Hello Noel,

I do not know what you exactly mean, but the source IP sent over the VTI interface is the same as the one configured on the VTI interface (95.115.254.161 in this case). As I wrote, I can see that the ICMP echo request & reply are delivered to this IPsec endpoint machine (I only suppose so, because the packets are encrypted when sniffing with tcpdump, but there is no other ICMP traffic). It seems that the encrypted echo reply is delivered to the machine, but the "kernel/ipsec stack" is not able to properly "route" it to the VTI device.

Actually my IPsec/*swan knowledge is not very good, so sorry if my answers are dumb.

I am attaching logs/configs as you requested.

Thank you,

BR,
Miroslav

On 2017-11-22 17:41, Noel Kuntze wrote:
Hello Miroslav,

I suspect that the policy lookup for the received packets fails. Check
what the source of the packets that you send over the vti device is.
Anyway, please provide the full list of information from the
HelpRequests[1] page.

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

Kind regards

Noel

On 22.11.2017 16:47, Miroslav Hostinsky wrote:
Hello,

I have an issue configuring strongSwan with a VTI interface as a road warrior. This is my configuration:

ipsec.conf:

config setup

conn %default
  keyexchange=ikev2
  ikelifetime=60m
  keylife=20m
  rekeymargin=3m
  rekey=no
  dpdaction=restart
  dpddelay=30s
  compress=yes
  auto=start

conn acnnet
  leftupdown=/usr/local/sbin/ipsec-notify.sh
  left=%defaultroute
  leftauth=eap
  leftsourceip=%config4,%config6
  rightauth=pubkey
  rightsubnet=0.0.0.0/0,::/0
  eap_identity=%identity
  leftid=bman
  right=mailer.domena.sk
  [email protected]
  mark=28

The VTI interface is configured using the leftupdown script (real commands executed):

ip tunnel add vti1 local 85.105.254.225 remote 185.210.28.63 mode vti key 28 ikey 28
ip link set vti1 up
ip addr add 192.168.228.10 dev vti1
ip route add 74.99.179.0/24 dev vti1
sysctl -w net.ipv4.conf.vti1.disable_policy=1

It seems that the outgoing connection via the vti1 interface is working (outgoing ICMP echo requests to subnet 74.99.179.0/24). But I am unable to receive the ICMP echo reply. Using tcpdump I can clearly see that the IPsec-encrypted ICMP echo reply is returning via the physical interface, but not via vti1.


I found that TX bytes are correctly counted on vti1, but RX shows errors (it seems that each ICMP echo reply packet is counted as +1 error):

# ip -s tunnel show
vti1: ip/ip  remote 185.210.28.63  local 85.105.254.225 ttl inherit  key 28
RX: Packets    Bytes        Errors CsumErrs OutOfSeq Mcasts
    0          0            805    0        0 0
TX: Packets    Bytes        Errors DeadLoop NoRoute NoBufs
    401        68170        0      0        0 0
ip_vti0: ip/ip  remote any  local any  ttl inherit nopmtudisc key 0
RX: Packets    Bytes        Errors CsumErrs OutOfSeq Mcasts
    0          0            0      0        0 0
TX: Packets    Bytes        Errors DeadLoop NoRoute NoBufs
    0          0            0      0        0 0

It seems that the RX errors on vti1 are the currently missing ICMP echo reply packets, but they are counted as RX errors, not as received RX packets.

Do you have any idea what's wrong?

I am using CentOS 7.4 with strongswan-5.5.3-1.el7.x86_64 from EPEL. I tried with the same result on Arch Linux (kernel 4.9 and strongswan 5.6.0).

Route installation is disabled in charon.conf.

Normal connection using Virtual IP is working great.


Thank you very much for any help.


