
List:       openswan-users
Subject:    [Openswan Users] Questions with our real config this time ;-)
From:       alet () librelogiciel ! com
Date:       2012-03-23 5:02:37
Message-ID: 20120323050237.GA21971 () vazy ! pykota ! com

Hi there,

Here at University of New-Caledonia we've got a Debian squeeze box with
openswan 1:2.6.28+dfsg-5+squeeze1 on a public IP address, serving
roadwarriors with the help of xl2tpd.

This works fine.

Now we've got a distant site on Wallis Island that we want to connect in
tunnel mode to our gateway, so some of our internal networks
(10.0.0.0/8) are visible from the remote internal network
(192.168.3.x/24), and both ways of course.

Our configuration looks correct to me, but when from the Wallis site I
ping an internal IP address in New-Caledonia, I can see the packets
coming through the VPN from Wallis to New-Caledonia's openswan gw:

14:56:07.142816 IP 117.20.37.70.4500 > 194.254.189.254.4500: UDP-encap: ESP(spi=0x818d315d,seq=0x2), length 132
14:56:07.142816 IP 192.168.3.250 > 10.10.0.3: ICMP echo request, id 3290, seq 2, length 64
14:56:08.132701 IP 194.254.189.251 > 224.0.0.18: VRRPv2, Advertisement, vrid 20, prio 100, authtype none, intvl 1s, length 36
14:56:08.143350 IP 117.20.37.70.4500 > 194.254.189.254.4500: UDP-encap: ESP(spi=0x818d315d,seq=0x3), length 132
14:56:08.143350 IP 192.168.3.250 > 10.10.0.3: ICMP echo request, id 3290, seq 3, length 64
14:56:09.142281 IP 117.20.37.70.4500 > 194.254.189.254.4500: UDP-encap: ESP(spi=0x818d315d,seq=0x4), length 132
14:56:09.142281 IP 192.168.3.250 > 10.10.0.3: ICMP echo request, id 3290, seq 4, length 64
14:56:09.542667 IP 194.254.189.251 > 224.0.0.18: VRRPv2, Advertisement, vrid 20, prio 100, authtype none, intvl 1s, length 36
14:56:10.145066 IP 117.20.37.70.4500 > 194.254.189.254.4500: UDP-encap: ESP(spi=0x818d315d,seq=0x5), length 132
14:56:10.145066 IP 192.168.3.250 > 10.10.0.3: ICMP echo request, id 3290, seq 5, length 64
14:56:10.952701 IP 194.254.189.251 > 224.0.0.18: VRRPv2, Advertisement, vrid 20, prio 100, authtype none, intvl 1s, length 36
14:56:11.142272 IP 117.20.37.70.4500 > 194.254.189.254.4500: UDP-encap: ESP(spi=0x818d315d,seq=0x6), length 132
14:56:11.142272 IP 192.168.3.250 > 10.10.0.3: ICMP echo request, id 3290, seq 6, length 64

But once on our local VPN gateway the packets seem to be lost, and never
reach the internal IP address. There's no ICMP echo reply either.

Our gateway is configured to forward packets, and in fact it works for
all our roadwarriors, for which an IP address is assigned through xl2tpd
in the 10.10.66.0/24 range.

Wallis' openswan GW's internal IP is 192.168.3.250, its ADSL/NAT
modem is 192.168.3.254, and the modem's external address is 117.20.37.70.

Wallis gw's config:

--- CUT ---
config setup
        nat_traversal=yes
        oe=off
        protostack=netkey
        interfaces=%defaultroute
        uniqueids=yes
        nhelpers=0

conn %default
        keyingtries=5
        compress=no
        authby=rsasig
        leftca=%same
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        rightsendcert=always

conn UNC
        type=tunnel
        left=194.254.189.254
        leftsubnets={10.10.0.0/24 10.10.10.0/23 10.10.20.0/24 10.10.30.0/23}
        leftid=@gwvpn.univ-nc.nc
        rightcert=/etc/ipsec.d/certs/certificat-utilisateur.pem
        right=%defaultroute
        rightsubnet=192.168.3.0/24
        pfs=yes
        forceencaps=no
        dpdaction=restart
        auto=add
--- CUT ---

New-Caledonia gw's config:

--- CUT ---
config setup
        nat_traversal=yes
        nhelpers=0
        plutodebug="none"
        uniqueids=yes
        oe=off
        protostack=netkey
        interfaces=%defaultroute
        # 10.10.66.0/24 is assigned to roadwarriors through xl2tpd
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.10.66.0/24

conn %default
        rekey=no
        dpdaction=clear
        dpddelay=30
        dpdtimeout=120
        compress=no
        disablearrivalcheck=no
        authby=rsasig
        leftid=@gwvpn.univ-nc.nc
        leftcert=/etc/ipsec.d/certs/gwvpn.univ-nc.nc.pem
        leftrsasigkey=%cert
        leftsendcert=always
        rightrsasigkey=%cert
        rightca=%same

conn UNC-l2tp
        leftprotoport=17/1701
        rightprotoport=17/%any
        also=UNC

conn UNC-all
        leftsubnet=0.0.0.0/0
        also=UNC

conn UNC
        left=%defaultroute
        right=%any
        rightsubnet=vhost:%priv,%no
        pfs=no
        auto=add
--- CUT ---

Attached to this message you'll find the output of "ipsec auto --status"
and "ip xfrm state" on both sides.

On our internal (NC) router/firewall we've added a static route to
192.168.3.0/24 through our vpn gateway, so from my (biased) point of
view it should just work.

What have I done wrong?

Thanks in advance for any help on this subject.

FYI, ping's latency is always > 550 ms due to the satellite link between
Australia and Wallis. New-Caledonia to Australia is fiber. Could this
impact the situation, and/or what are the best parameters in openswan to
ensure the best end user experience?

--
Jerome Alet



Wallis side:
============

$ ipsec auto --status 

000 "UNC/1x0": 192.168.3.0/24===192.168.3.250[C=NC, ST=Province Sud, O=Universite de la Nouvelle-Caledonie, OU=Antenne de Wallis, CN=wallis,+S=C]...194.254.189.254<194.254.189.254>[@gwvpn.univ-nc.nc,+S=C]===10.10.0.0/24; erouted; eroute owner: #2
000 "UNC/1x0":     myip=unset; hisip=unset; mycert=/etc/ipsec.d/certs/certificat-utilisateur.pem;
000 "UNC/1x0":   CAs: 'C=NC, ST=Province Sud, L=Noumea, O=Universite de la Nouvelle-Caledonie, OU=Centre de Ressources Informatiques, CN=RSSI, E=rssi@univ-nc.nc'...'C=NC, ST=Province Sud, L=Noumea, O=Universite de la Nouvelle-Caledonie, OU=Centre de Ressources Informatiques, CN=RSSI, E=rssi@univ-nc.nc'
000 "UNC/1x0":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 5
000 "UNC/1x0":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW; prio: 24,24; interface: eth0;
000 "UNC/1x0":   newest ISAKMP SA: #0; newest IPsec SA: #2;
000 "UNC/1x0":   aliases: UNC
000 "UNC/2x0": 192.168.3.0/24===192.168.3.250[C=NC, ST=Province Sud, O=Universite de la Nouvelle-Caledonie, OU=Antenne de Wallis, CN=wallis,+S=C]...194.254.189.254<194.254.189.254>[@gwvpn.univ-nc.nc,+S=C]===10.10.10.0/23; erouted; eroute owner: #3
000 "UNC/2x0":     myip=unset; hisip=unset; mycert=/etc/ipsec.d/certs/certificat-utilisateur.pem;
000 "UNC/2x0":   CAs: 'C=NC, ST=Province Sud, L=Noumea, O=Universite de la Nouvelle-Caledonie, OU=Centre de Ressources Informatiques, CN=RSSI, E=rssi@univ-nc.nc'...'C=NC, ST=Province Sud, L=Noumea, O=Universite de la Nouvelle-Caledonie, OU=Centre de Ressources Informatiques, CN=RSSI, E=rssi@univ-nc.nc'
000 "UNC/2x0":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 5
000 "UNC/2x0":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW; prio: 23,24; interface: eth0;
000 "UNC/2x0":   newest ISAKMP SA: #0; newest IPsec SA: #3;
000 "UNC/2x0":   aliases: UNC
000 "UNC/3x0": 192.168.3.0/24===192.168.3.250[C=NC, ST=Province Sud, O=Universite de la Nouvelle-Caledonie, OU=Antenne de Wallis, CN=wallis,+S=C]...194.254.189.254<194.254.189.254>[@gwvpn.univ-nc.nc,+S=C]===10.10.20.0/24; erouted; eroute owner: #4
000 "UNC/3x0":     myip=unset; hisip=unset; mycert=/etc/ipsec.d/certs/certificat-utilisateur.pem;
000 "UNC/3x0":   CAs: 'C=NC, ST=Province Sud, L=Noumea, O=Universite de la Nouvelle-Caledonie, OU=Centre de Ressources Informatiques, CN=RSSI, E=rssi@univ-nc.nc'...'C=NC, ST=Province Sud, L=Noumea, O=Universite de la Nouvelle-Caledonie, OU=Centre de Ressources Informatiques, CN=RSSI, E=rssi@univ-nc.nc'
000 "UNC/3x0":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 5
000 "UNC/3x0":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW; prio: 24,24; interface: eth0;
000 "UNC/3x0":   newest ISAKMP SA: #0; newest IPsec SA: #4;
000 "UNC/3x0":   aliases: UNC
000 "UNC/4x0": 192.168.3.0/24===192.168.3.250[C=NC, ST=Province Sud, O=Universite de la Nouvelle-Caledonie, OU=Antenne de Wallis, CN=wallis,+S=C]...194.254.189.254<194.254.189.254>[@gwvpn.univ-nc.nc,+S=C]===10.10.30.0/23; erouted; eroute owner: #5
000 "UNC/4x0":     myip=unset; hisip=unset; mycert=/etc/ipsec.d/certs/certificat-utilisateur.pem;
000 "UNC/4x0":   CAs: 'C=NC, ST=Province Sud, L=Noumea, O=Universite de la Nouvelle-Caledonie, OU=Centre de Ressources Informatiques, CN=RSSI, E=rssi@univ-nc.nc'...'C=NC, ST=Province Sud, L=Noumea, O=Universite de la Nouvelle-Caledonie, OU=Centre de Ressources Informatiques, CN=RSSI, E=rssi@univ-nc.nc'
000 "UNC/4x0":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 5
000 "UNC/4x0":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW; prio: 23,24; interface: eth0;
000 "UNC/4x0":   newest ISAKMP SA: #1; newest IPsec SA: #5;
000 "UNC/4x0":   aliases: UNC
000 "UNC/4x0":   IKE algorithm newest: AES_CBC_128-SHA1-MODP2048
000
000 #2: "UNC/1x0":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 28025s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "UNC/1x0" esp.818d315d@194.254.189.254 esp.aac075ea@192.168.3.250 tun.0@194.254.189.254 tun.0@192.168.3.250 ref=0 refhim=4294901761
000 #3: "UNC/2x0":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27810s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #3: "UNC/2x0" esp.57a0193f@194.254.189.254 esp.8b3101cc@192.168.3.250 tun.0@194.254.189.254 tun.0@192.168.3.250 ref=0 refhim=4294901761
000 #4: "UNC/3x0":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 28200s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #4: "UNC/3x0" esp.b4f3797e@194.254.189.254 esp.7086d00a@192.168.3.250 tun.0@194.254.189.254 tun.0@192.168.3.250 ref=0 refhim=4294901761
000 #5: "UNC/4x0":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27941s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #5: "UNC/4x0" esp.c4ccb419@194.254.189.254 esp.c61c4dfa@192.168.3.250 tun.0@194.254.189.254 tun.0@192.168.3.250 ref=0 refhim=4294901761
000 #1: "UNC/4x0":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2864s; newest ISAKMP; lastdpd=18s(seq in:0 out:0); idle; import:admin initiate
000

$ ip xfrm state

src 194.254.189.254 dst 192.168.3.250
        proto esp spi 0xc61c4dfa reqid 16397 mode tunnel
        replay-window 32 flag af-unspec
        auth hmac(sha1) 0x23caba6b46ac8b634744765569dcadd49eacc695
        enc cbc(aes) 0x4449acd499d62b3ab45d17e188f04219
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 192.168.3.250 dst 194.254.189.254
        proto esp spi 0xc4ccb419 reqid 16397 mode tunnel
        replay-window 32 flag af-unspec
        auth hmac(sha1) 0x6ac4c5f1e65e013d7f6058fc6d9c9a64801f27cd
        enc cbc(aes) 0x3caed116bfff4d757e12e9ef781a3a22
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 194.254.189.254 dst 192.168.3.250
        proto esp spi 0x7086d00a reqid 16393 mode tunnel
        replay-window 32 flag af-unspec
        auth hmac(sha1) 0x5adb99f84f068b5f0f57db14728983b960fc574b
        enc cbc(aes) 0xaac446a28ec2f08bf109aecf594ebf6c
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 192.168.3.250 dst 194.254.189.254
        proto esp spi 0xb4f3797e reqid 16393 mode tunnel
        replay-window 32 flag af-unspec
        auth hmac(sha1) 0x51bd6bb4ffa6972a20b60805b42dd55c619e8f86
        enc cbc(aes) 0xbd87096dd8d9d5b3a8a3e4c0ad9b5e11
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 194.254.189.254 dst 192.168.3.250
        proto esp spi 0x8b3101cc reqid 16389 mode tunnel
        replay-window 32 flag af-unspec
        auth hmac(sha1) 0x8539d1e750718dc570542af782646a3ada5d538f
        enc cbc(aes) 0x59aa93109f6a304fed3f1ce4a2ca372f
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 192.168.3.250 dst 194.254.189.254
        proto esp spi 0x57a0193f reqid 16389 mode tunnel
        replay-window 32 flag af-unspec
        auth hmac(sha1) 0xde8000543391049e2fb3ea1b42dbfce01e12d629
        enc cbc(aes) 0x9822f7b2266b2e52d8e93d3a0d531345
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 194.254.189.254 dst 192.168.3.250
        proto esp spi 0xaac075ea reqid 16385 mode tunnel
        replay-window 32 flag af-unspec
        auth hmac(sha1) 0xfcc931d362a869af44a166e2d15a428126e3a2fa
        enc cbc(aes) 0xff6de564bc7429b11c9f11057527e9dc
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 192.168.3.250 dst 194.254.189.254
        proto esp spi 0x818d315d reqid 16385 mode tunnel
        replay-window 32 flag af-unspec
        auth hmac(sha1) 0x112b659e4c6ae3d1bce3fe992c061d7256efcd49
        enc cbc(aes) 0xaf6abbc090cf34a0e7bdb1ce55831ab6
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0

New-Caledonia side:
===================

$ ipsec auto --status 

000 "UNC": 194.254.189.254[@gwvpn.univ-nc.nc,+S=C]...%virtual[+S=C]===?; unrouted; eroute owner: #0
000 "UNC":     myip=unset; hisip=unset; mycert=/etc/ipsec.d/certs/gwvpn.univ-nc.nc.pem;
000 "UNC":   CAs: 'C=NC, ST=Province Sud, L=Noumea, O=Universite de la Nouvelle-Caledonie, OU=Centre de Ressources Informatiques, CN=RSSI, E=rssi@univ-nc.nc'...'C=NC, ST=Province Sud, L=Noumea, O=Universite de la Nouvelle-Caledonie, OU=Centre de Ressources Informatiques, CN=RSSI, E=rssi@univ-nc.nc'
000 "UNC":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "UNC":   policy: RSASIG+ENCRYPT+TUNNEL+DONTREKEY+IKEv2ALLOW; prio: 32,32; interface: eth0;
000 "UNC":   dpd: action:clear; delay:30; timeout:120;
000 "UNC":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "UNC-all": 0.0.0.0/0===194.254.189.254[@gwvpn.univ-nc.nc,+S=C]...%virtual[+S=C]===?; unrouted; eroute owner: #0
000 "UNC-all":     myip=unset; hisip=unset; mycert=/etc/ipsec.d/certs/gwvpn.univ-nc.nc.pem;
000 "UNC-all":   CAs: 'C=NC, ST=Province Sud, L=Noumea, O=Universite de la Nouvelle-Caledonie, OU=Centre de Ressources Informatiques, CN=RSSI, E=rssi@univ-nc.nc'...'C=NC, ST=Province Sud, L=Noumea, O=Universite de la Nouvelle-Caledonie, OU=Centre de Ressources Informatiques, CN=RSSI, E=rssi@univ-nc.nc'
000 "UNC-all":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "UNC-all":   policy: RSASIG+ENCRYPT+TUNNEL+DONTREKEY+IKEv2ALLOW; prio: 0,32; interface: eth0;
000 "UNC-all":   dpd: action:clear; delay:30; timeout:120;
000 "UNC-all":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "UNC-l2tp": 194.254.189.254[@gwvpn.univ-nc.nc,+S=C]:17/1701...%virtual[+S=C]:17/%any===?; unrouted; eroute owner: #0
000 "UNC-l2tp":     myip=unset; hisip=unset; mycert=/etc/ipsec.d/certs/gwvpn.univ-nc.nc.pem;
000 "UNC-l2tp":   CAs: 'C=NC, ST=Province Sud, L=Noumea, O=Universite de la Nouvelle-Caledonie, OU=Centre de Ressources Informatiques, CN=RSSI, E=rssi@univ-nc.nc'...'C=NC, ST=Province Sud, L=Noumea, O=Universite de la Nouvelle-Caledonie, OU=Centre de Ressources Informatiques, CN=RSSI, E=rssi@univ-nc.nc'
000 "UNC-l2tp":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "UNC-l2tp":   policy: RSASIG+ENCRYPT+TUNNEL+DONTREKEY+IKEv2ALLOW; prio: 32,32; interface: eth0;
000 "UNC-l2tp":   dpd: action:clear; delay:30; timeout:120;
000 "UNC-l2tp":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "UNC-l2tp"[2]: 194.254.189.254[@gwvpn.univ-nc.nc,+S=C]:17/1701...117.20.37.70[C=NC, ST=Province Sud, O=Universite de la Nouvelle-Caledonie, OU=Antenne de Wallis, CN=wallis,+S=C]:17/0===192.168.3.0/24; erouted; eroute owner: #5
000 "UNC-l2tp"[2]:   myip=unset; hisip=unset; mycert=/etc/ipsec.d/certs/gwvpn.univ-nc.nc.pem;
000 "UNC-l2tp"[2]:   CAs: 'C=NC, ST=Province Sud, L=Noumea, O=Universite de la Nouvelle-Caledonie, OU=Centre de Ressources Informatiques, CN=RSSI, E=rssi@univ-nc.nc'...'C=NC, ST=Province Sud, L=Noumea, O=Universite de la Nouvelle-Caledonie, OU=Centre de Ressources Informatiques, CN=RSSI, E=rssi@univ-nc.nc'
000 "UNC-l2tp"[2]:   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "UNC-l2tp"[2]:   policy: RSASIG+ENCRYPT+TUNNEL+DONTREKEY+IKEv2ALLOW; prio: 32,32; interface: eth0;
000 "UNC-l2tp"[2]:   dpd: action:clear; delay:30; timeout:120;
000 "UNC-l2tp"[2]:   newest ISAKMP SA: #1; newest IPsec SA: #5;
000 "UNC-l2tp"[2]:   IKE algorithm newest: AES_CBC_128-SHA1-MODP2048
000
000 #5: "UNC-l2tp"[2] 117.20.37.70:4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 28789s; newest IPSEC; eroute owner; isakmp#1; idle; import:not set
000 #5: "UNC-l2tp"[2] 117.20.37.70 esp.c61c4dfa@117.20.37.70 esp.c4ccb419@194.254.189.254 tun.0@117.20.37.70 tun.0@194.254.189.254 ref=0 refhim=4294901761
000 #4: "UNC-l2tp"[2] 117.20.37.70:4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 28789s; isakmp#1; idle; import:not set
000 #4: "UNC-l2tp"[2] 117.20.37.70 esp.7086d00a@117.20.37.70 esp.b4f3797e@194.254.189.254 tun.0@117.20.37.70 tun.0@194.254.189.254 ref=0 refhim=4294901761
000 #3: "UNC-l2tp"[2] 117.20.37.70:4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 28789s; isakmp#1; idle; import:not set
000 #3: "UNC-l2tp"[2] 117.20.37.70 esp.8b3101cc@117.20.37.70 esp.57a0193f@194.254.189.254 tun.0@117.20.37.70 tun.0@194.254.189.254 ref=0 refhim=4294901761
000 #2: "UNC-l2tp"[2] 117.20.37.70:4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 28789s; isakmp#1; idle; import:not set
000 #2: "UNC-l2tp"[2] 117.20.37.70 esp.aac075ea@117.20.37.70 esp.818d315d@194.254.189.254 tun.0@117.20.37.70 tun.0@194.254.189.254 ref=0 refhim=4294901761
000 #1: "UNC-l2tp"[2] 117.20.37.70:4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 3587s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000


$ ip xfrm state
src 194.254.189.254 dst 117.20.37.70
        proto esp spi 0xaac075ea reqid 16401 mode tunnel
        replay-window 32 flag af-unspec
        auth hmac(sha1) 0xfcc931d362a869af44a166e2d15a428126e3a2fa
        enc cbc(aes) 0xff6de564bc7429b11c9f11057527e9dc
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 117.20.37.70 dst 194.254.189.254
        proto esp spi 0x818d315d reqid 16401 mode tunnel
        replay-window 32 flag af-unspec
        auth hmac(sha1) 0x112b659e4c6ae3d1bce3fe992c061d7256efcd49
        enc cbc(aes) 0xaf6abbc090cf34a0e7bdb1ce55831ab6
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 194.254.189.254 dst 117.20.37.70
        proto esp spi 0x8b3101cc reqid 16401 mode tunnel
        replay-window 32 flag af-unspec
        auth hmac(sha1) 0x8539d1e750718dc570542af782646a3ada5d538f
        enc cbc(aes) 0x59aa93109f6a304fed3f1ce4a2ca372f
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 117.20.37.70 dst 194.254.189.254
        proto esp spi 0x57a0193f reqid 16401 mode tunnel
        replay-window 32 flag af-unspec
        auth hmac(sha1) 0xde8000543391049e2fb3ea1b42dbfce01e12d629
        enc cbc(aes) 0x9822f7b2266b2e52d8e93d3a0d531345
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 194.254.189.254 dst 117.20.37.70
        proto esp spi 0x7086d00a reqid 16401 mode tunnel
        replay-window 32 flag af-unspec
        auth hmac(sha1) 0x5adb99f84f068b5f0f57db14728983b960fc574b
        enc cbc(aes) 0xaac446a28ec2f08bf109aecf594ebf6c
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 117.20.37.70 dst 194.254.189.254
        proto esp spi 0xb4f3797e reqid 16401 mode tunnel
        replay-window 32 flag af-unspec
        auth hmac(sha1) 0x51bd6bb4ffa6972a20b60805b42dd55c619e8f86
        enc cbc(aes) 0xbd87096dd8d9d5b3a8a3e4c0ad9b5e11
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 194.254.189.254 dst 117.20.37.70
        proto esp spi 0xc61c4dfa reqid 16401 mode tunnel
        replay-window 32 flag af-unspec
        auth hmac(sha1) 0x23caba6b46ac8b634744765569dcadd49eacc695
        enc cbc(aes) 0x4449acd499d62b3ab45d17e188f04219
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 117.20.37.70 dst 194.254.189.254
        proto esp spi 0xc4ccb419 reqid 16401 mode tunnel
        replay-window 32 flag af-unspec
        auth hmac(sha1) 0x6ac4c5f1e65e013d7f6058fc6d9c9a64801f27cd
        enc cbc(aes) 0x3caed116bfff4d757e12e9ef781a3a22
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
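When decapsulated packets show up in tcpdump on the gateway but are never forwarded, the first thing to compare is the traffic selector each side actually negotiated, which `ipsec auto --status` prints on the first line of every connection (`left===end...end===right`, with optional `:proto/port` on each end). The script below is an added example, not part of the post and not Openswan's own tooling: it parses those summary lines from the two status dumps above (copied here, re-joined onto one line each, with the long Wallis DN abbreviated on three of the lines) and reports which erouted connection, if any, covers a given src -> dst flow in either direction. It assumes IPv4 ends and subnets and treats `%virtual`/`?` ends as not yet instantiated.

```python
"""Added example: which Openswan connections cover a given flow?

Parses the per-connection summary lines of `ipsec auto --status`
(000 "NAME": left...right; routing; eroute owner: #N) into traffic
selectors and lists the erouted connections covering src -> dst.
Assumption: IPv4 only; %virtual / ? ends mean "not instantiated".
"""
import ipaddress
import re
from typing import NamedTuple, Optional, Tuple

# Summary lines copied from the two status dumps in the post and re-joined
# onto one line each.  The Wallis DN is abbreviated to CN=wallis on the
# 2x0-4x0 lines; one CA line is kept to show the parser ignores it.
WALLIS_STATUS = """\
000 "UNC/1x0": 192.168.3.0/24===192.168.3.250[C=NC, ST=Province Sud, O=Universite de la Nouvelle-Caledonie, OU=Antenne de Wallis, CN=wallis,+S=C]...194.254.189.254<194.254.189.254>[@gwvpn.univ-nc.nc,+S=C]===10.10.0.0/24; erouted; eroute owner: #2
000 "UNC/1x0":   CAs: 'C=NC, ST=Province Sud, L=Noumea, O=Universite de la Nouvelle-Caledonie, OU=Centre de Ressources Informatiques, CN=RSSI, E=rssi@univ-nc.nc'...'C=NC, ST=Province Sud, L=Noumea, O=Universite de la Nouvelle-Caledonie, OU=Centre de Ressources Informatiques, CN=RSSI, E=rssi@univ-nc.nc'
000 "UNC/2x0": 192.168.3.0/24===192.168.3.250[CN=wallis,+S=C]...194.254.189.254<194.254.189.254>[@gwvpn.univ-nc.nc,+S=C]===10.10.10.0/23; erouted; eroute owner: #3
000 "UNC/3x0": 192.168.3.0/24===192.168.3.250[CN=wallis,+S=C]...194.254.189.254<194.254.189.254>[@gwvpn.univ-nc.nc,+S=C]===10.10.20.0/24; erouted; eroute owner: #4
000 "UNC/4x0": 192.168.3.0/24===192.168.3.250[CN=wallis,+S=C]...194.254.189.254<194.254.189.254>[@gwvpn.univ-nc.nc,+S=C]===10.10.30.0/23; erouted; eroute owner: #5
"""

NC_STATUS = """\
000 "UNC": 194.254.189.254[@gwvpn.univ-nc.nc,+S=C]...%virtual[+S=C]===?; unrouted; eroute owner: #0
000 "UNC-all": 0.0.0.0/0===194.254.189.254[@gwvpn.univ-nc.nc,+S=C]...%virtual[+S=C]===?; unrouted; eroute owner: #0
000 "UNC-l2tp": 194.254.189.254[@gwvpn.univ-nc.nc,+S=C]:17/1701...%virtual[+S=C]:17/%any===?; unrouted; eroute owner: #0
000 "UNC-l2tp"[2]: 194.254.189.254[@gwvpn.univ-nc.nc,+S=C]:17/1701...117.20.37.70[C=NC, ST=Province Sud, O=Universite de la Nouvelle-Caledonie, OU=Antenne de Wallis, CN=wallis,+S=C]:17/0===192.168.3.0/24; erouted; eroute owner: #5
"""

# Only the summary line of a conn contains '===' before the first ';'.
SUMMARY_RE = re.compile(
    r'^000 "(?P<name>[^"]+)"(?P<inst>\[\d+\])?:\s+'
    r'(?P<body>[^;]*===[^;]*);\s*(?P<routing>[^;]*);')
# Left half: [subnet===]end[:proto/port]   Right half: end[:proto/port][===subnet]
LEFT_RE = re.compile(
    r'^(?:(?P<subnet>[^=]+)===)?(?P<end>[^:]+)(?::(?P<proto>\d+)/(?P<port>\S+))?$')
RIGHT_RE = re.compile(
    r'^(?P<end>[^:=]+)(?::(?P<proto>\d+)/(?P<port>[^=]+))?(?:===(?P<subnet>.+))?$')

# (network, proto, port); None means "any"; network None means not instantiated.
Selector = Tuple[Optional[ipaddress.IPv4Network], Optional[int], Optional[int]]


class Conn(NamedTuple):
    name: str
    routing: str
    left: Selector
    right: Selector


def _selector(end: str, subnet: Optional[str], proto: Optional[str],
              port: Optional[str]) -> Selector:
    """Turn one side of the summary line into a (network, proto, port) triple."""
    if subnet and subnet != "?":
        net = ipaddress.ip_network(subnet, strict=False)
    elif end.startswith("%"):            # %virtual / %any: no peer yet
        net = None
    else:                                # no subnet: the endpoint host itself
        net = ipaddress.ip_network(end + "/32")
    proto_n = int(proto) if proto and proto != "0" else None
    port_n = int(port) if port and port not in ("0", "%any") else None
    return net, proto_n, port_n


def parse_status(text: str):
    """Extract (name, routing, left, right) for every conn summary line."""
    conns = []
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if not m:
            continue
        # Drop [ID] blocks and the <nat-address> hint before splitting on '...'
        body = re.sub(r'\[[^\]]*\]|<[^>]*>', '', m.group('body'))
        left_s, right_s = body.split('...', 1)
        lm, rm = LEFT_RE.match(left_s), RIGHT_RE.match(right_s)
        if not (lm and rm):
            continue
        conns.append(Conn(
            name=m.group('name') + (m.group('inst') or ''),
            routing=m.group('routing').strip(),
            left=_selector(lm['end'], lm['subnet'], lm['proto'], lm['port']),
            right=_selector(rm['end'], rm['subnet'], rm['proto'], rm['port'])))
    return conns


def _side_matches(sel: Selector, ip: str, proto: int, port: Optional[int]) -> bool:
    net, sel_proto, sel_port = sel
    if net is None or ipaddress.ip_address(ip) not in net:
        return False
    if sel_proto is not None and sel_proto != proto:
        return False
    return sel_port is None or sel_port == port


def covering_conns(status_text: str, src: str, dst: str, proto: int,
                   sport: Optional[int] = None, dport: Optional[int] = None):
    """Names of erouted conns whose selectors cover src->dst (either direction)."""
    hits = []
    for c in parse_status(status_text):
        if not c.routing.startswith('erouted'):
            continue
        fwd = _side_matches(c.left, src, proto, sport) and _side_matches(c.right, dst, proto, dport)
        rev = _side_matches(c.right, src, proto, sport) and _side_matches(c.left, dst, proto, dport)
        if fwd or rev:
            hits.append(c.name)
    return hits


if __name__ == "__main__":
    # The ICMP flow seen in the tcpdump capture, checked against both dumps.
    for label, status in (("Wallis", WALLIS_STATUS), ("New-Caledonia", NC_STATUS)):
        hits = covering_conns(status, "192.168.3.250", "10.10.0.3", proto=1)
        print(f"{label}: ICMP 192.168.3.250 -> 10.10.0.3 covered by {hits or 'no erouted conn'}")
```

Run as-is it checks the ICMP flow from the capture against both dumps: the Wallis side covers it through `UNC/1x0`, while the only erouted instance on the New-Caledonia side, `UNC-l2tp[2]`, carries `17/1701...17/0===192.168.3.0/24` and so covers UDP to or from the gateway's own port 1701 only. Feeding it a fresh `ipsec auto --status` from each gateway gives a quick selector-level comparison before digging into `ip xfrm policy` or iptables.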


