List: openswan-users
Subject: [Openswan Users] ipsec policy - only OUT
From: Peter <pit11 () ukr ! net>
Date: 2013-05-30 20:42:15
Message-ID: A0A9B2FD-79AB-4408-AB47-C9B11FE8BEB0 () ukr ! net
Hi All!
CentOS 6.3
kernel 2.6.32-279.9.1.el6.local.x86_64 with SAref
openswan-2.6.38
version 2.0

config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10,%v4:!10.13.0.0/16,%v4:!192.168.18.0/24
    oe=off
    protostack=mast
    uniqueids=no
    interfaces=%defaultroute

conn hpc
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    ike=aes256-sha1;modp1024
    ikelifetime=86400s
    authby=secret
    phase2=esp
    phase2alg=aes256-sha1
    ikev2=no
    type=tunnel
    salifetime=3600s
    pfs=yes
    left=85.238.xxx.xxx
    leftsubnet=192.168.18.0/24
    right=85.182.zzz.zzz
    rightsubnet=192.168.165.0/24
    sareftrack=yes
    auto=start
ipsec auto --status
000 using kernel interface: mast
000 interface mast0/eth0 192.168.18.1
000 interface mast0/eth0 192.168.18.1
000 interface mast0/eth1 85.238.xxx.xxx
000 interface mast0/eth1 85.238.xxx.xxx
000 interface mast0/eth2 85.238.yyy.yyy
000 interface mast0/eth2 85.238.yyy.yyy
000 interface mast0/eth0.1113 10.13.0.1
000 interface mast0/eth0.1113 10.13.0.1
000 interface mast0/eth0.1114 10.14.0.1
000 interface mast0/eth0.1114 10.14.0.1
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 6 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, fd00::/8, fe80::/10
000 - disallowed 2 subnets: 10.13.0.0/16, 192.168.18.0/24
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=64, keysizemin=128, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=64, keysizemin=96, keysizemax=448
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,32,64} trans={0,32,648} attrs={0,32,432}
000
000 "hpc": 192.168.18.0/24===85.238.xxx.xxx<85.238.xxx.xxx>...85.182.zzz.zzz<85.182.zzz.zzz>===192.168.165.0/24; erouted; eroute owner: #34
000 "hpc":     myip=unset; hisip=unset;
000 "hpc":   ike_life: 86400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "hpc":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+SAREFTRACK+lKOD+rKOD; prio: 24,24; interface: eth1;
000 "hpc":   dpd: action:restart; delay:30; timeout:120;
000 "hpc":   newest ISAKMP SA: #35; newest IPsec SA: #34;
000 "hpc":   IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)_000-MODP1024(2); flags=-strict
000 "hpc":   IKE algorithms found:  AES_CBC(7)_256-SHA1(2)_160-MODP1024(2)
000 "hpc":   IKE algorithm newest: AES_CBC_256-SHA1-MODP1024
000 "hpc":   ESP algorithms wanted: AES(12)_256-SHA1(2)_000; flags=-strict
000 "hpc":   ESP algorithms loaded: AES(12)_256-SHA1(2)_160
000 "hpc":   ESP algorithm newest: AES_256-HMAC_SHA1; pfsgroup=<Phase1>
000
000 #35: "hpc":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 85475s; newest ISAKMP; lastdpd=28s(seq in:14775 out:0); idle; import:admin initiate
000 #34: "hpc":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 329s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #34: "hpc" esp.6b38386c@85.182.zzz.zzz esp.4ab1e66@85.238.xxx.xxx tun.103d@85.182.zzz.zzz tun.103e@85.238.xxx.xxx ref=125 refhim=123
000 #1: "hpc":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_EXPIRE in 570s; lastdpd=238s(seq in:7283 out:0); idle; import:admin initiate
000
service ipsec status
IPsec running - pluto pid: 5724
pluto pid 5724
No tunnels up
ipsec policy
stack: mast
OUT 0 192.168.18.0/24 -> 192.168.165.0/24 tun0x103d@85.182.zzz.zzz ref:123 him:0
OUT 0 192.168.18.0/24 -> 192.168.165.0/24 tun0x103f@85.182.zzz.zzz ref:127 him:0
ping -I eth0 192.168.165.226
PING 192.168.165.226 (192.168.165.226) from 192.168.18.1 eth0: 56(84) bytes of data.
64 bytes from 192.168.165.226: icmp_seq=1 ttl=126 time=43.5 ms
64 bytes from 192.168.165.226: icmp_seq=2 ttl=126 time=42.6 ms
64 bytes from 192.168.165.226: icmp_seq=3 ttl=126 time=42.4 ms
Questions:
1. Why "No tunnels up"?
2. Why is the policy only OUT? Where is IN?
3. The other side can't send echo requests to me, but I can send them. Why?
Peter
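An added example, not part of Peter's post and not Openswan's own tooling: a small audit script for the `ipsec policy` output quoted above. It parses each `IN`/`OUT`/`FWD` line, groups entries by local/remote subnet pair, and reports pairs that lack one direction or carry more than one OUT entry for the same pair (two OUT entries with different tun IDs, as in the post, is what a leftover from rekeying would look like). The sample text is constructed to mirror the shape of the post's output, with the masked peer replaced by an RFC 5737 documentation address; it assumes `ipsec policy` prints IN and FWD entries in the same column layout as OUT, which is not shown on this page.

```python
"""Audit `ipsec policy` output (Openswan, protostack=mast) for
one-directional tunnels.  Added example; the sample below is constructed
to match the layout of the output quoted in the post."""
import re
from collections import defaultdict

# Constructed sample: two OUT entries for one subnet pair (an older and a
# rekeyed SA) and no IN entry, which is the situation described in the post.
SAMPLE_POLICY = """\
stack: mast
OUT 0 192.168.18.0/24 -> 192.168.165.0/24 tun0x103d@198.51.100.7 ref:123 him:0
OUT 0 192.168.18.0/24 -> 192.168.165.0/24 tun0x103f@198.51.100.7 ref:127 him:0
"""

# Column layout as seen in the post; IN/FWD assumed to use the same layout.
LINE_RE = re.compile(
    r"^(?P<dir>IN|OUT|FWD)\s+(?P<prio>\d+)\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+"
    r"tun0x(?P<tun>[0-9a-fA-F]+)@(?P<peer>\S+)\s+"
    r"ref:(?P<ref>\d+)\s+him:(?P<him>\d+)\s*$"
)


def parse_policy(text):
    """Return one dict per policy line; the 'stack:' header and any line
    that does not match the expected layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        for key in ("prio", "ref", "him"):
            e[key] = int(e[key])
        e["tun"] = int(e["tun"], 16)
        entries.append(e)
    return entries


def audit(entries):
    """Group entries by (local subnet, remote subnet) and report pairs that
    are missing a direction or have duplicate OUT entries.  For OUT the
    local side is the source; for IN/FWD it is assumed to be the destination."""
    by_pair = defaultdict(lambda: {"OUT": [], "IN": [], "FWD": []})
    for e in entries:
        pair = (e["src"], e["dst"]) if e["dir"] == "OUT" else (e["dst"], e["src"])
        by_pair[pair][e["dir"]].append(e)

    findings = []
    for (local, remote), dirs in sorted(by_pair.items()):
        if not dirs["IN"]:
            findings.append(f"{local}<->{remote}: no IN policy for {remote} -> {local}")
        if not dirs["OUT"]:
            findings.append(f"{local}<->{remote}: no OUT policy for {local} -> {remote}")
        if len(dirs["OUT"]) > 1:
            tuns = ", ".join(f"tun0x{e['tun']:x}" for e in dirs["OUT"])
            findings.append(
                f"{local}<->{remote}: {len(dirs['OUT'])} OUT entries ({tuns}); "
                "older one may be a leftover from rekeying"
            )
    return findings


if __name__ == "__main__":
    # On a real host: audit(parse_policy(subprocess.check_output(["ipsec", "policy"], text=True)))
    for finding in audit(parse_policy(SAMPLE_POLICY)):
        print(finding)
```

Run it against the real command on the gateway (`ipsec policy | python3 audit.py` with the `__main__` block reading stdin instead of the sample) after each rekey to see whether the IN entry ever appears. A separate caveat from the status output above, independent of the policy question: the negotiated IKE group is MODP1024, a 1024-bit Diffie-Hellman group that is below current recommendations; `modp2048` or larger is available in the listed groups.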