BR,

Miroslav

--
Miroslav Hostinsky
Wed, 2017-11-22 18:24 00[DMN] Starting IKE charon daemon (strongSwan 5.5.3, 
Linux 3.10.0-693.5.2.el7.x86_64, x86_64)
Wed, 2017-11-22 18:24 00[LIB] plugin 'aes': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] plugin 'des': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] plugin 'rc2': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] plugin 'sha2': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] plugin 'sha1': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] plugin 'md4': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] plugin 'md5': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] plugin 'random': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] plugin 'nonce': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] plugin 'x509': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] plugin 'revocation': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] plugin 'constraints': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] plugin 'acert': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] plugin 'pubkey': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] plugin 'pkcs1': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] plugin 'pkcs8': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] plugin 'pkcs12': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] plugin 'pgp': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] plugin 'dnskey': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] plugin 'sshkey': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] plugin 'pem': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] openssl FIPS mode(2) - enabled 
Wed, 2017-11-22 18:24 00[LIB] plugin 'openssl': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] plugin 'gcrypt': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] plugin 'fips-prf': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] plugin 'gmp': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] plugin 'curve25519': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] plugin 'xcbc': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] plugin 'cmac': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] plugin 'hmac': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] plugin 'ctr': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] plugin 'ccm': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] plugin 'gcm': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] plugin 'curl': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] plugin 'attr': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] plugin 'kernel-netlink': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] plugin 'resolve': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] plugin 'socket-default': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] plugin 'farp': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] plugin 'stroke': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] plugin 'vici': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] plugin 'updown': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] plugin 'eap-identity': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] plugin 'eap-md5': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] plugin 'eap-gtc': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] plugin 'eap-mschapv2': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] plugin 'eap-tls': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] plugin 'eap-ttls': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] plugin 'eap-peap': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] plugin 'xauth-generic': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] plugin 'xauth-eap': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] plugin 'xauth-pam': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] plugin 'xauth-noauth': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] plugin 'dhcp': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] plugin 'unity': loaded successfully
Wed, 2017-11-22 18:24 00[LIB] feature PUBKEY:BLISS in plugin 'pem' has unmet 
dependency: PUBKEY:BLISS
Wed, 2017-11-22 18:24 00[LIB] feature PUBKEY:DSA in plugin 'pem' has unmet 
dependency: PUBKEY:DSA
Wed, 2017-11-22 18:24 00[LIB] feature PRIVKEY:DSA in plugin 'pem' has unmet 
dependency: PRIVKEY:DSA
Wed, 2017-11-22 18:24 00[LIB] feature PRIVKEY:BLISS in plugin 'pem' has unmet 
dependency: PRIVKEY:BLISS
Wed, 2017-11-22 18:24 00[LIB] feature CERT_DECODE:OCSP_REQUEST in plugin 'pem' 
has unmet dependency: CERT_DECODE:OCSP_REQUEST
Wed, 2017-11-22 18:24 00[LIB] feature PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA3_224 in 
plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_224
Wed, 2017-11-22 18:24 00[LIB] feature PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA3_256 in 
plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_256
Wed, 2017-11-22 18:24 00[LIB] feature PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA3_384 in 
plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_384
Wed, 2017-11-22 18:24 00[LIB] feature PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA3_512 in 
plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_512
Wed, 2017-11-22 18:24 00[LIB] feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA3_224 in 
plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_224
Wed, 2017-11-22 18:24 00[LIB] feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA3_256 in 
plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_256
Wed, 2017-11-22 18:24 00[LIB] feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA3_384 in 
plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_384
Wed, 2017-11-22 18:24 00[LIB] feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA3_512 in 
plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_512
Wed, 2017-11-22 18:24 00[CFG] loading ca certificates from 
'/etc/strongswan/ipsec.d/cacerts'
Wed, 2017-11-22 18:24 00[CFG]   loaded ca certificate "C=US, O=Let's Encrypt, 
CN=Let's Encrypt Authority X3" from 
'/etc/strongswan/ipsec.d/cacerts/lets-encrypt-x3-cross-signed.pem'
Wed, 2017-11-22 18:24 00[CFG]   loaded ca certificate "O=Digital Signature 
Trust Co., CN=DST Root CA X3" from '/etc/strongswan/ipsec.d/cacerts/dst.pem'
Wed, 2017-11-22 18:24 00[CFG] loading aa certificates from 
'/etc/strongswan/ipsec.d/aacerts'
Wed, 2017-11-22 18:24 00[CFG] loading ocsp signer certificates from 
'/etc/strongswan/ipsec.d/ocspcerts'
Wed, 2017-11-22 18:24 00[CFG] loading attribute certificates from 
'/etc/strongswan/ipsec.d/acerts'
Wed, 2017-11-22 18:24 00[CFG] loading crls from '/etc/strongswan/ipsec.d/crls'
Wed, 2017-11-22 18:24 00[CFG] loading secrets from 
'/etc/strongswan/ipsec.secrets'
Wed, 2017-11-22 18:24 00[CFG]   loaded EAP secret for bmanovic
Wed, 2017-11-22 18:24 00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md4 
md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 
pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 xcbc cmac hmac ctr 
ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown 
eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap 
xauth-generic xauth-eap xauth-pam xauth-noauth dhcp unity
Wed, 2017-11-22 18:24 00[LIB] unable to load 13 plugin features (13 due to 
unmet dependencies)
Wed, 2017-11-22 18:24 00[JOB] spawning 16 worker threads
Wed, 2017-11-22 18:24 01[LIB] created thread 01 [2818]
Wed, 2017-11-22 18:24 03[LIB] created thread 03 [2821]
Wed, 2017-11-22 18:24 02[LIB] created thread 02 [2819]
Wed, 2017-11-22 18:24 04[LIB] created thread 04 [2820]
Wed, 2017-11-22 18:24 05[LIB] created thread 05 [2822]
Wed, 2017-11-22 18:24 06[LIB] created thread 06 [2824]
Wed, 2017-11-22 18:24 08[LIB] created thread 08 [2825]
Wed, 2017-11-22 18:24 07[LIB] created thread 07 [2823]
Wed, 2017-11-22 18:24 09[LIB] created thread 09 [2827]
Wed, 2017-11-22 18:24 10[LIB] created thread 10 [2826]
Wed, 2017-11-22 18:24 11[LIB] created thread 11 [2828]
Wed, 2017-11-22 18:24 13[LIB] created thread 13 [2830]
Wed, 2017-11-22 18:24 12[LIB] created thread 12 [2829]
Wed, 2017-11-22 18:24 14[LIB] created thread 14 [2831]
Wed, 2017-11-22 18:24 15[LIB] created thread 15 [2833]
Wed, 2017-11-22 18:24 16[LIB] created thread 16 [2832]
Wed, 2017-11-22 18:24 04[CFG] received stroke: add connection 'alconet'
Wed, 2017-11-22 18:24 04[CFG] conn alconet
Wed, 2017-11-22 18:24 04[CFG]   left=%any
Wed, 2017-11-22 18:24 04[CFG]   leftsourceip=%config4,%config6
Wed, 2017-11-22 18:24 04[CFG]   leftauth=eap
Wed, 2017-11-22 18:24 04[CFG]   leftid=bmanovic
Wed, 2017-11-22 18:24 04[CFG]   leftupdown=/usr/local/sbin/ipsec-notify.sh
Wed, 2017-11-22 18:24 04[CFG]   right=ipsec.domena.sk
Wed, 2017-11-22 18:24 04[CFG]   rightsubnet=0.0.0.0/0,::/0
Wed, 2017-11-22 18:24 04[CFG]   rightauth=pubkey
Wed, 2017-11-22 18:24 04[CFG]   [email protected]
Wed, 2017-11-22 18:24 04[CFG]   eap_identity=%identity
Wed, 2017-11-22 18:24 04[CFG]   ike=aes128-sha256-curve25519
Wed, 2017-11-22 18:24 04[CFG]   esp=aes128-sha256
Wed, 2017-11-22 18:24 04[CFG]   dpddelay=30
Wed, 2017-11-22 18:24 04[CFG]   dpdtimeout=150
Wed, 2017-11-22 18:24 04[CFG]   dpdaction=3
Wed, 2017-11-22 18:24 04[CFG]   sha256_96=no
Wed, 2017-11-22 18:24 04[CFG]   mediation=no
Wed, 2017-11-22 18:24 04[CFG]   keyexchange=ikev2
Wed, 2017-11-22 18:24 17[LIB] created thread 17 [2834]
Wed, 2017-11-22 18:24 04[CFG] added configuration 'alconet'
Wed, 2017-11-22 18:24 06[CFG] received stroke: initiate 'alconet'
Wed, 2017-11-22 18:24 06[IKE] <alconet|1> queueing IKE_VENDOR task
Wed, 2017-11-22 18:24 06[IKE] <alconet|1> queueing IKE_INIT task
Wed, 2017-11-22 18:24 06[IKE] <alconet|1> queueing IKE_NATD task
Wed, 2017-11-22 18:24 06[IKE] <alconet|1> queueing IKE_CERT_PRE task
Wed, 2017-11-22 18:24 06[IKE] <alconet|1> queueing IKE_AUTH task
Wed, 2017-11-22 18:24 06[IKE] <alconet|1> queueing IKE_CERT_POST task
Wed, 2017-11-22 18:24 06[IKE] <alconet|1> queueing IKE_CONFIG task
Wed, 2017-11-22 18:24 06[IKE] <alconet|1> queueing IKE_AUTH_LIFETIME task
Wed, 2017-11-22 18:24 06[IKE] <alconet|1> queueing IKE_MOBIKE task
Wed, 2017-11-22 18:24 06[IKE] <alconet|1> queueing CHILD_CREATE task
Wed, 2017-11-22 18:24 06[IKE] <alconet|1> activating new tasks
Wed, 2017-11-22 18:24 06[IKE] <alconet|1>   activating IKE_VENDOR task
Wed, 2017-11-22 18:24 06[IKE] <alconet|1>   activating IKE_INIT task
Wed, 2017-11-22 18:24 06[IKE] <alconet|1>   activating IKE_NATD task
Wed, 2017-11-22 18:24 06[IKE] <alconet|1>   activating IKE_CERT_PRE task
Wed, 2017-11-22 18:24 06[IKE] <alconet|1>   activating IKE_AUTH task
Wed, 2017-11-22 18:24 06[IKE] <alconet|1>   activating IKE_CERT_POST task
Wed, 2017-11-22 18:24 06[IKE] <alconet|1>   activating IKE_CONFIG task
Wed, 2017-11-22 18:24 06[IKE] <alconet|1>   activating CHILD_CREATE task
Wed, 2017-11-22 18:24 06[IKE] <alconet|1>   activating IKE_AUTH_LIFETIME task
Wed, 2017-11-22 18:24 06[IKE] <alconet|1>   activating IKE_MOBIKE task
Wed, 2017-11-22 18:24 06[IKE] <alconet|1> initiating IKE_SA alconet[1] to 
95.115.254.165
Wed, 2017-11-22 18:24 06[IKE] <alconet|1> IKE_SA alconet[1] state change: 
CREATED => CONNECTING
Wed, 2017-11-22 18:24 06[CFG] <alconet|1> configured proposals: 
IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519, 
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_1024,
 
IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_1024
Wed, 2017-11-22 18:24 06[CFG] <alconet|1> sending supported signature hash 
algorithms: sha1 sha256 sha384 sha512 identity
Wed, 2017-11-22 18:24 06[ENC] <alconet|1> generating IKE_SA_INIT request 0 [ SA 
KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Wed, 2017-11-22 18:24 06[NET] <alconet|1> sending packet: from 
10.198.54.208[500] to 95.115.254.165[500] (1094 bytes)
Wed, 2017-11-22 18:24 07[NET] <alconet|1> received packet: from 
95.115.254.165[500] to 10.198.54.208[500] (267 bytes)
Wed, 2017-11-22 18:24 07[ENC] <alconet|1> parsed IKE_SA_INIT response 0 [ SA KE 
No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Wed, 2017-11-22 18:24 07[IKE] <alconet|1> received FRAGMENTATION_SUPPORTED 
notify
Wed, 2017-11-22 18:24 07[IKE] <alconet|1> received SIGNATURE_HASH_ALGORITHMS 
notify
Wed, 2017-11-22 18:24 07[CFG] <alconet|1> selecting proposal:
Wed, 2017-11-22 18:24 07[CFG] <alconet|1>   proposal matches
Wed, 2017-11-22 18:24 07[CFG] <alconet|1> received proposals: 
IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519
Wed, 2017-11-22 18:24 07[CFG] <alconet|1> configured proposals: 
IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519, 
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_1024,
 
IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_1024
Wed, 2017-11-22 18:24 07[CFG] <alconet|1> selected proposal: 
IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519
Wed, 2017-11-22 18:24 07[CFG] <alconet|1> received supported signature hash 
algorithms: sha1 sha256 sha384 sha512 identity
Wed, 2017-11-22 18:24 07[IKE] <alconet|1> local host is behind NAT, sending 
keep alives
Wed, 2017-11-22 18:24 07[IKE] <alconet|1> received cert request for "C=US, 
O=Let's Encrypt, CN=Let's Encrypt Authority X3"
Wed, 2017-11-22 18:24 07[IKE] <alconet|1> reinitiating already active tasks
Wed, 2017-11-22 18:24 07[IKE] <alconet|1>   IKE_CERT_PRE task
Wed, 2017-11-22 18:24 07[IKE] <alconet|1>   IKE_AUTH task
Wed, 2017-11-22 18:24 07[IKE] <alconet|1> sending cert request for "C=US, 
O=Let's Encrypt, CN=Let's Encrypt Authority X3"
Wed, 2017-11-22 18:24 07[IKE] <alconet|1> sending cert request for "O=Digital 
Signature Trust Co., CN=DST Root CA X3"
Wed, 2017-11-22 18:24 07[IKE] <alconet|1> building INTERNAL_IP4_DNS attribute
Wed, 2017-11-22 18:24 07[IKE] <alconet|1> building INTERNAL_IP6_DNS attribute
Wed, 2017-11-22 18:24 07[IKE] <alconet|1> establishing CHILD_SA alconet
Wed, 2017-11-22 18:24 07[CFG] <alconet|1> proposing traffic selectors for us:
Wed, 2017-11-22 18:24 07[CFG] <alconet|1>  0.0.0.0/0
Wed, 2017-11-22 18:24 07[CFG] <alconet|1>  ::/0
Wed, 2017-11-22 18:24 07[CFG] <alconet|1> proposing traffic selectors for other:
Wed, 2017-11-22 18:24 07[CFG] <alconet|1>  0.0.0.0/0
Wed, 2017-11-22 18:24 07[CFG] <alconet|1>  ::/0
Wed, 2017-11-22 18:24 07[CFG] <alconet|1> configured proposals: 
ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ, 
ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
Wed, 2017-11-22 18:24 07[ENC] <alconet|1> generating IKE_AUTH request 1 [ IDi 
N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR ADDR6 DNS DNS6) N(IPCOMP_SUP) SA TSi TSr 
N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Wed, 2017-11-22 18:24 07[NET] <alconet|1> sending packet: from 
10.198.54.208[4500] to 95.115.254.165[4500] (544 bytes)
Wed, 2017-11-22 18:24 02[NET] <alconet|1> received packet: from 
95.115.254.165[4500] to 10.198.54.208[4500] (1236 bytes)
Wed, 2017-11-22 18:24 02[ENC] <alconet|1> parsed IKE_AUTH response 1 [ EF(1/2) ]
Wed, 2017-11-22 18:24 02[ENC] <alconet|1> received fragment #1 of 2, waiting 
for complete IKE message
Wed, 2017-11-22 18:24 09[NET] <alconet|1> received packet: from 
95.115.254.165[4500] to 10.198.54.208[4500] (516 bytes)
Wed, 2017-11-22 18:24 09[ENC] <alconet|1> parsed IKE_AUTH response 1 [ EF(2/2) ]
Wed, 2017-11-22 18:24 09[ENC] <alconet|1> received fragment #2 of 2, 
reassembling fragmented IKE message
Wed, 2017-11-22 18:24 09[ENC] <alconet|1> parsed IKE_AUTH response 1 [ IDr CERT 
AUTH EAP/REQ/ID ]
Wed, 2017-11-22 18:24 09[IKE] <alconet|1> received end entity cert 
"CN=ipsec.domena.sk"
Wed, 2017-11-22 18:24 09[CFG] <alconet|1>   using certificate 
"CN=ipsec.domena.sk"
Wed, 2017-11-22 18:24 09[CFG] <alconet|1>   certificate "CN=ipsec.domena.sk" 
key: 2048 bit RSA
Wed, 2017-11-22 18:24 09[CFG] <alconet|1>   using trusted intermediate ca 
certificate "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
Wed, 2017-11-22 18:24 09[CFG] <alconet|1> checking certificate status of 
"CN=ipsec.domena.sk"
Wed, 2017-11-22 18:24 09[CFG] <alconet|1>   requesting ocsp status from 
'http://ocsp.int-x3.letsencrypt.org' ...
Wed, 2017-11-22 18:24 09[LIB] <alconet|1>   sending request to 
'http://ocsp.int-x3.letsencrypt.org'...
Wed, 2017-11-22 18:24 09[LIB] <alconet|1> libcurl request failed [7]: Failed to 
connect to 2a02:26f0:ea::1706:70f0: Network is unreachable
Wed, 2017-11-22 18:24 09[CFG] <alconet|1> ocsp request to 
http://ocsp.int-x3.letsencrypt.org failed
Wed, 2017-11-22 18:24 09[CFG] <alconet|1> ocsp check failed, fallback to crl
Wed, 2017-11-22 18:24 09[CFG] <alconet|1> certificate status is not available
Wed, 2017-11-22 18:24 09[CFG] <alconet|1>   certificate "C=US, O=Let's Encrypt, 
CN=Let's Encrypt Authority X3" key: 2048 bit RSA
Wed, 2017-11-22 18:24 09[CFG] <alconet|1>   using trusted ca certificate 
"O=Digital Signature Trust Co., CN=DST Root CA X3"
Wed, 2017-11-22 18:24 09[CFG] <alconet|1> checking certificate status of "C=US, 
O=Let's Encrypt, CN=Let's Encrypt Authority X3"
Wed, 2017-11-22 18:24 09[CFG] <alconet|1>   requesting ocsp status from 
'http://isrg.trustid.ocsp.identrust.com' ...
Wed, 2017-11-22 18:24 09[LIB] <alconet|1>   sending request to 
'http://isrg.trustid.ocsp.identrust.com'...
Wed, 2017-11-22 18:24 09[LIB] <alconet|1> libcurl request failed [7]: Failed 
connect to isrg.trustid.ocsp.identrust.com:80; Connection refused
Wed, 2017-11-22 18:24 09[CFG] <alconet|1> ocsp request to 
http://isrg.trustid.ocsp.identrust.com failed
Wed, 2017-11-22 18:24 09[CFG] <alconet|1> ocsp check failed, fallback to crl
Wed, 2017-11-22 18:24 09[CFG] <alconet|1>   fetching crl from 
'http://crl.identrust.com/DSTROOTCAX3CRL.crl' ...
Wed, 2017-11-22 18:24 09[LIB] <alconet|1>   sending request to 
'http://crl.identrust.com/DSTROOTCAX3CRL.crl'...
Wed, 2017-11-22 18:24 09[LIB] <alconet|1> libcurl request failed [7]: Failed 
connect to crl.identrust.com:80; Connection refused
Wed, 2017-11-22 18:24 09[CFG] <alconet|1> crl fetching failed
Wed, 2017-11-22 18:24 09[CFG] <alconet|1> certificate status is not available
Wed, 2017-11-22 18:24 09[CFG] <alconet|1> certificate policy 2.23.140.1.2.1 for 
'CN=ipsec.domena.sk' not allowed by trustchain, ignored
Wed, 2017-11-22 18:24 09[CFG] <alconet|1> certificate policy 
1.3.6.1.4.1.44947.1.1.1 for 'CN=ipsec.domena.sk' not allowed by trustchain, 
ignored
Wed, 2017-11-22 18:24 09[CFG] <alconet|1>   certificate "O=Digital Signature 
Trust Co., CN=DST Root CA X3" key: 2048 bit RSA
Wed, 2017-11-22 18:24 09[CFG] <alconet|1>   reached self-signed root ca with a 
path length of 1
Wed, 2017-11-22 18:24 09[IKE] <alconet|1> authentication of 'ipsec.domena.sk' 
with RSA_EMSA_PKCS1_SHA2_256 successful
Wed, 2017-11-22 18:24 09[IKE] <alconet|1> server requested EAP_IDENTITY (id 
0x00), sending 'bmanovic'
Wed, 2017-11-22 18:24 09[IKE] <alconet|1> reinitiating already active tasks
Wed, 2017-11-22 18:24 09[IKE] <alconet|1>   IKE_AUTH task
Wed, 2017-11-22 18:24 09[ENC] <alconet|1> generating IKE_AUTH request 2 [ 
EAP/RES/ID ]
Wed, 2017-11-22 18:24 09[NET] <alconet|1> sending packet: from 
10.198.54.208[4500] to 95.115.254.165[4500] (96 bytes)
Wed, 2017-11-22 18:24 10[NET] <alconet|1> received packet: from 
95.115.254.165[4500] to 10.198.54.208[4500] (112 bytes)
Wed, 2017-11-22 18:24 10[ENC] <alconet|1> parsed IKE_AUTH response 2 [ 
EAP/REQ/MSCHAPV2 ]
Wed, 2017-11-22 18:24 10[IKE] <alconet|1> server requested EAP_MSCHAPV2 
authentication (id 0xFA)
Wed, 2017-11-22 18:24 10[IKE] <alconet|1> reinitiating already active tasks
Wed, 2017-11-22 18:24 10[IKE] <alconet|1>   IKE_AUTH task
Wed, 2017-11-22 18:24 10[ENC] <alconet|1> generating IKE_AUTH request 3 [ 
EAP/RES/MSCHAPV2 ]
Wed, 2017-11-22 18:24 10[NET] <alconet|1> sending packet: from 
10.198.54.208[4500] to 95.115.254.165[4500] (144 bytes)
Wed, 2017-11-22 18:24 11[NET] <alconet|1> received packet: from 
95.115.254.165[4500] to 10.198.54.208[4500] (144 bytes)
Wed, 2017-11-22 18:24 11[ENC] <alconet|1> parsed IKE_AUTH response 3 [ 
EAP/REQ/MSCHAPV2 ]
Wed, 2017-11-22 18:24 11[IKE] <alconet|1> EAP-MS-CHAPv2 succeeded: 
'Welcome2strongSwan'
Wed, 2017-11-22 18:24 11[IKE] <alconet|1> reinitiating already active tasks
Wed, 2017-11-22 18:24 11[IKE] <alconet|1>   IKE_AUTH task
Wed, 2017-11-22 18:24 11[ENC] <alconet|1> generating IKE_AUTH request 4 [ 
EAP/RES/MSCHAPV2 ]
Wed, 2017-11-22 18:24 11[NET] <alconet|1> sending packet: from 
10.198.54.208[4500] to 95.115.254.165[4500] (80 bytes)
Wed, 2017-11-22 18:24 13[NET] <alconet|1> received packet: from 
95.115.254.165[4500] to 10.198.54.208[4500] (80 bytes)
Wed, 2017-11-22 18:24 13[ENC] <alconet|1> parsed IKE_AUTH response 4 [ EAP/SUCC 
]
Wed, 2017-11-22 18:24 13[IKE] <alconet|1> EAP method EAP_MSCHAPV2 succeeded, 
MSK established
Wed, 2017-11-22 18:24 13[IKE] <alconet|1> reinitiating already active tasks
Wed, 2017-11-22 18:24 13[IKE] <alconet|1>   IKE_AUTH task
Wed, 2017-11-22 18:24 13[IKE] <alconet|1> authentication of 'bmanovic' (myself) 
with EAP
Wed, 2017-11-22 18:24 13[ENC] <alconet|1> generating IKE_AUTH request 5 [ AUTH ]
Wed, 2017-11-22 18:24 13[NET] <alconet|1> sending packet: from 
10.198.54.208[4500] to 95.115.254.165[4500] (112 bytes)
Wed, 2017-11-22 18:24 12[NET] <alconet|1> received packet: from 
95.115.254.165[4500] to 10.198.54.208[4500] (256 bytes)
Wed, 2017-11-22 18:24 12[ENC] <alconet|1> parsed IKE_AUTH response 5 [ AUTH 
CPRP(ADDR DNS) N(IPCOMP_SUP) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Wed, 2017-11-22 18:24 12[IKE] <alconet|1> received IPCOMP_SUPPORTED notify
Wed, 2017-11-22 18:24 12[IKE] <alconet|1> received NO_ADDITIONAL_ADDRESSES 
notify
Wed, 2017-11-22 18:24 12[IKE] <alconet|1> authentication of 'ipsec.domena.sk' 
with EAP successful
Wed, 2017-11-22 18:24 12[IKE] <alconet|1> IKE_SA alconet[1] established between 
10.198.54.208[bmanovic]...95.115.254.165[ipsec.domena.sk]
Wed, 2017-11-22 18:24 12[IKE] <alconet|1> IKE_SA alconet[1] state change: 
CONNECTING => ESTABLISHED
Wed, 2017-11-22 18:24 12[IKE] <alconet|1> processing INTERNAL_IP4_ADDRESS 
attribute
Wed, 2017-11-22 18:24 12[IKE] <alconet|1> processing INTERNAL_IP4_DNS attribute
Wed, 2017-11-22 18:24 12[IKE] <alconet|1> installing DNS server 8.8.8.8 to 
/etc/strongswan/resolv.conf
Wed, 2017-11-22 18:24 12[IKE] <alconet|1> installing new virtual IP 
95.115.254.161
Wed, 2017-11-22 18:24 12[CFG] <alconet|1> selecting proposal:
Wed, 2017-11-22 18:24 12[CFG] <alconet|1>   proposal matches
Wed, 2017-11-22 18:24 12[CFG] <alconet|1> received proposals: 
ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
Wed, 2017-11-22 18:24 12[CFG] <alconet|1> configured proposals: 
ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ, 
ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
Wed, 2017-11-22 18:24 12[CFG] <alconet|1> selected proposal: 
ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
Wed, 2017-11-22 18:24 12[CFG] <alconet|1> selecting traffic selectors for us:
Wed, 2017-11-22 18:24 12[CFG] <alconet|1>  config: 95.115.254.161/32, received: 
95.115.254.161/32 => match: 95.115.254.161/32
Wed, 2017-11-22 18:24 12[CFG] <alconet|1> selecting traffic selectors for other:
Wed, 2017-11-22 18:24 12[CFG] <alconet|1>  config: 0.0.0.0/0, received: 
0.0.0.0/0 => match: 0.0.0.0/0
Wed, 2017-11-22 18:24 12[CFG] <alconet|1>  config: ::/0, received: 0.0.0.0/0 => 
no match
Wed, 2017-11-22 18:24 12[CHD] <alconet|1> CHILD_SA alconet{1} state change: 
CREATED => INSTALLING
Wed, 2017-11-22 18:24 12[CHD] <alconet|1>   using AES_CBC for encryption
Wed, 2017-11-22 18:24 12[CHD] <alconet|1>   using HMAC_SHA2_256_128 for 
integrity
Wed, 2017-11-22 18:24 12[CHD] <alconet|1> adding inbound ESP SA
Wed, 2017-11-22 18:24 12[CHD] <alconet|1>   SPI 0xc5b4c087, src 95.115.254.165 
dst 10.198.54.208
Wed, 2017-11-22 18:24 12[CHD] <alconet|1> adding outbound ESP SA
Wed, 2017-11-22 18:24 12[CHD] <alconet|1>   SPI 0xc57212ba, src 10.198.54.208 
dst 95.115.254.165
Wed, 2017-11-22 18:24 12[CHD] <alconet|1> CHILD_SA alconet{1} state change: 
INSTALLING => INSTALLED
Wed, 2017-11-22 18:24 12[IKE] <alconet|1> CHILD_SA alconet{1} established with 
SPIs c5b4c087_i c57212ba_o and TS 95.115.254.161/32 === 0.0.0.0/0
Wed, 2017-11-22 18:24 12[CHD] <alconet|1> updown: + set -o nounset
Wed, 2017-11-22 18:24 12[CHD] <alconet|1> updown: + set -o errexit
Wed, 2017-11-22 18:24 12[CHD] <alconet|1> updown: + exec
Wed, 2017-11-22 18:24 12[CHD] <alconet|1> updown: + trap 'exec 2>&4 1>&3' 0 1 2 
3
Wed, 2017-11-22 18:24 12[CHD] <alconet|1> updown: + exec
Wed, 2017-11-22 18:24 05[KNL] interface vti1 activated
Wed, 2017-11-22 18:24 04[KNL] 95.115.254.161 appeared on vti1
Wed, 2017-11-22 18:24 12[IKE] <alconet|1> peer supports MOBIKE
Wed, 2017-11-22 18:24 12[IKE] <alconet|1> activating new tasks
Wed, 2017-11-22 18:24 12[IKE] <alconet|1> nothing to initiate
Wed, 2017-11-22 18:24 07[IKE] <alconet|1> keeping connection path 10.198.54.208 
- 95.115.254.165
Wed, 2017-11-22 18:24 07[IKE] <alconet|1> sending address list update using 
MOBIKE
Wed, 2017-11-22 18:24 07[IKE] <alconet|1> queueing IKE_MOBIKE task
Wed, 2017-11-22 18:24 07[IKE] <alconet|1> activating new tasks
Wed, 2017-11-22 18:24 07[IKE] <alconet|1>   activating IKE_MOBIKE task
Wed, 2017-11-22 18:24 07[ENC] <alconet|1> generating INFORMATIONAL request 6 [ 
N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Wed, 2017-11-22 18:24 07[NET] <alconet|1> sending packet: from 
10.198.54.208[4500] to 95.115.254.165[4500] (96 bytes)
Wed, 2017-11-22 18:24 10[NET] <alconet|1> received packet: from 
95.115.254.165[4500] to 10.198.54.208[4500] (80 bytes)
Wed, 2017-11-22 18:24 10[ENC] <alconet|1> parsed INFORMATIONAL response 6 [ ]
Wed, 2017-11-22 18:24 10[IKE] <alconet|1> activating new tasks
Wed, 2017-11-22 18:24 10[IKE] <alconet|1> nothing to initiate
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP 
qlen 1000
    link/ether 52:54:00:ff:11:9b brd ff:ff:ff:ff:ff:ff
    inet 10.198.54.208/24 brd 10.198.54.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:feff:119b/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP 
qlen 1000
    link/ether 52:54:00:d5:dd:1c brd ff:ff:ff:ff:ff:ff
    inet 10.248.43.15/24 brd 10.248.43.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fed5:dd1c/64 scope link 
       valid_lft forever preferred_lft forever
4: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN qlen 1
    link/ipip 0.0.0.0 brd 0.0.0.0
24: vti1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state 
UNKNOWN qlen 1
    link/ipip 10.198.54.208 peer 95.115.254.165
    inet 95.115.254.161/32 scope global vti1
       valid_lft forever preferred_lft forever
# ipsec.conf - strongSwan IPsec configuration file

config setup
  charondebug = ike 3, cfg 3

conn %default
  keyexchange=ikev2
  ikelifetime=60m
  keylife=20m
  rekeymargin=3m
  rekey=no
  dpdaction=restart
  dpddelay=30s
  compress=yes
  auto=start

conn alconet
  leftupdown=/usr/local/sbin/ipsec-notify.sh
  left=%defaultroute
  leftauth=eap
  leftsourceip=%config4,%config6
  rightauth=pubkey
  rightsubnet=0.0.0.0/0,::/0
  eap_identity=%identity
  leftid=bmanovic
  right=ipsec.domena.sk
  [email protected]
  mark=38
#!/bin/bash
# strongSwan updown script: creates the VTI device when the CHILD_SA comes up
# and removes it when the CHILD_SA goes down.
set -x
set -o nounset
set -o errexit

# Save the original stdout/stderr on fds 3/4 and restore them on exit; the
# script's own output (including the set -x trace) goes to /log.out.
exec 3>&1 4>&2
trap 'exec 2>&4 1>&3' 0 1 2 3
exec 1>/log.out 2>&1

# One VTI device per connection, named after the unique ID strongSwan assigns.
VTI_IF="vti${PLUTO_UNIQUEID}"

case "${PLUTO_VERB}" in
    up-client)
        # PLUTO_MARK_OUT/PLUTO_MARK_IN are "mark/mask"; ${VAR%%/*} keeps the mark value,
        # which becomes the tunnel's output key and input key respectively.
        ip tunnel add "${VTI_IF}" local "${PLUTO_ME}" remote "${PLUTO_PEER}" mode vti \
            key "${PLUTO_MARK_OUT%%/*}" ikey "${PLUTO_MARK_IN%%/*}"
        ip link set "${VTI_IF}" up
        # Virtual IP assigned by the gateway (leftsourceip=%config)
        ip addr add "${PLUTO_MY_SOURCEIP}" dev "${VTI_IF}"
        ip route add 195.210.28.0/24 dev "${VTI_IF}"
        # Do not run the IPsec policy check again on plaintext packets leaving the VTI device
        sysctl -w "net.ipv4.conf.${VTI_IF}.disable_policy=1"
        ;;
    down-client)
        ip tunnel del "${VTI_IF}"
        ;;
esac
Firewall is disabled; no rules are shown when running iptables-save.
vti1: ip/ip  remote 95.115.254.165  local 10.198.54.208  ttl inherit  key 38
RX: Packets    Bytes        Errors CsumErrs OutOfSeq Mcasts
    0          0            432    0        0        0       
TX: Packets    Bytes        Errors DeadLoop NoRoute  NoBufs
    413        73514        0      0        0        0     
ip_vti0: ip/ip  remote any  local any  ttl inherit  nopmtudisc key 0
RX: Packets    Bytes        Errors CsumErrs OutOfSeq Mcasts
    0          0            0      0        0        0       
TX: Packets    Bytes        Errors DeadLoop NoRoute  NoBufs
    0          0            0      0        0        0     
default via 10.198.54.1 dev eth0 proto static metric 100 
10.198.54.0/24 dev eth0 proto kernel scope link src 10.198.54.208 metric 100 
10.248.43.0/24 dev eth1 proto kernel scope link src 10.248.43.15 metric 100 
195.210.28.0/24 dev vti1 scope link 
broadcast 10.198.54.0 dev eth0 table local proto kernel scope link src 
10.198.54.208 
local 10.198.54.208 dev eth0 table local proto kernel scope host src 
10.198.54.208 
broadcast 10.198.54.255 dev eth0 table local proto kernel scope link src 
10.198.54.208 
broadcast 10.248.43.0 dev eth1 table local proto kernel scope link src 
10.248.43.15 
local 10.248.43.15 dev eth1 table local proto kernel scope host src 
10.248.43.15 
broadcast 10.248.43.255 dev eth1 table local proto kernel scope link src 
10.248.43.15 
local 95.115.254.161 dev vti1 table local proto kernel scope host src 
95.115.254.161 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 
127.0.0.1 
unreachable default dev lo table unspec proto kernel metric 4294967295 error 
-101 
unreachable ::/96 dev lo metric 1024 error -113 
unreachable ::ffff:0.0.0.0/96 dev lo metric 1024 error -113 
unreachable 2002:a00::/24 dev lo metric 1024 error -113 
unreachable 2002:7f00::/24 dev lo metric 1024 error -113 
unreachable 2002:a9fe::/32 dev lo metric 1024 error -113 
unreachable 2002:ac10::/28 dev lo metric 1024 error -113 
unreachable 2002:c0a8::/32 dev lo metric 1024 error -113 
unreachable 2002:e000::/19 dev lo metric 1024 error -113 
unreachable 3ffe:ffff::/32 dev lo metric 1024 error -113 
fe80::/64 dev eth0 proto kernel metric 256 
fe80::/64 dev eth1 proto kernel metric 256 
unreachable default dev lo table unspec proto kernel metric 4294967295 error 
-101 
local ::1 dev lo table local proto none metric 0 
local fe80::5054:ff:fed5:dd1c dev lo table local proto none metric 0 
local fe80::5054:ff:feff:119b dev lo table local proto none metric 0 
ff00::/8 dev eth0 table local metric 256 
ff00::/8 dev eth1 table local metric 256 
unreachable default dev lo table unspec proto kernel metric 4294967295 error 
-101 
Status of IKE charon daemon (strongSwan 5.5.3, Linux 3.10.0-693.5.2.el7.x86_64, 
x86_64):
  uptime: 67 seconds, since Nov 22 18:24:44 2017
  malloc: sbrk 2854912, mmap 0, used 562704, free 2292208
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, 
scheduled: 2
  loaded plugins: charon aes des rc2 sha2 sha1 md4 md5 random nonce x509 
revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem 
openssl gcrypt fips-prf gmp curve25519 xcbc cmac hmac ctr ccm gcm curl attr 
kernel-netlink resolve socket-default farp stroke vici updown eap-identity 
eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap 
xauth-pam xauth-noauth dhcp unity
Listening IP addresses:
  10.198.54.208
  10.248.43.15
  95.115.254.161
Connections:
     alconet:  %any...ipsec.domena.sk  IKEv2, dpddelay=30s
     alconet:   local:  [bmanovic] uses EAP authentication with EAP identity 
'%any'
     alconet:   remote: [ipsec.domena.sk] uses public key authentication
     alconet:   child:  dynamic === 0.0.0.0/0 ::/0 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
     alconet[1]: ESTABLISHED 67 seconds ago, 
10.198.54.208[bmanovic]...95.115.254.165[ipsec.domena.sk]
     alconet[1]: IKEv2 SPIs: 6f13473e65cc0d68_i* 8b1aea928aa59f1e_r, rekeying 
disabled
     alconet[1]: IKE proposal: 
AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519
     alconet{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c5b4c087_i 
c57212ba_o, IPCOMP CPIs: 86dd_i 2255_o
     alconet{1}:  AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i, 5712 bytes_o (68 
pkts, 0s ago), rekeying disabled
     alconet{1}:   95.115.254.161/32 === 0.0.0.0/0
src 95.115.254.161/32 dst 0.0.0.0/0 
        dir out priority 383615 ptype main 
        mark 38/0xffffffff
        tmpl src 10.198.54.208 dst 95.115.254.165
                proto comp reqid 1 mode tunnel
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 1 mode transport
src 0.0.0.0/0 dst 95.115.254.161/32 
        dir fwd priority 383615 ptype main 
        mark 38/0xffffffff
        tmpl src 95.115.254.165 dst 10.198.54.208
                proto comp reqid 1 mode tunnel
                level use 
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 1 mode transport
src 0.0.0.0/0 dst 95.115.254.161/32 
        dir in priority 383615 ptype main 
        mark 38/0xffffffff
        tmpl src 95.115.254.165 dst 10.198.54.208
                proto comp reqid 1 mode tunnel
                level use 
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 1 mode transport
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket in priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket out priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket in priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket out priority 0 ptype main 
src ::/0 dst ::/0 
        socket in priority 0 ptype main 
src ::/0 dst ::/0 
        socket out priority 0 ptype main 
src ::/0 dst ::/0 
        socket in priority 0 ptype main 
src ::/0 dst ::/0 
        socket out priority 0 ptype main 
