[Openswan Users] Routing between OpenSWAN / IPSEC tunnels

Jon Fox jon at sacredregion.com
Mon Nov 21 00:05:11 EST 2016


You need to remember that ipsec connection definitions are at their most 
basic a method of telling ipsec that you want to route packets to and 
from rightsubnet and leftsubnet, and that the connection will be handled 
by hosts right and left respectively.  If you examine your ipsec 
definitions, you will find that nowhere have you said that you wanted 
ipsec to route packets to and from 172.18/16 and 172.19/16.

-Jon

On 11/20/2016 9:40 PM, Jason Martin wrote:
> I am trying to connect multiple Amazon VPCs (across regions)
> together using OpenSWAN and Amazon VGW's. The router instance
> can ping to hosts in both VPCs, and traffic is attempting to
> cross the router, but is getting dropped.
>
> In this scenario there are two VPCs being connected, and an
> instance that happens to be in a 3rd VPC is performing the
> routing and acting as a hub. I am attempting to essentially
> reimplement the Transit VPC function
> (https://aws.amazon.com/blogs/aws/aws-solution-transit-vpc/),
> without the Cisco CSR and automated lambda configuration.
>
> My issue is that the hub is able to reach both East and West,
> but packets from either end arrive on hub but reach no further.
>
> Topology:
> West (172.19.0.0/16) - (hub) - East (172.18.0.0/16). Hub is
> connecting to both ends via VGW's, so cleartext packets for
> east/west never leave Hub. As per normal VGW behavior, two
> tunnels exist between each end and HUB.
>
> The basis for this configuration is
> https://github.com/patrickbcullen/Openswan-VPC, modified to
> support a 2nd set of tunnels. One oddity about this script is it
> sets up a 'network namespace'
> (http://man7.org/linux/man-pages/man8/ip-netns.8.html) to handle
> all the ipsec and routing.
>
> The hub can ping nodes in east and west via the IPSEC tunnels.
> The VGW's agree that ipsec and BGP are up, and the East/West
> subnets see the propagated routes. The hub has routes to both
> East and West. Iptables is fully open. rp_filter is set to 0 and
> forwarding / ip_forward is set to 1 in sysctl.
>
> I set up a ping generator in West that is attempting to ping
> East. The packets reach the openswan network namespace in hub:
>
> 16:38:49.311665 IP 35.163.220.45 > 169.254.255.3:
> ESP(spi=0x0a790d98,seq=0x4f5), length 132
> 16:38:49.311665 IP 172.19.58.64 > 172.18.57.207: ICMP echo
> request, id 411, seq 1113, length 64
>
> I have NFLOG / ulogd2 setup in iptables. It shows:
>
> RAW-PREROUTING IN=eth0 OUT= MAC=d6:fd:61:4b:73:42:6a:3a:bb:e2:33:75:08:00 SRC=172.19.58.64 DST=172.18.57.207 LEN=84 TOS=00 PREC=0x00 TTL=254 ID=49803 DF PROTO=ICMP TYPE=8 CODE=0 ID=411 SEQ=1155 MARK=0
> NAT-PREROUTING IN=eth0 OUT= MAC=d6:fd:61:4b:73:42:6a:3a:bb:e2:33:75:08:00 SRC=172.19.58.64 DST=172.18.57.207 LEN=84 TOS=00 PREC=0x00 TTL=254 ID=49803 DF PROTO=ICMP TYPE=8 CODE=0 ID=411 SEQ=1155 MARK=0
>
> However the packet never reaches the FORWARD iptables chain:
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>
> Pinging from East to West fails similarly.
>
> The hub can ping both the source and destination:
>
> # ping -c 1 172.18.57.207
> 64 bytes from 172.18.57.207: icmp_seq=1 ttl=254 time=1.74 ms
> # ping -c 1 172.19.58.64
> 64 bytes from 172.19.58.64: icmp_seq=1 ttl=254 time=94.3 ms
>
> Any suggestions on what might be blocking packets from
> transiting hub?
>
> The host is an AWS EC2 AMI, latest version:
> Linux version 4.4.30-32.54.amzn1.x86_64 (mockbuild at gobi-build-60008) (gcc version 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC) ) #1 SMP Thu Nov 10 15:52:05 UTC 2016
> Linux Openswan U2.6.37/K4.4.30-32.54.amzn1.x86_64 (netkey)
>
> My iptables rules (all ACCEPT, only NFLOGs):
> # Generated by iptables-save v1.4.18 on Fri Nov 18 16:40:41 2016
> *mangle
> :PREROUTING ACCEPT [3648:404080]
> :INPUT ACCEPT [2490:306808]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [1802:171212]
> :POSTROUTING ACCEPT [1802:171212]
> -A INPUT -j NFLOG --nflog-prefix  MAN-INPUT --nflog-group 5
> -A OUTPUT -j NFLOG --nflog-prefix  MAN-OUTPUT --nflog-group 5
> -A POSTROUTING -j NFLOG --nflog-prefix  MAN-POSTROUTING
> --nflog-group 5
> COMMIT
> # Completed on Fri Nov 18 16:40:41 2016
> # Generated by iptables-save v1.4.18 on Fri Nov 18 16:40:41 2016
> *filter
> :INPUT ACCEPT [2490:306808]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [1802:171212]
> -A INPUT -j NFLOG --nflog-prefix  FLT-INPUT --nflog-group 5
> -A OUTPUT -j NFLOG --nflog-prefix  FLT-OUTPUT --nflog-group 5
> COMMIT
> # Completed on Fri Nov 18 16:40:41 2016
> # Generated by iptables-save v1.4.18 on Fri Nov 18 16:40:41 2016
> *raw
> :PREROUTING ACCEPT [3648:404080]
> :OUTPUT ACCEPT [1802:171212]
> -A PREROUTING -j NFLOG --nflog-prefix  RAW-PREROUTING
> --nflog-group 5
> -A OUTPUT -j NFLOG --nflog-prefix  RAW-OUTPUT --nflog-group 5
> COMMIT
> # Completed on Fri Nov 18 16:40:41 2016
> # Generated by iptables-save v1.4.18 on Fri Nov 18 16:40:41 2016
> *nat
> :PREROUTING ACCEPT [1158:97272]
> :INPUT ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> -A PREROUTING -j NFLOG --nflog-prefix  NAT-PREROUTING
> --nflog-group 5
> -A POSTROUTING -j NFLOG --nflog-prefix  NAT-POSTROUTING
> --nflog-group 5
> COMMIT
>
> IPSec config:
> # /etc/ipsec.conf - Openswan IPsec configuration file
> #
> # Manual:     ipsec.conf.5
> #
>
> version 2.0     # conforms to second version of ipsec.conf
> specification
>
> # basic configuration
> config setup
>          protostack=netkey
>          nat_traversal=no
>          virtual_private=
>          oe=off
>
> conn awstunnel1
>          authby=secret
>          auto=start
>          left=169.254.255.2
>          leftid=169.254.255.2
>          right=35.163.197.247
>          rightid=35.163.197.247
>          type=tunnel
>          ikelifetime=8h
>          keylife=1h
>          phase2alg=aes128-sha1;modp1024
>          ike=aes128-sha1
>          auth=esp
>          keyingtries=%forever
>          aggrmode=no
>          keyexchange=ike
>          ikev2=never
>          leftsubnet=169.254.12.53/30
>          rightsubnet=0.0.0.0/0
>          dpddelay=10
>          dpdtimeout=30
>          dpdaction=restart_by_peer
> conn awstunnel2
>          authby=secret
>          auto=start
>          left=169.254.255.3
>          leftid=169.254.255.3
>          right=35.163.220.45
>          rightid=35.163.220.45
>          type=tunnel
>          ikelifetime=8h
>          keylife=1h
>          phase2alg=aes128-sha1;modp1024
>          ike=aes128-sha1
>          auth=esp
>          keyingtries=%forever
>          aggrmode=no
>          keyexchange=ike
>          ikev2=never
>          leftsubnet=169.254.12.221/30
>          rightsubnet=0.0.0.0/0
>          dpddelay=10
>          dpdtimeout=30
>          dpdaction=restart_by_peer
> conn awstunnel3
>          authby=secret
>          auto=start
>          left=169.254.255.4
>          leftid=169.254.255.4
>          right=52.45.134.147
>          rightid=52.45.134.147
>          type=tunnel
>          ikelifetime=8h
>          keylife=1h
>          phase2alg=aes128-sha1;modp1024
>          ike=aes128-sha1
>          auth=esp
>          keyingtries=%forever
>          aggrmode=no
>          keyexchange=ike
>          ikev2=never
>          leftsubnet=169.254.47.13/30
>          rightsubnet=0.0.0.0/0
>          dpddelay=10
>          dpdtimeout=30
>          dpdaction=restart_by_peer
> conn awstunnel4
>          authby=secret
>          auto=start
>          left=169.254.255.5
>          leftid=169.254.255.5
>          right=52.45.232.151
>          rightid=52.45.232.151
>          type=tunnel
>          ikelifetime=8h
>          keylife=1h
>          phase2alg=aes128-sha1;modp1024
>          ike=aes128-sha1
>          auth=esp
>          keyingtries=%forever
>          aggrmode=no
>          keyexchange=ike
>          ikev2=never
>          leftsubnet=169.254.47.1/30
>          rightsubnet=0.0.0.0/0
>          dpddelay=10
>          dpdtimeout=30
>          dpdaction=restart_by_peer
>
> (I'm omitting the secrets)
>
> BGP configuration:
>
> # cat /etc/quagga/bgpd.conf
> hostname ip-172-28-10-214
> password xx
> enable password xx
> !
> log file /var/log/quagga/bgpd.log
> debug bgp events
> debug bgp zebra
> debug bgp updates
> debug bgp filters
> debug bgp fsm
> !
> router bgp 65001
>      bgp router-id 52.55.78.109
>      network 169.254.12.54/30
>      neighbor 169.254.12.53 remote-as 7224
>      neighbor 169.254.12.53 soft-reconfiguration inbound
>      neighbor 169.254.12.53 route-map rm_peer_1_out out
>      network 169.254.12.222/30
>      neighbor 169.254.12.221 remote-as 7224
>      neighbor 169.254.12.221 soft-reconfiguration inbound
>      neighbor 169.254.12.221 route-map rm_peer_1_out out
>      network 169.254.47.14/30
>      neighbor 169.254.47.13 remote-as 7224
>      neighbor 169.254.47.13 soft-reconfiguration inbound
>      neighbor 169.254.47.13 route-map rm_peer_1_out out
>      network 169.254.47.2/30
>      neighbor 169.254.47.1 remote-as 7224
>      neighbor 169.254.47.1 soft-reconfiguration inbound
>      neighbor 169.254.47.1 route-map rm_peer_1_out out
> line vty
> !
> ip prefix-list localprefix seq 5 permit 172.18.0.0/16
> ip prefix-list remoteprefix seq 5 permit any
> ! Suppress the AWS AS
> route-map rm_peer_1_out permit 5
>   match ip address prefix-list localprefix
>   set as-path exclude 7224
> ! Suppress the AWS AS, synthetically extend the AS PATH
> ! For any vpc that isn't in the same region
> route-map rm_peer_1_out permit 6
>   match ip address prefix-list remoteprefix
>   set as-path prepend 65001
>   set as-path exclude 7224
> ! Suppress advertisement for non-VPC addresses
> access-list vpcprefixes permit 172.0.0.0/8
> !
>
> Route table:
> default via 169.254.255.1 dev eth0
> 169.254.12.52/30 dev eth0  proto kernel  scope link  src 169.254.12.54
> 169.254.12.220/30 dev eth0  proto kernel  scope link  src 169.254.12.222
> 169.254.47.0/30 dev eth0  proto kernel  scope link  src 169.254.47.2
> 169.254.47.12/30 dev eth0  proto kernel  scope link  src 169.254.47.14
> 169.254.255.0/28 dev eth0  proto kernel  scope link  src 169.254.255.2
> 172.18.0.0/16 via 169.254.47.13 dev eth0  proto zebra  metric 100
> 172.19.0.0/16 via 169.254.12.221 dev eth0  proto zebra  metric 100
>
> sysctl:
> net.ipv4.conf.default.forwarding = 1
> net.ipv4.conf.eth0.forwarding = 1
> net.ipv4.conf.lo.forwarding = 1
> net.ipv4.conf.veth1.forwarding = 1
> net.ipv4.ip_forward = 1
>
> ipsec auto --status:
> 000 using kernel interface: netkey
> 000 interface lo/lo ::1
> 000 interface lo/lo 127.0.0.1
> 000 interface eth0/eth0 169.254.255.2
> 000 interface eth0/eth0 169.254.12.54
> 000 interface eth0/eth0 169.254.12.222
> 000 interface eth0/eth0 169.254.47.14
> 000 interface eth0/eth0 169.254.47.2
> 000 interface eth0/eth0 169.254.255.3
> 000 interface eth0/eth0 169.254.255.4
> 000 interface eth0/eth0 169.254.255.5
> 000 %myid = (none)
> 000 debug none
> 000
> 000 virtual_private (%priv):
> 000 - allowed 0 subnets:
> 000 - disallowed 0 subnets:
> 000 WARNING: Either virtual_private= is not specified, or there is a syntax
> 000          error in that line. 'left/rightsubnet=vhost:%priv' will not work!
> 000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
> 000          private address space in internal use, it should be excluded!
> 000
> [SNIP algorithms]
> 000
> 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,8,64} trans={0,8,3072} attrs={0,8,2048}
> 000
> 000 "awstunnel1": 169.254.12.52/30===169.254.255.2<169.254.255.2>[+S=C]...35.163.197.247<35.163.197.247>[+S=C]===0.0.0.0/0; erouted; eroute owner: #8
> 000 "awstunnel1":     myip=unset; hisip=unset;
> 000 "awstunnel1":   ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "awstunnel1":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+SAREFTRACK+lKOD+rKOD; prio: 30,0; interface: eth0;
> 000 "awstunnel1":   dpd: action:restart_by_peer; delay:10; timeout:30;
> 000 "awstunnel1":   newest ISAKMP SA: #1; newest IPsec SA: #8;
> 000 "awstunnel1":   IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP1536(5), AES_CBC(7)_128-SHA1(2)_000-MODP1024(2); flags=-strict
> 000 "awstunnel1":   IKE algorithms found:  AES_CBC(7)_128-SHA1(2)_160-MODP1536(5), AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)
> 000 "awstunnel1":   IKE algorithm newest: AES_CBC_128-SHA1-MODP1024
> 000 "awstunnel1":   ESP algorithms wanted: AES(12)_128-SHA1(2)_000; pfsgroup=MODP1024(2); flags=-strict
> 000 "awstunnel1":   ESP algorithms loaded: AES(12)_128-SHA1(2)_160
> 000 "awstunnel1":   ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=MODP1024
> 000 "awstunnel2": 169.254.12.220/30===169.254.255.3<169.254.255.3>[+S=C]...35.163.220.45<35.163.220.45>[+S=C]===0.0.0.0/0; erouted; eroute owner: #7
> 000 "awstunnel2":     myip=unset; hisip=unset;
> 000 "awstunnel2":   ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "awstunnel2":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+SAREFTRACK+lKOD+rKOD; prio: 30,0; interface: eth0;
> 000 "awstunnel2":   dpd: action:restart_by_peer; delay:10; timeout:30;
> 000 "awstunnel2":   newest ISAKMP SA: #2; newest IPsec SA: #7;
> 000 "awstunnel2":   IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP1536(5), AES_CBC(7)_128-SHA1(2)_000-MODP1024(2); flags=-strict
> 000 "awstunnel2":   IKE algorithms found:  AES_CBC(7)_128-SHA1(2)_160-MODP1536(5), AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)
> 000 "awstunnel2":   IKE algorithm newest: AES_CBC_128-SHA1-MODP1024
> 000 "awstunnel2":   ESP algorithms wanted: AES(12)_128-SHA1(2)_000; pfsgroup=MODP1024(2); flags=-strict
> 000 "awstunnel2":   ESP algorithms loaded: AES(12)_128-SHA1(2)_160
> 000 "awstunnel2":   ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=MODP1024
> 000 "awstunnel3": 169.254.47.12/30===169.254.255.4<169.254.255.4>[+S=C]...52.45.134.147<52.45.134.147>[+S=C]===0.0.0.0/0; erouted; eroute owner: #5
> 000 "awstunnel3":     myip=unset; hisip=unset;
> 000 "awstunnel3":   ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "awstunnel3":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+SAREFTRACK+lKOD+rKOD; prio: 30,0; interface: eth0;
> 000 "awstunnel3":   dpd: action:restart_by_peer; delay:10; timeout:30;
> 000 "awstunnel3":   newest ISAKMP SA: #3; newest IPsec SA: #5;
> 000 "awstunnel3":   IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP1536(5), AES_CBC(7)_128-SHA1(2)_000-MODP1024(2); flags=-strict
> 000 "awstunnel3":   IKE algorithms found:  AES_CBC(7)_128-SHA1(2)_160-MODP1536(5), AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)
> 000 "awstunnel3":   IKE algorithm newest: AES_CBC_128-SHA1-MODP1024
> 000 "awstunnel3":   ESP algorithms wanted: AES(12)_128-SHA1(2)_000; pfsgroup=MODP1024(2); flags=-strict
> 000 "awstunnel3":   ESP algorithms loaded: AES(12)_128-SHA1(2)_160
> 000 "awstunnel3":   ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=MODP1024
> 000 "awstunnel4": 169.254.47.0/30===169.254.255.5<169.254.255.5>[+S=C]...52.45.232.151<52.45.232.151>[+S=C]===0.0.0.0/0; erouted; eroute owner: #6
> 000 "awstunnel4":     myip=unset; hisip=unset;
> 000 "awstunnel4":   ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "awstunnel4":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+SAREFTRACK+lKOD+rKOD; prio: 30,0; interface: eth0;
> 000 "awstunnel4":   dpd: action:restart_by_peer; delay:10; timeout:30;
> 000 "awstunnel4":   newest ISAKMP SA: #4; newest IPsec SA: #6;
> 000 "awstunnel4":   IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP1536(5), AES_CBC(7)_128-SHA1(2)_000-MODP1024(2); flags=-strict
> 000 "awstunnel4":   IKE algorithms found:  AES_CBC(7)_128-SHA1(2)_160-MODP1536(5), AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)
> 000 "awstunnel4":   IKE algorithm newest: AES_CBC_128-SHA1-MODP1024
> 000 "awstunnel4":   ESP algorithms wanted: AES(12)_128-SHA1(2)_000; pfsgroup=MODP1024(2); flags=-strict
> 000 "awstunnel4":   ESP algorithms loaded: AES(12)_128-SHA1(2)_160
> 000 "awstunnel4":   ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=MODP1024
> 000
> 000 #8: "awstunnel1":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 881s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
> 000 #8: "awstunnel1" esp.5759bbc6 at 35.163.197.247 esp.7db002d9 at 169.254.255.2 tun.0 at 35.163.197.247 tun.0 at 169.254.255.2 ref=0 refhim=4294901761
> 000 #1: "awstunnel1":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 26389s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
> 000 #7: "awstunnel2":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 1114s; newest IPSEC; eroute owner; isakmp#2; idle; import:admin initiate
> 000 #7: "awstunnel2" esp.c817fa78 at 35.163.220.45 esp.a790d98 at 169.254.255.3 tun.0 at 35.163.220.45 tun.0 at 169.254.255.3 ref=0 refhim=4294901761
> 000 #2: "awstunnel2":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 26003s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
> 000 #5: "awstunnel3":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 1083s; newest IPSEC; eroute owner; isakmp#3; idle; import:admin initiate
> 000 #5: "awstunnel3" esp.98c8c16a at 52.45.134.147 esp.70f458c4 at 169.254.255.4 tun.0 at 52.45.134.147 tun.0 at 169.254.255.4 ref=0 refhim=4294901761
> 000 #3: "awstunnel3":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 26042s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
> 000 #6: "awstunnel4":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 864s; newest IPSEC; eroute owner; isakmp#4; idle; import:admin initiate
> 000 #6: "awstunnel4" esp.7f07c4fa at 52.45.232.151 esp.80005db1 at 169.254.255.5 tun.0 at 52.45.232.151 tun.0 at 169.254.255.5 ref=0 refhim=4294901761
> 000 #4: "awstunnel4":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 26073s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
> 000
>
>
> BGP state:
> # vtysh -c 'show ip bgp summary'
> BGP router identifier 52.55.78.109, local AS number 65001
> RIB entries 11, using 1056 bytes of memory
> Peers 4, using 18 KiB of memory
>
> Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
> 169.254.12.53   4  7224     185     188        0    0    0 00:30:21        1
> 169.254.12.221  4  7224     185     187        0    0    0 00:30:23        1
> 169.254.47.1    4  7224     185     188        0    0    0 00:30:22        1
> 169.254.47.13   4  7224     185     187        0    0    0 00:30:22        1
>
> # vtysh -c 'show ip bgp'
> BGP table version is 0, local router ID is 52.55.78.109
> Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
>                r RIB-failure, S Stale, R Removed
> Origin codes: i - IGP, e - EGP, ? - incomplete
>
>     Network          Next Hop            Metric LocPrf Weight Path
> *> 169.254.12.52/30 0.0.0.0                  0         32768 i
> *> 169.254.12.220/30
>                      0.0.0.0                  0         32768 i
> *> 169.254.47.0/30  0.0.0.0                  0         32768 i
> *> 169.254.47.12/30 0.0.0.0                  0         32768 i
> *> 172.18.0.0       169.254.47.13          100             0 7224 i
> *                   169.254.47.1           200             0 7224 i
> *  172.19.0.0       169.254.12.53          200             0 7224 i
> *>                  169.254.12.221         100             0 7224 i
>
> ip xfrm state (keys snipped) inside the namespace:
>
> # ip xfrm state
> src 35.163.197.247 dst 169.254.255.2
>      proto esp spi 0x7db002d9 reqid 16385 mode tunnel
>      replay-window 32 flag af-unspec
>      auth-trunc hmac(sha1) x 96
>      enc cbc(aes) x
>      anti-replay context: seq 0xfc, oseq 0x0, bitmap 0xffffffff
> src 169.254.255.2 dst 35.163.197.247
>      proto esp spi 0x5759bbc6 reqid 16385 mode tunnel
>      replay-window 32 flag af-unspec
>      auth-trunc hmac(sha1) x 96
>      enc cbc(aes) x
>      anti-replay context: seq 0x0, oseq 0x180, bitmap 0x00000000
> src 35.163.220.45 dst 169.254.255.3
>      proto esp spi 0x0a790d98 reqid 16389 mode tunnel
>      replay-window 32 flag af-unspec
>      auth-trunc hmac(sha1) x 96
>      enc cbc(aes) x
>      anti-replay context: seq 0x8c0, oseq 0x0, bitmap 0xffffffff
> src 169.254.255.3 dst 35.163.220.45
>      proto esp spi 0xc817fa78 reqid 16389 mode tunnel
>      replay-window 32 flag af-unspec
>      auth-trunc hmac(sha1) x 96
>      enc cbc(aes) x
>      anti-replay context: seq 0x0, oseq 0x14b, bitmap 0x00000000
> src 52.45.232.151 dst 169.254.255.5
>      proto esp spi 0x80005db1 reqid 16397 mode tunnel
>      replay-window 32 flag af-unspec
>      auth-trunc hmac(sha1) x 96
>      enc cbc(aes) x
>      anti-replay context: seq 0xe9, oseq 0x0, bitmap 0xffffffff
> src 169.254.255.5 dst 52.45.232.151
>      proto esp spi 0x7f07c4fa reqid 16397 mode tunnel
>      replay-window 32 flag af-unspec
>      auth-trunc hmac(sha1) x 96
>      enc cbc(aes) x
>      anti-replay context: seq 0x0, oseq 0x180, bitmap 0x00000000
> src 52.45.134.147 dst 169.254.255.4
>      proto esp spi 0x70f458c4 reqid 16393 mode tunnel
>      replay-window 32 flag af-unspec
>      auth-trunc hmac(sha1) x 96
>      enc cbc(aes) x
>      anti-replay context: seq 0xfc, oseq 0x0, bitmap 0xffffffff
> src 169.254.255.4 dst 52.45.134.147
>      proto esp spi 0x98c8c16a reqid 16393 mode tunnel
>      replay-window 32 flag af-unspec
>      auth-trunc hmac(sha1) x 96
>      enc cbc(aes) x
>      anti-replay context: seq 0x0, oseq 0x17f, bitmap 0x00000000
>
> ip xfrm policy inside the namespace:
>
> # ip xfrm policy
> src 169.254.12.52/30 dst 0.0.0.0/0
>      dir out priority 2176 ptype main
>      tmpl src 169.254.255.2 dst 35.163.197.247
>          proto esp reqid 16385 mode tunnel
> src 0.0.0.0/0 dst 169.254.12.52/30
>      dir fwd priority 2176 ptype main
>      tmpl src 35.163.197.247 dst 169.254.255.2
>          proto esp reqid 16385 mode tunnel
> src 0.0.0.0/0 dst 169.254.12.52/30
>      dir in priority 2176 ptype main
>      tmpl src 35.163.197.247 dst 169.254.255.2
>          proto esp reqid 16385 mode tunnel
> src 169.254.12.220/30 dst 0.0.0.0/0
>      dir out priority 2176 ptype main
>      tmpl src 169.254.255.3 dst 35.163.220.45
>          proto esp reqid 16389 mode tunnel
> src 0.0.0.0/0 dst 169.254.12.220/30
>      dir fwd priority 2176 ptype main
>      tmpl src 35.163.220.45 dst 169.254.255.3
>          proto esp reqid 16389 mode tunnel
> src 0.0.0.0/0 dst 169.254.12.220/30
>      dir in priority 2176 ptype main
>      tmpl src 35.163.220.45 dst 169.254.255.3
>          proto esp reqid 16389 mode tunnel
> src 169.254.47.0/30 dst 0.0.0.0/0
>      dir out priority 2176 ptype main
>      tmpl src 169.254.255.5 dst 52.45.232.151
>          proto esp reqid 16397 mode tunnel
> src 0.0.0.0/0 dst 169.254.47.0/30
>      dir fwd priority 2176 ptype main
>      tmpl src 52.45.232.151 dst 169.254.255.5
>          proto esp reqid 16397 mode tunnel
> src 0.0.0.0/0 dst 169.254.47.0/30
>      dir in priority 2176 ptype main
>      tmpl src 52.45.232.151 dst 169.254.255.5
>          proto esp reqid 16397 mode tunnel
> src 169.254.47.12/30 dst 0.0.0.0/0
>      dir out priority 2176 ptype main
>      tmpl src 169.254.255.4 dst 52.45.134.147
>          proto esp reqid 16393 mode tunnel
> src 0.0.0.0/0 dst 169.254.47.12/30
>      dir fwd priority 2176 ptype main
>      tmpl src 52.45.134.147 dst 169.254.255.4
>          proto esp reqid 16393 mode tunnel
> src 0.0.0.0/0 dst 169.254.47.12/30
>      dir in priority 2176 ptype main
>      tmpl src 52.45.134.147 dst 169.254.255.4
>          proto esp reqid 16393 mode tunnel
> src ::/0 dst ::/0
>      socket out priority 0 ptype main
> src ::/0 dst ::/0
>      socket in priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>      socket out priority 0 ptype main
> [repeats snipped]
>
> ip rule list inside the namespace:
>
> # ip rule list
> 0:  from all lookup local
> 32766:  from all lookup main
> 32767:  from all lookup default
>
> ip addr list inside the namespace:
>
> # ip addr list
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
>      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>      inet 127.0.0.1/8 scope host lo
>         valid_lft forever preferred_lft forever
>      inet6 ::1/128 scope host
>         valid_lft forever preferred_lft forever
> 6: eth0 at if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
>      link/ether d6:fd:61:4b:73:42 brd ff:ff:ff:ff:ff:ff link-netnsid 0
>      inet 169.254.255.2/28 scope global eth0
>         valid_lft forever preferred_lft forever
>      inet 169.254.12.54/30 scope global eth0
>         valid_lft forever preferred_lft forever
>      inet 169.254.12.222/30 scope global eth0
>         valid_lft forever preferred_lft forever
>      inet 169.254.47.14/30 scope global eth0
>         valid_lft forever preferred_lft forever
>      inet 169.254.47.2/30 scope global eth0
>         valid_lft forever preferred_lft forever
>      inet 169.254.255.3/28 scope global secondary eth0
>         valid_lft forever preferred_lft forever
>      inet 169.254.255.4/28 scope global secondary eth0
>         valid_lft forever preferred_lft forever
>      inet 169.254.255.5/28 scope global secondary eth0
>         valid_lft forever preferred_lft forever
>      inet6 fe80::d4fd:61ff:fe4b:7342/64 scope link
>         valid_lft forever preferred_lft forever
> 8: veth1 at if7: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
>      link/ether 8e:9a:f6:27:83:fe brd ff:ff:ff:ff:ff:ff link-netnsid 0
>
> ifconfig inside the namespace:
>
> # ifconfig -a
> eth0      Link encap:Ethernet  HWaddr D6:FD:61:4B:73:42
>            inet addr:169.254.255.2  Bcast:0.0.0.0  Mask:255.255.255.240
>            inet6 addr: fe80::d4fd:61ff:fe4b:7342/64 Scope:Link
>            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>            RX packets:3803 errors:0 dropped:0 overruns:0 frame:0
>            TX packets:2076 errors:0 dropped:0 overruns:0 carrier:0
>            collisions:0 txqueuelen:1000
>            RX bytes:570566 (557.1 KiB)  TX bytes:270108 (263.7 KiB)
>
> lo        Link encap:Local Loopback
>            inet addr:127.0.0.1  Mask:255.0.0.0
>            inet6 addr: ::1/128 Scope:Host
>            UP LOOPBACK RUNNING  MTU:65536  Metric:1
>            RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>            TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>            collisions:0 txqueuelen:1
>            RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
>
> veth1     Link encap:Ethernet  HWaddr 8E:9A:F6:27:83:FE
>            BROADCAST MULTICAST  MTU:1500  Metric:1
>            RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>            TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>            collisions:0 txqueuelen:1000
>            RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
>
> Pfkey:
> # cat /proc/net/pfkey
> sk       RefCnt Rmem   Wmem   User   Inode
>
> Kernel config:
> CONFIG_XFRM=y
> CONFIG_XFRM_ALGO=m
> CONFIG_XFRM_USER=m
> CONFIG_XFRM_SUB_POLICY=y
> CONFIG_XFRM_MIGRATE=y
> CONFIG_XFRM_STATISTICS=y
> CONFIG_XFRM_IPCOMP=m
> CONFIG_IP_ADVANCED_ROUTER=y
> CONFIG_INET_XFRM_TUNNEL=m
> CONFIG_INET_XFRM_MODE_TRANSPORT=m
> CONFIG_INET_XFRM_MODE_TUNNEL=m
> CONFIG_INET_XFRM_MODE_BEET=m
> CONFIG_INET6_XFRM_TUNNEL=m
> CONFIG_INET6_XFRM_MODE_TRANSPORT=m
> CONFIG_INET6_XFRM_MODE_TUNNEL=m
> CONFIG_INET6_XFRM_MODE_BEET=m
> CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION=m
> CONFIG_SECURITY_NETWORK_XFRM=y
>
> Thank you,
> -Jason Martin
>
>
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
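Jon's point is that the hub's SPD only describes traffic to and from the 169.254.x.x/30 tunnel-inside addresses, so a decrypted West-to-East packet matches no policy. The following checker, added here and not part of either message or of Openswan, parses `ip xfrm policy` output (a constructed sample taken from the policies quoted above for awstunnel2 and awstunnel3) and answers, for a given flow and direction, which policy the kernel would select. With it you can see why the hub's own pings (sourced from the tunnel-inside /30 address) are covered while the forwarded 172.19.58.64 -> 172.18.57.207 packet is not: the forward-direction (`fwd`) policy check that ip_forward() performs before the FORWARD netfilter hook finds nothing and drops the packet, which matches the symptom of it appearing in PREROUTING but never in FORWARD. The function names and the `transit_verdict` summary are this example's own.

```python
"""SPD coverage check for a forwarded IPsec flow, based on `ip xfrm policy` output."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the awstunnel2 (West) and awstunnel3 (East) policies as
# quoted in the thread, plus one socket policy to show that it is ignored.
SAMPLE_XFRM_POLICY = """\
src 169.254.12.220/30 dst 0.0.0.0/0
     dir out priority 2176 ptype main
     tmpl src 169.254.255.3 dst 35.163.220.45
         proto esp reqid 16389 mode tunnel
src 0.0.0.0/0 dst 169.254.12.220/30
     dir fwd priority 2176 ptype main
     tmpl src 35.163.220.45 dst 169.254.255.3
         proto esp reqid 16389 mode tunnel
src 0.0.0.0/0 dst 169.254.12.220/30
     dir in priority 2176 ptype main
     tmpl src 35.163.220.45 dst 169.254.255.3
         proto esp reqid 16389 mode tunnel
src 169.254.47.12/30 dst 0.0.0.0/0
     dir out priority 2176 ptype main
     tmpl src 169.254.255.4 dst 52.45.134.147
         proto esp reqid 16393 mode tunnel
src 0.0.0.0/0 dst 169.254.47.12/30
     dir fwd priority 2176 ptype main
     tmpl src 52.45.134.147 dst 169.254.255.4
         proto esp reqid 16393 mode tunnel
src 0.0.0.0/0 dst 169.254.47.12/30
     dir in priority 2176 ptype main
     tmpl src 52.45.134.147 dst 169.254.255.4
         proto esp reqid 16393 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
     socket out priority 0 ptype main
"""


@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str          # "in", "out" or "fwd"
    priority: int           # lower value wins when several policies match
    reqid: Optional[int]    # SA bundle the template points at


def parse_xfrm_policy(text: str) -> List[Policy]:
    """Parse `ip xfrm policy` output; per-socket bypass policies (no `dir`) are skipped."""
    blocks: List[List[str]] = []
    for line in text.splitlines():
        if line.startswith("src "):
            blocks.append([line.strip()])
        elif blocks and line.strip():
            blocks[-1].append(line.strip())
    policies: List[Policy] = []
    for block in blocks:
        head = re.match(r"src (\S+) dst (\S+)", block[0])
        dirm = None
        reqid = None
        for entry in block[1:]:
            dirm = dirm or re.match(r"dir (in|out|fwd) priority (\d+)", entry)
            found = re.search(r"reqid (\d+)", entry)
            reqid = int(found.group(1)) if found else reqid
        if not head or not dirm:
            continue
        src_net = ipaddress.ip_network(head.group(1), strict=False)
        dst_net = ipaddress.ip_network(head.group(2), strict=False)
        if src_net.version != 4 or dst_net.version != 4:
            continue
        policies.append(Policy(src_net, dst_net, dirm.group(1), int(dirm.group(2)), reqid))
    return policies


def lookup(policies: List[Policy], direction: str, src_ip: str, dst_ip: str) -> Optional[Policy]:
    """Return the policy the kernel would select for this flow, or None if the SPD has none."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    hits = [p for p in policies if p.direction == direction and src in p.src and dst in p.dst]
    return min(hits, key=lambda p: p.priority) if hits else None


def transit_verdict(policies: List[Policy], src_ip: str, dst_ip: str) -> dict:
    """Summarise what happens to a decrypted packet the hub must forward on.

    No `fwd` match: the forward-direction policy check drops it before FORWARD
    (counted under XfrmInNoPols in /proc/net/xfrm_stat). No `out` match: it
    would leave the box in cleartext instead of entering the other tunnel.
    """
    fwd = lookup(policies, "fwd", src_ip, dst_ip)
    out = lookup(policies, "out", src_ip, dst_ip)
    return {
        "fwd_reqid": fwd.reqid if fwd else None,
        "out_reqid": out.reqid if out else None,
        "transits_encrypted": fwd is not None and out is not None,
    }


if __name__ == "__main__":
    spd = parse_xfrm_policy(SAMPLE_XFRM_POLICY)
    # Hub-originated ping to East, sourced from the tunnel-inside /30 address.
    print("hub -> east:", lookup(spd, "out", "169.254.47.14", "172.18.57.207"))
    # The West -> East packet from the thread's tcpdump, after decryption.
    print("west -> east:", transit_verdict(spd, "172.19.58.64", "172.18.57.207"))
```

Run it against the real box with `ip netns exec <ns> ip xfrm policy > spd.txt` and feed that file to `parse_xfrm_policy`; any flow for which `transit_verdict` reports `transits_encrypted: False` is one the conn definitions never told ipsec to carry.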
