO-PROPOSAL-CHOSEN) HDR=(CKY-R=d87781dc8be5eff1)
>
> Ending ike-scan 1.9.4: 1 hosts scanned in 0.274 seconds (3.65 hosts/sec). 0 returned handshake; 1 returned notify
>
> Note the "1 returned notify"
>
> > PS: I'm not sure if I'm happy or daunted by the possibility of this being because of a firewall, as I haven't set one up and fear it may be out of my control.
>
> if you have firewalld running, you might just want to either remove it, or run:
>
> sudo firewall-cmd --zone=trusted --add-port=500/udp --permanent
> sudo firewall-cmd --zone=trusted --add-port=4500/udp --permanent
> sudo firewall-cmd --zone=trusted --add-protocol=50 --permanent
> sudo systemctl restart firewalld
>

Now ike-scan of vpn.nohats.ca is giving me:

$ ike-scan --ikev2 vpn.nohats.ca
Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
193.110.157.148 Notify message 14 (NO_PROPOSAL_CHOSEN) HDR=(CKY-R=ac594eee123b34c5, IKEv2)

Ending ike-scan 1.9.4: 1 hosts scanned in 0.469 seconds (2.13 hosts/sec). 0 returned handshake; 1 returned notify

Does this mean there's no firewall on my system? I don't see any occurrences of "firewall" in ps -ef, and iptables --list gives me:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

I'm not 100% sure how to interpret this. If it's a firewall blocking my traffic, I don't think it's on my Debian system, nor do I think it's on my home router, but please help me interpret these results.
It seems like if there's a firewall, it would have to be on my corporate network or the Fortigate system itself.

I'm still getting:

$ ike-scan --ikev2 1.1.1.1
below cmd output started 2021 Thu Jul 08 12:08:58 PM PDT
Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9.4: 1 hosts scanned in 2.438 seconds (0.41 hosts/sec). 0 returned handshake; 0 returned notify

I haven't found mtr tremendously accurate in the past, but maybe here it's worth looking at to form a guess about where udp/500 is getting blocked, if anywhere:

mtr --report --udp -4 --port 500 1.1.1.1
Start: 2021-07-08T12:18:56-0700
HOST: KS190924A                   Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- dsldevice.attlocal.net      0.0%    10    0.8   0.8   0.8   0.9   0.0
  2.|-- 107-214-104-1.lightspeed.   0.0%    10   20.6  21.6  17.3  30.4   5.3
  3.|-- 64.148.105.178              0.0%    10   17.4  67.1  17.3 457.0 138.2
  4.|-- cr83.la2ca.ip.att.net       0.0%    10   20.5  23.8  20.3  27.7   2.7
  5.|-- ggr2.la2ca.ip.att.net       0.0%    10   21.1  21.2  19.2  22.3   1.1
  6.|-- 192.205.37.26               0.0%    10   20.6  20.6  19.7  21.2   0.4
  7.|-- be-3402-cs04.losangeles.c   0.0%    10   20.3  21.4  20.3  22.2   0.6
  8.|-- 96.110.45.230               0.0%    10   28.5  28.2  26.3  35.0   2.5
  9.|-- ae-2-rur01.placerville.ca   0.0%    10   32.2  32.0  31.6  32.5   0.3
 10.|-- ae-11-sur02.placerville.c   0.0%    10   31.0  31.5  31.0  32.2   0.4
 11.|-- 50.231.18.194               0.0%    10   32.1  32.3  32.0  33.5   0.5
 12.|-- ???                        100.0    10    0.0   0.0   0.0   0.0   0.0

This too seems to say that I'm not firewalling on my Debian system or home router. Hop 11 appears to be a comcast host according to ipwhois.

My IT guy said that the Fortigate server is "in stealth mode", and he seems to be avoiding telling me what that means more specifically. If I had to guess, I'd say maybe he's turned off ICMP, since the server is not ping'able.

Any further thoughts folks?

Thanks!
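As an added example (not from this thread or from libreswan), a small Python parser for the "mtr --report --udp --port 500" layout shown above that picks out the last hop answering the UDP/500 probes and the first silent hop after it; the sample report, its hostnames and its numbers are constructed.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the layout of "mtr --report --udp -4 --port 500 <host>".
# Hostnames and figures are made up; only the column shape follows real mtr output.
# Note mtr prints "0.0%" but "100.0" (no "%") when the column overflows.
SAMPLE_REPORT = """\
Start: 2021-07-08T12:18:56-0700
HOST: example-host                Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- router.lan                  0.0%    10    0.8   0.8   0.8   0.9   0.0
  2.|-- isp-edge.example.net        0.0%    10   20.6  21.6  17.3  30.4   5.3
  3.|-- 192.0.2.10                  0.0%    10   17.4  67.1  17.3 457.0 138.2
  4.|-- 198.51.100.7               30.0%    10   32.1  32.3  32.0  33.5   0.5
  5.|-- ???                        100.0    10    0.0   0.0   0.0   0.0   0.0
"""

HOP_RE = re.compile(r"^\s*(?P<hop>\d+)\.\|--\s+(?P<host>\S+)\s+(?P<loss>[\d.]+)%?\s+(?P<sent>\d+)")

@dataclass
class Hop:
    number: int
    host: str
    loss_pct: float
    sent: int

def parse_mtr_report(text: str) -> list[Hop]:
    """Parse the hop rows of an mtr --report; header and 'Start:' lines are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append(Hop(int(m["hop"]), m["host"], float(m["loss"]), int(m["sent"])))
    return hops

def locate_udp_block(hops: list[Hop]) -> dict:
    """Report the last hop that answered at all and the first fully silent hop after it.

    Partial loss at an intermediate hop (hop 4 here) is usually ICMP rate limiting,
    not filtering, so only 100% loss is treated as silence. A silent final hop means
    nothing beyond last_answering replied; a target that drops unsolicited UDP/500
    and ICMP (the "stealth mode" case in the thread) looks exactly like a filter at
    that hop, so this is a lower bound on where a block could sit, not proof of one.
    """
    last: Optional[Hop] = None
    for h in hops:
        if h.loss_pct < 100.0:
            last = h
    silent = [h for h in hops if h.loss_pct >= 100.0 and (last is None or h.number > last.number)]
    return {
        "last_answering": last.number if last else None,
        "first_silent": silent[0].number if silent else None,
        "reached_target": bool(hops) and hops[-1].loss_pct < 100.0,
    }
```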
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan