[Openswan Users] ipsec policy - only OUT
Peter
pit11 at ukr.net
Thu May 30 20:42:15 UTC 2013
Hi All!
CentOS 6.3
kernel 2.6.32-279.9.1.el6.local.x86_64 with SAref
openswan-2.6.38
version 2.0
config setup
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10,%v4:!10.13.0.0/16,%v4:!192.168.18.0/24
oe=off
protostack=mast
uniqueids=no
interfaces=%defaultroute
conn hpc
dpddelay=30
dpdtimeout=120
dpdaction=restart
ike=aes256-sha1;modp1024
ikelifetime=86400s
authby=secret
phase2=esp
phase2alg=aes256-sha1
ikev2=no
type=tunnel
salifetime=3600s
pfs=yes
left=85.238.xxx.xxx
leftsubnet=192.168.18.0/24
right=85.182.zzz.zzz
rightsubnet=192.168.165.0/24
sareftrack=yes
auto=start
ipsec auto --status
000 using kernel interface: mast
000 interface mast0/eth0 192.168.18.1
000 interface mast0/eth0 192.168.18.1
000 interface mast0/eth1 85.238.xxx.xxx
000 interface mast0/eth1 85.238.xxx.xxx
000 interface mast0/eth2 85.238.yyy.yyy
000 interface mast0/eth2 85.238.yyy.yyy
000 interface mast0/eth0.1113 10.13.0.1
000 interface mast0/eth0.1113 10.13.0.1
000 interface mast0/eth0.1114 10.14.0.1
000 interface mast0/eth0.1114 10.14.0.1
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 6 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, fd00::/8, fe80::/10
000 - disallowed 2 subnets: 10.13.0.0/16, 192.168.18.0/24
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=64, keysizemin=128, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=64, keysizemin=96, keysizemax=448
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,32,64} trans={0,32,648} attrs={0,32,432}
000
000 "hpc": 192.168.18.0/24===85.238.xxx.xxx<85.238.xxx.xxx>…85.182.zzz.zzz<85.182.zzz.zzz>===192.168.165.0/24; erouted; eroute owner: #34
000 "hpc": myip=unset; hisip=unset;
000 "hpc": ike_life: 86400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "hpc": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+SAREFTRACK+lKOD+rKOD; prio: 24,24; interface: eth1;
000 "hpc": dpd: action:restart; delay:30; timeout:120;
000 "hpc": newest ISAKMP SA: #35; newest IPsec SA: #34;
000 "hpc": IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)_000-MODP1024(2); flags=-strict
000 "hpc": IKE algorithms found: AES_CBC(7)_256-SHA1(2)_160-MODP1024(2)
000 "hpc": IKE algorithm newest: AES_CBC_256-SHA1-MODP1024
000 "hpc": ESP algorithms wanted: AES(12)_256-SHA1(2)_000; flags=-strict
000 "hpc": ESP algorithms loaded: AES(12)_256-SHA1(2)_160
000 "hpc": ESP algorithm newest: AES_256-HMAC_SHA1; pfsgroup=<Phase1>
000
000 #35: "hpc":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 85475s; newest ISAKMP; lastdpd=28s(seq in:14775 out:0); idle; import:admin initiate
000 #34: "hpc":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 329s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #34: "hpc" esp.6b38386c at 85.182.zzz.zzz esp.4ab1e66 at 85.238.xxx.xxx tun.103d at 85.182.zzz.zzz tun.103e at 85.238.xxx.xxx ref=125 refhim=123
000 #1: "hpc":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_EXPIRE in 570s; lastdpd=238s(seq in:7283 out:0); idle; import:admin initiate
000
service ipsec status
IPsec running - pluto pid: 5724
pluto pid 5724
No tunnels up
ipsec policy
stack: mast
OUT 0 192.168.18.0/24 -> 192.168.165.0/24 tun0x103d at 85.182.zzz.zzz ref:123 him:0
OUT 0 192.168.18.0/24 -> 192.168.165.0/24 tun0x103f at 85.182.zzz.zzz ref:127 him:0
ping -I eth0 192.168.165.226
PING 192.168.165.226 (192.168.165.226) from 192.168.18.1 eth0: 56(84) bytes of data.
64 bytes from 192.168.165.226: icmp_seq=1 ttl=126 time=43.5 ms
64 bytes from 192.168.165.226: icmp_seq=2 ttl=126 time=42.6 ms
64 bytes from 192.168.165.226: icmp_seq=3 ttl=126 time=42.4 ms
Questions:
1. Why "No tunnels up"?
2. Why is the policy only OUT? Where is IN?
3. The other side can't send echo requests to me, but I can… Why?
Peter
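Added diagnostic helper, not part of Peter's post or of Openswan: it parses the text of `ipsec policy` and the SA lines of `ipsec auto --status` as they appear above and reports three things a reader would check first when a tunnel passes traffic one way only: OUT selectors with no matching IN selector, the same selector carrying more than one OUT tun entry (tun0x103d and tun0x103f in the post), and tun ids that the status shows for the newest IPsec SA but that do not appear in the policy table at all. The sample inputs are constructed from the lines quoted in the post, placeholders included; the function names are mine.

```python
"""Parse Openswan (mast stack) `ipsec policy` output and the `ipsec auto --status`
SA lines, and report policy asymmetries.  Example code added to the archive page,
not Openswan's own tooling.  Sample text is constructed from the post above."""
import re
from collections import defaultdict

# Constructed from the `ipsec policy` output in the post (addresses are the post's placeholders).
POLICY_OUTPUT = """\
stack: mast
OUT 0 192.168.18.0/24 -> 192.168.165.0/24 tun0x103d at 85.182.zzz.zzz ref:123 him:0
OUT 0 192.168.18.0/24 -> 192.168.165.0/24 tun0x103f at 85.182.zzz.zzz ref:127 him:0
"""

# Constructed from the "#34" SA line of `ipsec auto --status` in the post.
STATUS_OUTPUT = """\
000 #34: "hpc" esp.6b38386c at 85.182.zzz.zzz esp.4ab1e66 at 85.238.xxx.xxx tun.103d at 85.182.zzz.zzz tun.103e at 85.238.xxx.xxx ref=125 refhim=123
"""

# One `ipsec policy` line: DIR prio SRC -> DST tun0xID at GW ref:N him:N
POLICY_RE = re.compile(
    r"^(?P<dir>IN|OUT|FWD)\s+\d+\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+"
    r"tun0x(?P<tun>[0-9a-f]+)\s+at\s+(?P<gw>\S+)\s+ref:(?P<ref>\d+)\s+him:(?P<him>\d+)"
)
# Tunnel ids as printed in the status SA line: "tun.103d at 85.182.zzz.zzz"
STATUS_TUN_RE = re.compile(r"tun\.(?P<tun>[0-9a-f]+)\s+at\s+(?P<gw>\S+)")


def parse_policies(text):
    """Return one dict per policy line; the 'stack:' header and any other line is skipped."""
    policies = []
    for line in text.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            p = m.groupdict()
            p["ref"] = int(p["ref"])
            p["him"] = int(p["him"])
            policies.append(p)
    return policies


def find_asymmetries(policies):
    """Every OUT selector src->dst should be mirrored by an IN selector dst->src.
    Returns the (src, dst) pairs that are OUT-only, sorted."""
    by_dir = defaultdict(set)
    for p in policies:
        by_dir[p["dir"]].add((p["src"], p["dst"]))
    return [(s, d) for s, d in sorted(by_dir["OUT"]) if (d, s) not in by_dir["IN"]]


def duplicate_out_tunnels(policies):
    """Selectors that carry more than one OUT tun entry, mapped to their tun ids.
    Two entries for one selector is what the post shows (103d and 103f)."""
    tuns = defaultdict(list)
    for p in policies:
        if p["dir"] == "OUT":
            tuns[(p["src"], p["dst"])].append(p["tun"])
    return {sel: ids for sel, ids in tuns.items() if len(ids) > 1}


def tunnels_without_policy(status_text, policies):
    """Tun ids named in the status SA lines that have no line in the policy table.
    In the post tun.103e (the SA at the local address) is such an id."""
    in_policy = {p["tun"] for p in policies}
    in_status = {m.group("tun") for m in STATUS_TUN_RE.finditer(status_text)}
    return sorted(in_status - in_policy)


def report(policy_text=POLICY_OUTPUT, status_text=STATUS_OUTPUT):
    """Human-readable summary of the three checks; returns the lines it prints."""
    policies = parse_policies(policy_text)
    lines = [f"policy entries parsed: {len(policies)}"]
    for src, dst in find_asymmetries(policies):
        lines.append(f"OUT-only selector: {src} -> {dst} (no IN {dst} -> {src})")
    for (src, dst), ids in duplicate_out_tunnels(policies).items():
        lines.append(f"multiple OUT tunnels for {src} -> {dst}: {', '.join(ids)}")
    for tun in tunnels_without_policy(status_text, policies):
        lines.append(f"SA tunnel tun.{tun} in status but absent from policy table")
    for line in lines:
        print(line)
    return lines


if __name__ == "__main__":
    report()
```

Run it as-is against the embedded sample to see the three findings, or feed it the live output (`ipsec policy` and `ipsec auto --status` captured to files) via `report(policy_text, status_text)`. The checks only state what the two outputs disagree on; they do not diagnose why the IN policy is missing, which is the question the post asks the list.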