Wednesday, June 28, 2017

Cloudstack strongswan 5.2 Remote access vpn configuration

CloudStack 4.10 uses strongSwan 5.2 for the VPN service.

This post covers the strongSwan 5.2 remote access (L2TP/IPsec) VPN configuration on the virtual router and how to connect to it from the Windows L2TP client.

root@r-154-QA:~# ipsec --version
Linux strongSwan U5.2.1/K3.2.0-4-amd64
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.

root@r-154-QA:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 02:00:7c:b8:00:05 brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.1/24 brd 10.1.1.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 0e:00:a9:fe:01:e8 brd ff:ff:ff:ff:ff:ff
    inet 169.254.1.232/16 brd 169.254.255.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 1e:00:8d:00:00:12 brd ff:ff:ff:ff:ff:ff
    inet 10.147.46.106/24 brd 10.147.46.255 scope global eth2
7: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 qdisc pfifo_fast state UNKNOWN qlen 3
    link/ppp
    inet 10.1.2.1 peer 10.1.2.2/32 scope global ppp0
9: ppp1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 qdisc pfifo_fast state UNKNOWN qlen 3
    link/ppp
    inet 10.1.2.1 peer 10.1.2.3/32 scope global ppp1
root@r-154-QA:~#


strongSwan 5.2 remote access VPN configuration:

root@r-154-QA:~# cat /etc/ipsec.d/l2tp.conf
#ipsec remote access vpn configuration
conn L2TP-PSK
        authby=psk
        pfs=no
        rekey=no
        keyingtries=3
        keyexchange=ikev1
        forceencaps=yes
        leftfirewall=yes
        leftnexthop=%defaultroute
        type=transport
        #
        # ----------------------------------------------------------
        # The VPN server.
        #
        # left is the public IP the Windows clients connect to.
        # If there is no defaultroute, or a different interface
        # should be used, set it explicitly:   left=your.ip.addr.ess
        #
        left=10.147.46.106
        #
        leftprotoport=17/1701
        # If you insist on supporting non-updated Windows clients,
        # you can use:    leftprotoport=17/%any
        #
        # ----------------------------------------------------------
        # The remote user(s).
        #
        # right=%any accepts connections from any client address
        # (road warriors behind NAT included). To restrict the
        # server to a single client, use:    right=its.ip.addr.ess
        right=%any
        #
        rightprotoport=17/%any
        #
        # ----------------------------------------------------------
        # auto=add loads the conn and waits for the client to
        # initiate; set auto=ignore to disable this configuration.
        #
        rightsubnetwithin=0.0.0.0/0
        auto=add
root@r-154-QA:~#

root@r-154-QA:~# cat /etc/ipsec.d/ipsec.any.secrets
: PSK "aHM9g54CbvuBDgRsa6MeyCsm"
root@r-154-QA:~#
root@r-154-QA:~# cat /etc/strongswan.conf
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}

include strongswan.d/*.conf
root@r-154-QA:~# cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

config setup

include /etc/ipsec.d/*.conf
root@r-154-QA:~#

root@r-154-QA:~# cat /etc/xl2tpd/xl2tpd.conf
[lns default]
ip range = 10.1.2.2-10.1.2.8
local ip = 10.1.2.1
require chap = yes
refuse pap = yes
pppoptfile =    /etc/ppp/options.xl2tpd
root@r-154-QA:~#     
root@r-154-QA:~# cat /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client    server    secret            IP addresses


test * test *
root@r-154-QA:~# cat /etc/ppp/options.xl2tpd
proxyarp
ipcp-accept-local
ipcp-accept-remote
noccp
idle 1800
auth
crtscts
mtu 1410
mru 1410
nodefaultroute
debug
lock
connect-delay 5000
ms-dns 10.1.2.1




Connection from the Windows L2TP client:

1. Ping from the Windows VM to the CloudStack guest VM IP.



2. Screenshots of the L2TP settings in Windows.




3. If Windows fails with Error 809 (the remote server is not responding) while connecting to the remote access VPN, add the AssumeUDPEncapsulationContextOnSendRule registry value as follows.





Step 1: Log in to the PC as Administrator or as a user who is a member of the Administrators group.

Step 2: Click Start > Run (or Start > All Programs > Accessories > Run) and type regedit.

Step 3: Locate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent.

Step 4: Create a new DWORD (32-bit) value (Edit > New).

Step 5: Name it AssumeUDPEncapsulationContextOnSendRule and save.

Step 6: Modify the new entry and change Value data from 0 to 2.

Value 0 -> cannot establish security associations with servers that are located behind NAT devices (the default when the value is absent).
Value 1 -> can establish security associations with servers that are located behind NAT devices.
Value 2 -> can establish security associations when both the server and the Windows client are behind NAT devices.


Step 7: Reboot the computer and try the connection again.
 


Ref: https://support.sonicwall.com/kb/sw13197 

Monday, June 5, 2017

cloudstack strongswan ipsec site to site s2s vpn configuration


This post explains the site-to-site (s2s) VPN configuration between two CloudStack VPCs.

1. Two VPCs, vpc1 and vpc2.



2. vpc1 source NAT public address.

3. vpc2 source NAT public address.

4. VPN customer gateway path in the UI.

5. Adding the VPN customer gateways.
a. Add one customer gateway with the vpc1 details: vpc1 source NAT public IP and vpc1 CIDR.
b. Add a second customer gateway with the vpc2 details: vpc2 source NAT public IP and vpc2 CIDR.



6. Click on SITE TO SITE VPNS, highlighted in the Router section, for both vpc1 and vpc2.









7. Click on the VPN Connection drop-down as shown below.

8. Click Create VPN Connection at the top right corner.


9. The pop-up below is shown.
One important point: mark the first VPN connection passive and leave passive unchecked on the second. For the vpc1 VPN connection select the VPN customer gateway vpc2CG (which contains the details of vpc2).
If passive is not selected, the VPN connection is initiated from the VR of that VPC; with one side passive, only one VR initiates and the other waits for it.



10. VPN connection status after step 9: the VPN is in the Connected state.


11. vpc1 VR is r-135-QA
    vpc2 VR is r-136-QA

Below are the strongSwan VPN config, connection status and logs from r-135-QA. The generated conn uses keyexchange=ike, so charon accepts either IKE version; statusall shows this SA came up as IKEv2.




root@r-135-QA:~# ipsec --version
Linux strongSwan U5.2.1/K3.2.0-4-amd64
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.
root@r-135-QA:~#

root@r-135-QA:~# cat /etc/ipsec.d/ipsec.vpn-10.147.52.102.conf
#conn for vpn-10.147.52.102
conn vpn-10.147.52.102
 left=10.147.46.108
 leftsubnet=10.1.0.0/16
 leftnexthop=10.147.46.1
 right=10.147.52.102
 rightsubnet=10.2.0.0/16
 type=tunnel
 authby=secret
 keyexchange=ike
 ike=aes128-sha1-modp1536
 ikelifetime=24h
 esp=aes128-sha1
 lifetime=1h
 pfs=no
 keyingtries=2
 auto=start
 forceencaps=no
root@r-135-QA:~#
root@r-135-QA:~# cat /etc/ipsec.d/ipsec.vpn-10.147.52.102.secrets
10.147.46.108 10.147.52.102 : PSK "123456789"
root@r-135-QA:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 0e:00:a9:fe:01:13 brd ff:ff:ff:ff:ff:ff
    inet 169.254.1.19/16 brd 169.254.255.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 1e:00:f9:00:00:14 brd ff:ff:ff:ff:ff:ff
    inet 10.147.46.108/24 brd 10.147.46.255 scope global eth1
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 02:00:29:c5:00:05 brd ff:ff:ff:ff:ff:ff
    inet 10.1.2.1/24 brd 10.1.2.255 scope global eth3
6: eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 02:00:45:73:00:06 brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.1/24 brd 10.1.1.255 scope global eth4
8: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 1e:00:2a:00:00:34 brd ff:ff:ff:ff:ff:ff
    inet 10.147.52.101/24 brd 10.147.52.255 scope global eth2
root@r-135-QA:~#
root@r-135-QA:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.2.0-4-amd64, x86_64):
  uptime: 51 minutes, since Jun 05 07:15:27 2017
  malloc: sbrk 675840, mmap 0, used 549904, free 125936
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon test-vectors ldap pkcs11 aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem gcrypt af-alg fips-prf gmp xcbc cmac hmac ctr ccm curl attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity
Listening IP addresses:
  169.254.1.19
  10.147.46.108
  10.1.2.1
  10.1.1.1
  10.147.52.101
Connections:
vpn-10.147.52.102:  10.147.46.108...10.147.52.102  IKEv1/2
vpn-10.147.52.102:   local:  [10.147.46.108] uses pre-shared key authentication
vpn-10.147.52.102:   remote: [10.147.52.102] uses pre-shared key authentication
vpn-10.147.52.102:   child:  10.1.0.0/16 === 10.2.0.0/16 TUNNEL
    L2TP-PSK:  172.26.0.151...%any  IKEv1
    L2TP-PSK:   local:  [172.26.0.151] uses pre-shared key authentication
    L2TP-PSK:   remote: uses pre-shared key authentication
    L2TP-PSK:   child:  dynamic[udp/l2f] === 0.0.0.0/0[udp] TRANSPORT
Security Associations (1 up, 0 connecting):
vpn-10.147.52.102[2]: ESTABLISHED 50 minutes ago, 10.147.46.108[10.147.46.108]...10.147.52.102[10.147.52.102]
vpn-10.147.52.102[2]: IKEv2 SPIs: 51aecc83ad55e205_i 8ed67b171663f02e_r*, pre-shared key reauthentication in 22 hours
vpn-10.147.52.102[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
vpn-10.147.52.102{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c636a5c6_i cd256516_o
vpn-10.147.52.102{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 35 minutes
vpn-10.147.52.102{1}:   10.1.0.0/16 === 10.2.0.0/16
root@r-135-QA:~#
root@r-135-QA:~# tail -f /var/log/cloud.log

Jun  5 08:40:46 localhost charon: 16[IKE] initiating IKE_SA vpn-10.147.52.102[3] to 10.147.52.102
Jun  5 08:40:48 localhost charon: 11[IKE] 10.147.52.102 is initiating an IKE_SA
Jun  5 08:40:48 localhost charon: 13[IKE] IKE_SA vpn-10.147.52.102[6] established between 10.147.46.108[10.147.46.108]...10.147.52.102[10.147.52.102]
Jun  5 08:40:48 localhost charon: 13[IKE] CHILD_SA vpn-10.147.52.102{4} established with SPIs cf36ee34_i c39bf95d_o and TS 10.1.0.0/16 === 10.2.0.0/16
Jun  5 08:40:55 localhost sshd[20622]: Accepted publickey for root from 169.254.0.1 port 55388 ssh2
Jun  5 08:40:55 localhost sshd[20622]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jun  5 08:40:55 localhost sshd[20622]: pam_unix(sshd:session): session closed for user root
Jun  5 08:41:25 localhost sshd[20671]: Accepted publickey for root from 169.254.0.1 port 55393 ssh2
Jun  5 08:41:25 localhost sshd[20671]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jun  5 08:41:25 localhost sshd[20671]: pam_unix(sshd:session): session closed for user root
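The log above shows both VRs initiating the same tunnel: r-135-QA initiates IKE_SA [3] at 08:40:46 and two seconds later 10.147.52.102 is initiating as well, which is the situation the passive flag in step 9 is meant to avoid (only the non-passive side initiates). The following Python is an added example, not part of the original post and not CloudStack or strongSwan code. It parses charon syslog lines, flags simultaneous initiation and checks the established CHILD_SA traffic selectors against the expected subnets. LOG is constructed from the lines shown above (one sshd line kept to show it is ignored); the 30-second window is this example's choice.

```python
"""Parse charon syslog lines from a CloudStack VR and flag simultaneous initiation.
Added example for this page, not CloudStack or strongSwan code; LOG is constructed
from the lines shown above, with one sshd line kept to show it is ignored."""
import re
from datetime import datetime

CHARON = re.compile(r"^(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) \S+ charon: \d+\[\w+\] (.*)$")
PATTERNS = {
    "local_init": re.compile(r"initiating IKE_SA (\S+?)\[(\d+)\] to (\S+)"),
    "remote_init": re.compile(r"^(\S+) is initiating an IKE_SA"),
    "ike_up": re.compile(r"IKE_SA (\S+?)\[(\d+)\] established between (\S+?)\[.*?\]\.\.\.(\S+?)\["),
    "child_up": re.compile(r"CHILD_SA (\S+?)\{(\d+)\} established with SPIs (\w+)_i (\w+)_o "
                           r"and TS (\S+) === (\S+)"),
}


def parse_events(log):
    """Return [(time, kind, groups)] for the charon messages above; other lines are skipped."""
    events = []
    for line in log.splitlines():
        m = CHARON.match(line)
        if not m:
            continue
        mon, day, clock, msg = m.groups()
        ts = datetime.strptime(f"{mon} {day} {clock}", "%b %d %H:%M:%S")  # syslog has no year
        for kind, pat in PATTERNS.items():
            hit = pat.search(msg)
            if hit:
                events.append((ts, kind, hit.groups()))
                break
    return events


def summarize(events, window_s=30):
    """Group events and warn when both ends initiated the same tunnel within `window_s`."""
    out = {"local_init": [], "remote_init": [], "ike_up": [], "child_sas": [], "warnings": []}
    for ts, kind, f in events:
        if kind == "child_up":
            out["child_sas"].append({"conn": f[0], "id": int(f[1]), "spi_in": f[2],
                                     "spi_out": f[3], "ts": (f[4], f[5])})
        else:
            out[kind].append((ts, f))
    for t_local, f_local in out["local_init"]:
        for t_remote, f_remote in out["remote_init"]:
            if f_remote[0] == f_local[2] and abs((t_remote - t_local).total_seconds()) <= window_s:
                out["warnings"].append(f"both ends initiated to/from {f_local[2]} within {window_s}s; "
                                       "mark one VPN connection passive so only one VR initiates")
    return out


def check_traffic_selectors(summary, local_net, remote_net):
    """True if at least one CHILD_SA is up and every one carries exactly the expected subnets."""
    sas = summary["child_sas"]
    return bool(sas) and all(sa["ts"] == (local_net, remote_net) for sa in sas)


LOG = """\
Jun  5 08:40:46 localhost charon: 16[IKE] initiating IKE_SA vpn-10.147.52.102[3] to 10.147.52.102
Jun  5 08:40:48 localhost charon: 11[IKE] 10.147.52.102 is initiating an IKE_SA
Jun  5 08:40:48 localhost charon: 13[IKE] IKE_SA vpn-10.147.52.102[6] established between 10.147.46.108[10.147.46.108]...10.147.52.102[10.147.52.102]
Jun  5 08:40:48 localhost charon: 13[IKE] CHILD_SA vpn-10.147.52.102{4} established with SPIs cf36ee34_i c39bf95d_o and TS 10.1.0.0/16 === 10.2.0.0/16
Jun  5 08:40:55 localhost sshd[20622]: Accepted publickey for root from 169.254.0.1 port 55388 ssh2
"""

if __name__ == "__main__":
    summary = summarize(parse_events(LOG))
    print(summary["warnings"], check_traffic_selectors(summary, "10.1.0.0/16", "10.2.0.0/16"))
```

Run against a live VR with `tail -n 500 /var/log/cloud.log` piped into parse_events; a warning with no corresponding CHILD_SA usually means the two VRs kept colliding, and the fix is on the CloudStack side (passive on one connection), not in ipsec.conf.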


Sunday, June 4, 2017

strongswan ikev1 site to site vpn tunnel between SRX and cloudstack Virtual Router


strongSwan site-to-site (s2s) VPN tunnel between a Juniper SRX and the Debian-based CloudStack virtual router (VR).

Cloudstack VR details (Left):

    public interface (tunnel endpoint) - eth1 - 10.147.30.119/24 (the conn's left= address and the VR's default-route interface; the iptables rules further down accept IKE and ESP from the SRX on eth1)
    second public interface - eth2 - 10.147.52.20/24 (not used by this tunnel)
    Guest/LAN interface - eth3 - 10.1.1.1/24


SRX device details (Right)
    public interface - fe-0/0/4 unit 100 - 10.102.196.249/24 (external-interface of IKE gateway gw-cp)
    Guest interface - fe-0/0/1 unit 868 - 192.168.2.30/24



VR config details:
---------------------

root@r-242-VM:/etc/ipsec.d# cat ipsec.vpn-10.102.196.249.conf
conn vpn-10.102.196.249
  left=10.147.30.119
  leftsubnet=10.0.0.0/8
  leftnexthop=10.147.30.1
  right=10.102.196.249
  rightsubnet=192.168.2.0/24
  type=tunnel
  authby=secret
  keyexchange=ikev1
  ike=aes128-sha1-modp1024
  ikelifetime=86400s
  esp=aes128-sha1-modp1024
  lifetime=3600s
  pfs=yes
  keyingtries=2
  auto=start
root@r-242-VM:/etc/ipsec.d#
root@r-242-VM:/etc/ipsec.d# cat ipsec.vpn-10.102.196.249.secrets
10.147.30.119 10.102.196.249 : PSK "123"
root@r-242-VM:/etc/ipsec.d#
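Three strongSwan conn blocks appear on this page: the L2TP-PSK remote access conn of the first post, the CloudStack-generated VPC-to-VPC conn vpn-10.147.52.102 of the second post, and the VR-to-SRX conn just above. Each has something a reviewer would query: a selector-less PSK that any peer may use, pfs=no, keyexchange=ike (either IKE version accepted), MODP groups of 1024 and 1536 bits, and pre-shared keys of 3 and 9 characters. The Python below is an added example for this page, not CloudStack or strongSwan code. It parses ipsec.conf conn sections (any indentation, comments stripped, settings under config setup kept separate) and ipsec.secrets PSK lines, and reports those weak settings. PAGE_CONF and PAGE_SECRETS are constructed from the page's files; the 20-character PSK and 2048-bit DH thresholds are this example's choice.

```python
"""Audit strongSwan ipsec.conf conn sections and ipsec.secrets PSK lines.
Added example for this page, not CloudStack or strongSwan code; PAGE_CONF and
PAGE_SECRETS are constructed from the conn blocks and secrets shown on the page."""
import re

WEAK_DH = {"modp768", "modp1024", "modp1536"}   # MODP groups below 2048 bits
WEAK_ALG = {"des", "3des", "md5"}               # legacy cipher / hash tokens
MIN_PSK_LEN = 20                                # this example's PSK threshold


def parse_conns(text):
    """Return {conn_name: {key: value}}; indentation-agnostic, comments stripped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith(("config ", "include ")):
            current = None          # settings here belong to 'config setup', not a conn
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key.lower()] = value
    return conns


def parse_secrets(text):
    """Return [(selector_ids, psk)] for lines of the form '[ids] : PSK "x"'."""
    hits = (re.match(r'^(.*?)\s*:\s*PSK\s+"([^"]*)"', ln.strip()) for ln in text.splitlines())
    return [(m.group(1).split(), m.group(2)) for m in hits if m]


def audit_conn(conn):
    """List weak or ambiguous settings in one parsed conn."""
    findings = []
    if conn.get("keyexchange", "ike") == "ike":   # strongSwan 5 default: either version
        findings.append("keyexchange=ike: peer may pick IKEv1 or IKEv2; pin the version")
    if conn.get("pfs", "yes") == "no":
        findings.append("pfs=no: no fresh DH for CHILD_SA keys (Windows L2TP needs this; site-to-site does not)")
    for key in ("ike", "esp"):
        proposal = conn.get(key)
        if proposal is None:
            findings.append(f"{key}= not set: daemon default proposal list applies")
            continue
        for token in re.split(r"[-,!]", proposal.lower()):
            if token in WEAK_DH:
                findings.append(f"{key}={proposal}: {token} is below 2048-bit MODP")
            elif token in WEAK_ALG:
                findings.append(f"{key}={proposal}: {token} is a legacy algorithm")
    return findings


def audit_secrets(entries):
    """List PSK problems: selector-less (wildcard) entries and short secrets."""
    findings = []
    for ids, psk in entries:
        if not ids:
            findings.append("PSK with no identity selector matches every peer")
        if len(psk) < MIN_PSK_LEN:
            findings.append(f"PSK for {' '.join(ids) or '<wildcard>'} is {len(psk)} chars; want >= {MIN_PSK_LEN}")
    return findings


def audit(conf_text, secrets_text):
    """Return {conn_name: [findings]} plus a '_secrets' entry."""
    report = {name: audit_conn(c) for name, c in parse_conns(conf_text).items()}
    report["_secrets"] = audit_secrets(parse_secrets(secrets_text))
    return report


PAGE_CONF = """\
config setup
   nat_traversal=yes
conn L2TP-PSK
        pfs=no
        keyexchange=ikev1
 left=10.147.46.106
conn vpn-10.147.52.102
 keyexchange=ike
 ike=aes128-sha1-modp1536
 esp=aes128-sha1
 pfs=no
conn vpn-10.102.196.249
  keyexchange=ikev1
  ike=aes128-sha1-modp1024
  esp=aes128-sha1-modp1024
  pfs=yes
"""
PAGE_SECRETS = """\
: PSK "aHM9g54CbvuBDgRsa6MeyCsm"
10.147.46.108 10.147.52.102 : PSK "123456789"
10.147.30.119 10.102.196.249 : PSK "123"
"""

if __name__ == "__main__":
    for name, findings in audit(PAGE_CONF, PAGE_SECRETS).items():
        print(name, *("  - " + f for f in findings), sep="\n")
```

On a VR, feed it the concatenation of /etc/ipsec.d/*.conf and /etc/ipsec.d/*.secrets. The two site-to-site conns are generated by CloudStack from the customer gateway's IKE and ESP policy strings, so the fix for a weak group or a short PSK is to change the customer gateway in the UI rather than edit the file on the VR.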


root@r-242-VM:/etc/ipsec.d# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 02:00:0b:ae:00:74 brd ff:ff:ff:ff:ff:ff
    inet 10.147.28.114/24 brd 10.147.28.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 1e:00:f6:00:00:0f brd ff:ff:ff:ff:ff:ff
    inet 10.147.30.119/24 brd 10.147.30.255 scope global eth1
    inet 10.147.30.110/24 brd 10.147.30.255 scope global secondary eth1
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 1e:00:49:01:a8:bd brd ff:ff:ff:ff:ff:ff
    inet 10.147.52.20/24 brd 10.147.52.255 scope global eth2
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 02:00:65:36:00:14 brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.1/24 brd 10.1.1.255 scope global eth3
root@r-242-VM:/etc/ipsec.d#
root@r-242-VM:/etc/ipsec.d# ip route show
default via 10.147.30.1 dev eth1
10.1.1.0/24 dev eth3  proto kernel  scope link  src 10.1.1.1
10.147.28.0/24 dev eth0  proto kernel  scope link  src 10.147.28.114
10.147.30.0/24 dev eth1  proto kernel  scope link  src 10.147.30.119
10.147.52.0/24 dev eth2  proto kernel  scope link  src 10.147.52.20
10.147.59.0/24 via 10.147.28.1 dev eth0
root@r-242-VM:/etc/ipsec.d#




root@r-242-VM:/etc/ipsec.d# cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

config setup
   nat_traversal=yes
   charonstart=yes
   plutostart=yes

include /etc/ipsec.d/*.conf
root@r-242-VM:/etc/ipsec.d#

SRX config (Junos 12.1X46-D30.2):

The tunnel to this VR is IKE gateway gw-cp (address 10.147.30.119, ike-phase1-policy / ike-phase1-proposal: pre-shared keys, group2, sha1, aes-128-cbc), bound through ike-vpn-cp on st0.0 to ipsec-phase2-policy (esp aes-128-cbc / hmac-sha1-96, PFS group2), which matches the VR's ike= and esp= lines above. The other gateways and vpns in the listing belong to other tunnels on the same box. This is a lab device: telnet and xnm-clear-text are enabled and the untrust zone allows all host-inbound system services; do not carry those lines into production.

root@SRX-HYD% cat ikev1RouteBased.txt
set version 12.1X46-D30.2
set system host-name SRX-HYD
set system time-zone Asia/Calcutta
set system root-authentication encrypted-password "$1$Upd9DiSK$Kki512FXx6z.2swzlFdoL0"
set system name-server 10.103.128.16
set system login user cloudadmin full-name cloud
set system login user cloudadmin uid 100
set system login user cloudadmin class super-user
set system login user cloudadmin authentication encrypted-password "$1$or4KmtVp$Sj2aKP/LSDRMRi3Aoz1D6/"
set system services ssh
set system services telnet
set system services xnm-clear-text
set system services web-management http interface vlan.0
set system services web-management http interface fe-0/0/0.0
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system syslog file kmd-logs daemon info
set system syslog file kmd-logs match KMD
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces fe-0/0/0 description "Management Interface"
set interfaces fe-0/0/0 unit 0 family inet address 10.102.195.249/22
set interfaces fe-0/0/1 description "Guest network"
set interfaces fe-0/0/1 vlan-tagging
set interfaces fe-0/0/1 unit 868 vlan-id 868
set interfaces fe-0/0/1 unit 868 family inet filter input vlan-input-868
set interfaces fe-0/0/1 unit 868 family inet filter output vlan-output-868
set interfaces fe-0/0/1 unit 868 family inet address 192.168.2.30/24
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/4 description "Public Network"
set interfaces fe-0/0/4 vlan-tagging
set interfaces fe-0/0/4 unit 100 vlan-id 100
set interfaces fe-0/0/4 unit 100 family inet address 10.102.196.249/24
set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces st0 unit 0 family inet
set interfaces st0 unit 1 family inet
set interfaces vlan unit 0
set interfaces vlan unit 100 family inet address 10.102.196.249/24
set routing-options static route 10.102.196.0/24 next-hop 10.102.196.1
set routing-options static route 10.102.196.0/24 install
set routing-options static route 10.102.192.0/22 next-hop 10.102.192.1
set routing-options static route 10.102.192.0/22 install
set routing-options static route 0.0.0.0/0 next-hop 10.102.196.1
set routing-options static route 10.1.1.0/24 next-hop st0.0
set routing-options static route 172.16.1.0/24 next-hop st0.1
set protocols stp
set security ike traceoptions file ike.log
set security ike traceoptions flag all
set security ike proposal Ikecloud description Ikecloud
set security ike proposal Ikecloud authentication-method pre-shared-keys
set security ike proposal Ikecloud dh-group group2
set security ike proposal Ikecloud authentication-algorithm md5
set security ike proposal Ikecloud encryption-algorithm 3des-cbc
set security ike proposal Ikecloud lifetime-seconds 86400
set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys
set security ike proposal ike-phase1-proposal dh-group group2
set security ike proposal ike-phase1-proposal authentication-algorithm sha1
set security ike proposal ike-phase1-proposal encryption-algorithm aes-128-cbc
set security ike proposal d-ike-phase1-proposal authentication-method pre-shared-keys
set security ike proposal d-ike-phase1-proposal dh-group group2
set security ike proposal d-ike-phase1-proposal authentication-algorithm sha1
set security ike proposal d-ike-phase1-proposal encryption-algorithm aes-128-cbc
set security ike policy ike-policy1 mode main
set security ike policy ike-policy1 description ikepolicy
set security ike policy ike-policy1 proposals Ikecloud
set security ike policy ike-policy1 pre-shared-key ascii-text "$9$k.Tzn/CuBI"
set security ike policy deepthi-ike-policy mode main
set security ike policy deepthi-ike-policy proposal-set standard
set security ike policy deepthi-ike-policy pre-shared-key ascii-text "$9$3oyt6tuBIEyev"
set security ike policy ike-phase1-policy mode main
set security ike policy ike-phase1-policy proposals ike-phase1-proposal
set security ike policy ike-phase1-policy pre-shared-key ascii-text "$9$tC5duIESreWX7"
set security ike policy d-ike-phase1-policy mode main
set security ike policy d-ike-phase1-policy proposals d-ike-phase1-proposal
set security ike policy d-ike-phase1-policy pre-shared-key ascii-text "$9$9JEfAO1EcyKWL"
set security ike gateway ike-gate ike-policy ike-policy1
set security ike gateway ike-gate address 10.147.30.20
set security ike gateway ike-gate external-interface fe-0/0/4.100
set security ike gateway ike-gate general-ikeid
set security ike gateway ike-gate version v1-only
set security ike gateway deepthi-ike-gate ike-policy deepthi-ike-policy
set security ike gateway deepthi-ike-gate address 10.147.30.114
set security ike gateway deepthi-ike-gate external-interface fe-0/0/4.100
set security ike gateway deepthi-ike-gate version v1-only
set security ike gateway gw-cp ike-policy ike-phase1-policy
set security ike gateway gw-cp address 10.147.30.119
set security ike gateway gw-cp external-interface fe-0/0/4.100
set security ike gateway gw-cp version v1-only
set security ike gateway gw-newcp ike-policy d-ike-phase1-policy
set security ike gateway gw-newcp address 10.112.110.196
set security ike gateway gw-newcp external-interface fe-0/0/4.100
set security ike gateway gw-newcp version v1-only
set security ipsec traceoptions flag all
set security ipsec proposal Ipseccloud description Ipseccloud
set security ipsec proposal Ipseccloud protocol esp
set security ipsec proposal Ipseccloud authentication-algorithm hmac-md5-96
set security ipsec proposal Ipseccloud encryption-algorithm 3des-cbc
set security ipsec proposal Ipseccloud lifetime-seconds 3600
set security ipsec proposal ipsec-phase2-proposal protocol esp
set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-phase2-proposal encryption-algorithm aes-128-cbc
set security ipsec proposal d-ipsec-phase2-proposal protocol esp
set security ipsec proposal d-ipsec-phase2-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal d-ipsec-phase2-proposal encryption-algorithm aes-128-cbc
set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group2
set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal
set security ipsec policy d-ipsec-phase2-policy perfect-forward-secrecy keys group2
set security ipsec policy d-ipsec-phase2-policy proposals ipsec-phase2-proposal
set security ipsec policy vpn-policy1 description prashanthpolicy
set security ipsec policy vpn-policy1 proposals Ipseccloud
set security ipsec vpn ike-vpn-cp bind-interface st0.0
set security ipsec vpn ike-vpn-cp ike gateway gw-cp
set security ipsec vpn ike-vpn-cp ike proxy-identity local 192.168.2.0/24
set security ipsec vpn ike-vpn-cp ike proxy-identity remote 10.0.0.0/8
set security ipsec vpn ike-vpn-cp ike ipsec-policy ipsec-phase2-policy
set security ipsec vpn ike-vpn-cp establish-tunnels immediately
set security ipsec vpn ike-vpn-newcp bind-interface st0.1
set security ipsec vpn ike-vpn-newcp ike gateway gw-newcp
set security ipsec vpn ike-vpn-newcp ike proxy-identity local 192.168.2.0/24
set security ipsec vpn ike-vpn-newcp ike proxy-identity remote 10.0.0.0/8
set security ipsec vpn ike-vpn-newcp ike ipsec-policy d-ipsec-phase2-policy
set security ipsec vpn ike-vpn ike gateway ike-gate
set security ipsec vpn ike-vpn ike ipsec-policy vpn-policy1
set security ipsec vpn ike-vpn establish-tunnels immediately
set security address-book book1 address srx 192.168.2.0/24
set security address-book book1 attach zone trust
set security address-book book2 address cp 10.1.1.0/24
set security address-book book2 attach zone vpn-st0
set security address-book book2new address newcp 172.16.1.0/24
set security address-book book2new attach zone vpn-newcp
set security flow tcp-mss ipsec-vpn mss 1350
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source pool 10-102-196-177 address 10.102.196.177/32
set security nat source rule-set nat-out from zone trust
set security nat source rule-set nat-out to zone untrust
set security nat source rule-set nat-out rule interface-nat match source-address 192.168.0.0/16
set security nat source rule-set nat-out rule interface-nat match destination-address 0.0.0.0/0
set security nat source rule-set nat-out rule interface-nat then source-nat off
set security nat destination rule-set untrust from zone untrust
set security nat proxy-arp interface fe-0/0/4.100 address 10.102.196.177/32
set security nat proxy-arp interface fe-0/0/4.100 address 10.102.196.190/32
set security nat proxy-arp interface fe-0/0/4.100 address 10.102.196.191/32
set security policies from-zone untrust to-zone untrust policy accept-all match source-address any
set security policies from-zone untrust to-zone untrust policy accept-all match destination-address any
set security policies from-zone untrust to-zone untrust policy accept-all match application any
set security policies from-zone untrust to-zone untrust policy accept-all then permit
set security policies from-zone trust to-zone trust policy accept-all match source-address any
set security policies from-zone trust to-zone trust policy accept-all match destination-address any
set security policies from-zone trust to-zone trust policy accept-all match application any
set security policies from-zone trust to-zone trust policy accept-all then permit
set security policies from-zone trust to-zone vpn-st0 policy vpn-tr-cp match source-address srx
set security policies from-zone trust to-zone vpn-st0 policy vpn-tr-cp match destination-address cp
set security policies from-zone trust to-zone vpn-st0 policy vpn-tr-cp match application any
set security policies from-zone trust to-zone vpn-st0 policy vpn-tr-cp then permit
set security policies from-zone vpn-st0 to-zone trust policy vpn-cp-tr match source-address cp
set security policies from-zone vpn-st0 to-zone trust policy vpn-cp-tr match destination-address srx
set security policies from-zone vpn-st0 to-zone trust policy vpn-cp-tr match application any
set security policies from-zone vpn-st0 to-zone trust policy vpn-cp-tr then permit
set security policies from-zone trust to-zone vpn-newcp policy vpn-tr-newcp match source-address srx
set security policies from-zone trust to-zone vpn-newcp policy vpn-tr-newcp match destination-address newcp
set security policies from-zone trust to-zone vpn-newcp policy vpn-tr-newcp match application any
set security policies from-zone trust to-zone vpn-newcp policy vpn-tr-newcp then permit
set security policies from-zone vpn-newcp to-zone trust policy vpn-newcp-tr match source-address newcp
set security policies from-zone vpn-newcp to-zone trust policy vpn-newcp-tr match destination-address srx
set security policies from-zone vpn-newcp to-zone trust policy vpn-newcp-tr match application any
set security policies from-zone vpn-newcp to-zone trust policy vpn-newcp-tr then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust interfaces fe-0/0/0.0
set security zones security-zone trust interfaces fe-0/0/1.868 host-inbound-traffic system-services all
set security zones security-zone trust interfaces fe-0/0/1.868 host-inbound-traffic protocols all
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces fe-0/0/4.100 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces fe-0/0/4.100 host-inbound-traffic protocols all
set security zones security-zone untrust interfaces vlan.100 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces vlan.100 host-inbound-traffic protocols all
set security zones security-zone vpn-st0 interfaces st0.0
set security zones security-zone vpn-newcp interfaces st0.1
set firewall filter trust term 10-102-196-177 from source-address 10.0.160.0/20
set firewall filter trust term 10-102-196-177 then count 10-102-196-177
set firewall filter trust term 10-102-196-177 then accept
set firewall filter untrust term 10-102-196-177 from destination-address 10.102.196.177/32
set firewall filter untrust term 10-102-196-177 then count 10-102-196-177
set firewall filter untrust term 10-102-196-177 then accept
set firewall filter untrust term 10-102-196-190-34 from source-address 0.0.0.0/0
set firewall filter untrust term 10-102-196-190-34 from destination-address 10.102.196.190/32
set firewall filter untrust term 10-102-196-190-34 from protocol tcp
set firewall filter untrust term 10-102-196-190-34 from destination-port 1-65525
set firewall filter untrust term 10-102-196-190-34 then count 10-102-196-190-i
set firewall filter untrust term 10-102-196-190-34 then accept
set firewall filter untrust term 10-102-196-191-35 from source-address 0.0.0.0/0
set firewall filter untrust term 10-102-196-191-35 from destination-address 10.102.196.191/32
set firewall filter untrust term 10-102-196-191-35 from protocol tcp
set firewall filter untrust term 10-102-196-191-35 from destination-port 1-65525
set firewall filter untrust term 10-102-196-191-35 then count 10-102-196-191-i
set firewall filter untrust term 10-102-196-191-35 then accept
set firewall filter vlan-output-868 term vlan-output-868 then count vlan-output-868
set firewall filter vlan-output-868 term vlan-output-868 then accept
set firewall filter vlan-input-868 term vlan-input-868 then count vlan-input-868
set firewall filter vlan-input-868 term vlan-input-868 then accept
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0
set vlans vlan100 vlan-id 100
set vlans vlan100 l3-interface vlan.100
root@SRX-HYD% 
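The SRX listing above carries four IKE gateways and three vpns, and checking by eye that the one facing this VR (gw-cp / ike-vpn-cp) agrees with the strongSwan conn on proposal, PFS group and proxy identities is error-prone. The Python below is an added example for this page, not Juniper, strongSwan or CloudStack code. It resolves the Junos gateway -> IKE policy -> proposal and vpn -> IPsec policy -> proposal chain from the 'set' statements and compares the result with the conn. SRX_LINES is a constructed subset of the page's SRX config (the gw-cp chain plus one unrelated gateway); SW_CONN holds the values of the page's ipsec.vpn-10.102.196.249.conf; the Junos-to-strongSwan algorithm name map covers the names on the page plus a few common ones and is this example's own.

```python
"""Cross-check a strongSwan conn against the Junos SRX 'set' config it peers with.
Added example for this page, not Juniper, strongSwan or CloudStack code. SRX_LINES
is a constructed subset of the page's SRX config; SW_CONN is the page's conn."""

# Junos names -> strongSwan proposal tokens (names on the page plus a few common ones).
JUNOS_DH = {"group2": "modp1024", "group5": "modp1536", "group14": "modp2048"}
JUNOS_ENC = {"3des-cbc": "3des", "aes-128-cbc": "aes128", "aes-256-cbc": "aes256"}
JUNOS_AUTH = {"md5": "md5", "sha1": "sha1", "sha-256": "sha256",
              "hmac-md5-96": "md5", "hmac-sha1-96": "sha1", "hmac-sha-256-128": "sha256"}


def junos_statements(text):
    """Tokenise 'set ...' lines, dropping the leading 'set'."""
    return [ln.split()[1:] for ln in text.splitlines() if ln.strip().startswith("set ")]


def leaf(stmts, *path):
    """Token that follows `path` in the first statement starting with it, else None."""
    n = len(path)
    return next((s[n] for s in stmts if s[:n] == list(path) and len(s) > n), None)


def srx_tunnel(stmts, peer):
    """Resolve gateway -> IKE policy -> proposal and vpn -> IPsec policy -> proposal for `peer`."""
    gw = next((s[3] for s in stmts if s[:3] == ["security", "ike", "gateway"]
               and s[4:6] == ["address", peer]), None)
    if gw is None:
        return None
    ike_pol = leaf(stmts, "security", "ike", "gateway", gw, "ike-policy")
    ike_prop = leaf(stmts, "security", "ike", "policy", ike_pol, "proposals")
    p = ("security", "ike", "proposal", ike_prop)
    vpn = next((s[3] for s in stmts if s[:3] == ["security", "ipsec", "vpn"]
                and s[4:7] == ["ike", "gateway", gw]), None)
    if vpn is None:
        return None
    ipsec_pol = leaf(stmts, "security", "ipsec", "vpn", vpn, "ike", "ipsec-policy")
    ipsec_prop = leaf(stmts, "security", "ipsec", "policy", ipsec_pol, "proposals")
    pfs = leaf(stmts, "security", "ipsec", "policy", ipsec_pol, "perfect-forward-secrecy", "keys")
    q = ("security", "ipsec", "proposal", ipsec_prop)
    v = ("security", "ipsec", "vpn", vpn, "ike", "proxy-identity")
    return {
        "gateway": gw, "vpn": vpn,
        "ike": (JUNOS_ENC[leaf(stmts, *p, "encryption-algorithm")],
                JUNOS_AUTH[leaf(stmts, *p, "authentication-algorithm")],
                JUNOS_DH[leaf(stmts, *p, "dh-group")]),
        "esp": (JUNOS_ENC[leaf(stmts, *q, "encryption-algorithm")],
                JUNOS_AUTH[leaf(stmts, *q, "authentication-algorithm")],
                JUNOS_DH[pfs] if pfs else None),   # None = no PFS configured
        "local": leaf(stmts, *v, "local"), "remote": leaf(stmts, *v, "remote"),
    }


def sw_proposal(prop, pfs="yes"):
    """'aes128-sha1-modp1024' -> ('aes128', 'sha1', 'modp1024'); DH dropped when pfs=no."""
    toks = prop.lower().split("-")
    dh = next((t for t in toks if t.startswith(("modp", "ecp"))), None)
    rest = [t for t in toks if t != dh]
    return (rest[0], rest[1] if len(rest) > 1 else None, dh if pfs == "yes" else None)


def compare(sw, stmts):
    """Return mismatches between a strongSwan conn dict and the SRX tunnel facing it."""
    srx = srx_tunnel(stmts, sw["left"])
    if srx is None:
        return [f"no complete SRX gateway/vpn chain for peer {sw['left']}"]
    checks = [
        ("IKE proposal", sw_proposal(sw["ike"]), srx["ike"]),
        ("ESP proposal/PFS", sw_proposal(sw["esp"], sw.get("pfs", "yes")), srx["esp"]),
        ("leftsubnet vs SRX proxy-identity remote", sw["leftsubnet"], srx["remote"]),
        ("rightsubnet vs SRX proxy-identity local", sw["rightsubnet"], srx["local"]),
    ]
    return [f"{what}: strongSwan {ours} vs SRX {srx['vpn']} {theirs}"
            for what, ours, theirs in checks if ours != theirs]


SRX_LINES = """\
set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys
set security ike proposal ike-phase1-proposal dh-group group2
set security ike proposal ike-phase1-proposal authentication-algorithm sha1
set security ike proposal ike-phase1-proposal encryption-algorithm aes-128-cbc
set security ike policy ike-phase1-policy proposals ike-phase1-proposal
set security ike gateway ike-gate address 10.147.30.20
set security ike gateway gw-cp ike-policy ike-phase1-policy
set security ike gateway gw-cp address 10.147.30.119
set security ipsec proposal ipsec-phase2-proposal protocol esp
set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-phase2-proposal encryption-algorithm aes-128-cbc
set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group2
set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal
set security ipsec vpn ike-vpn-cp ike gateway gw-cp
set security ipsec vpn ike-vpn-cp ike proxy-identity local 192.168.2.0/24
set security ipsec vpn ike-vpn-cp ike proxy-identity remote 10.0.0.0/8
set security ipsec vpn ike-vpn-cp ike ipsec-policy ipsec-phase2-policy
"""
SW_CONN = {"left": "10.147.30.119", "leftsubnet": "10.0.0.0/8", "right": "10.102.196.249",
           "rightsubnet": "192.168.2.0/24", "ike": "aes128-sha1-modp1024",
           "esp": "aes128-sha1-modp1024", "pfs": "yes"}

if __name__ == "__main__":
    print(compare(SW_CONN, junos_statements(SRX_LINES)) or "SRX and strongSwan agree")
```

Paste the output of `show configuration | display set` from the SRX into SRX_LINES for a real check. The comparison is deliberately strict on the PFS group: an SRX policy with perfect-forward-secrecy keys group2 will not come up against a conn with pfs=no, which is exactly the difference between this VR's conn and the CloudStack-generated one in the previous post.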


VR firewall rules and IKE status:
--------------------

Debian, strongSwan 4.5.2 (IKEv1 handled by the pluto daemon). The INPUT chain accepts IKE (udp 500 and 4500) and ESP on eth1 only from the SRX peer 10.102.196.249:



root@r-242-VM:/etc/ipsec.d# iptables -L -nv
Chain INPUT (policy DROP 64 packets, 10413 bytes)
 pkts bytes target     prot opt in     out     source               destination        
 368K   50M NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            224.0.0.18         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            225.0.0.50         
    2   152 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          
    9  1197 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0          
 315K   39M ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3922 state NEW,ESTABLISHED
17503 4953K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  eth3   *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    3   212 ACCEPT     udp  --  eth3   *       0.0.0.0/0            10.1.1.1             udp dpt:53
    0     0 ACCEPT     tcp  --  eth3   *       0.0.0.0/0            10.1.1.1             tcp dpt:53
    0     0 ACCEPT     tcp  --  eth3   *       0.0.0.0/0            10.1.1.1             state NEW tcp dpt:80
    0     0 ACCEPT     tcp  --  eth3   *       0.0.0.0/0            10.1.1.1             state NEW tcp dpt:8080
    0     0 ACCEPT     udp  --  eth1   *       10.102.196.249       10.147.30.119        udp dpt:500
    0     0 ACCEPT     udp  --  eth1   *       10.102.196.249       10.147.30.119        udp dpt:4500
    0     0 ACCEPT     esp  --  eth1   *       10.102.196.249       10.147.30.119      






root@r-242-VM:~# ipsec statusall
000 Status of IKEv1 pluto daemon (strongSwan 4.5.2):
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 10.147.28.114:4500
000 interface eth0/eth0 10.147.28.114:500
000 interface eth1/eth1 10.147.30.119:4500
000 interface eth1/eth1 10.147.30.119:500
000 interface eth1/eth1 10.147.30.110:4500
000 interface eth1/eth1 10.147.30.110:500
000 interface eth2/eth2 10.147.52.20:4500
000 interface eth2/eth2 10.147.52.20:500
000 interface eth3/eth3 10.1.1.1:4500
000 interface eth3/eth3 10.1.1.1:500
000 %myid = '%any'
000 loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve
000 debug options: none
000
000 "L2TP-PSK": 172.26.0.151[172.26.0.151]:17/1701---10.147.30.1...%any[%any]:17/%any==={0.0.0.0/0}; unrouted; eroute owner: #0
000 "L2TP-PSK":   ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "L2TP-PSK":   policy: PSK+ENCRYPT+TUNNEL+DONTREKEY; prio: 32,0; interface: ;
000 "L2TP-PSK":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "vpn-10.102.196.249": 10.0.0.0/8===10.147.30.119[10.147.30.119]---10.147.30.1...10.102.196.249[10.102.196.249]===192.168.2.0/24; erouted; eroute owner: #95
000 "vpn-10.102.196.249":   ike_life: 86400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 2
000 "vpn-10.102.196.249":   policy: PSK+ENCRYPT+TUNNEL+PFS; prio: 8,24; interface: eth1;
000 "vpn-10.102.196.249":   newest ISAKMP SA: #94; newest IPsec SA: #95;
000 "vpn-10.102.196.249":   IKE proposal: AES_CBC_128/HMAC_SHA1/MODP_1024
000 "vpn-10.102.196.249":   ESP proposal: AES_CBC_128/HMAC_SHA1/<Phase1>
000
000 #95: "vpn-10.102.196.249" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3309s; newest IPSEC; eroute owner
000 #95: "vpn-10.102.196.249" esp.a6fe03a@10.102.196.249 (0 bytes) esp.c2eab35c@10.147.30.119 (0 bytes); tunnel
000 #94: "vpn-10.102.196.249" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 28509s; newest ISAKMP
000
Status of IKEv2 charon daemon (strongSwan 4.5.2):
  uptime: 16 hours, since May 02 12:17:40 2017
  malloc: sbrk 1351680, mmap 0, used 269088, free 1082592
  worker threads: 7 idle of 16, job queue load: 0, scheduled events: 0
  loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc dhcp led addrblock
Listening IP addresses:
  10.147.28.114
  10.147.30.119
  10.147.30.110
  10.147.52.20
  10.1.1.1
Connections:
Security Associations:
  none
root@r-242-VM:~#


root@r-242-VM:/etc/ipsec.d# tcpdump -i eth1 host 10.102.196.249 -nvvve
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes



04:22:18.681629 f0:b2:e5:81:12:65 > 1e:00:f6:00:00:0f, ethertype IPv4 (0x0800), length 330: (tos 0xc0, ttl 62, id 22958, offset 0, flags [none], proto UDP (17), length 316)
    10.102.196.249.500 > 10.147.30.119.500: [udp sum ok] isakmp 1.0 msgid 00000000 cookie 73d5a739cff930b6->0000000000000000: phase 1 I ident:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=1 spi=73d5a739cff930b6
            (t: #0 id=ike (type=enc value=aes)(type=keylen value=0080)(type=group desc value=modp1024)(type=hash value=sha1)(type=lifetype value=sec)(type=lifeduration len=4 value=00007080)(type=auth value=preshared))))
    (vid: len=16 afcad71368a1f1c96b8696fc77570100)
    (vid: len=16 27bab5dc01ea0760ea4e3190ac27c0d0)
    (vid: len=16 6105c422e76847e43f9684801292aecd)
    (vid: len=16 4485152d18b6bbcd0be8a8469579ddcc)
    (vid: len=16 cd60464335df21f87cfdb2fc68b6a448)
    (vid: len=16 90cb80913ebb696e086381b5ec427b1f)
    (vid: len=16 7d9419a65310ca6f2c179d9215529d56)
    (vid: len=16 4a131c81070358455c5728f20e95452f)
    (vid: len=28 699369228741c6d4ca094c93e242c9de19e7b7c60000000500000500)
04:22:18.681838 1e:00:f6:00:00:0f > f0:b2:e5:81:12:65, ethertype IPv4 (0x0800), length 202: (tos 0x0, ttl 64, id 48685, offset 0, flags [DF], proto UDP (17), length 188)
    10.147.30.119.500 > 10.102.196.249.500: [bad udp cksum 0xf922 -> 0xc064!] isakmp 1.0 msgid 00000000 cookie 73d5a739cff930b6->3b437ff8e8291d0b: phase 1 R ident:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=1
            (t: #0 id=ike (type=enc value=aes)(type=keylen value=0080)(type=group desc value=modp1024)(type=hash value=sha1)(type=lifetype value=sec)(type=lifeduration len=4 value=00007080)(type=auth value=preshared))))
    (vid: len=16 882fe56d6fd20dbc2251613b2ebe5beb)
    (vid: len=8 09002689dfd6b712)
    (vid: len=16 afcad71368a1f1c96b8696fc77570100)
    (vid: len=16 4a131c81070358455c5728f20e95452f)
04:22:18.704975 f0:b2:e5:81:12:65 > 1e:00:f6:00:00:0f, ethertype IPv4 (0x0800), length 270: (tos 0xc0, ttl 62, id 22959, offset 0, flags [none], proto UDP (17), length 256)
    10.102.196.249.500 > 10.147.30.119.500: [udp sum ok] isakmp 1.0 msgid 00000000 cookie 73d5a739cff930b6->3b437ff8e8291d0b: phase 1 I ident:
    (ke: key len=128 41d168b0f9adb58e26605c19998b20c9b9299fc59c8b0c0bee78790a2802c3a013714d7963d3e49f4affc613f79d70a1fc2be6e1d061e79e1184299906ec77b1c940edecab136bc31d0c1d06b85752c679f001d4c87340e5f50da88ed07bdac1bfa4677d9ae308626fcfd91f3ca991da13f740d3e900b2599b7b15b3ea65c229)
    (nonce: n len=16 f9ed15f833e970624e62fff20ffb6f1c)
    (pay20)
    (pay20)
04:22:18.708052 1e:00:f6:00:00:0f > f0:b2:e5:81:12:65, ethertype IPv4 (0x0800), length 270: (tos 0x0, ttl 64, id 48689, offset 0, flags [DF], proto UDP (17), length 256)
    10.147.30.119.500 > 10.102.196.249.500: [bad udp cksum 0xf966 -> 0x6b41!] isakmp 1.0 msgid 00000000 cookie 73d5a739cff930b6->3b437ff8e8291d0b: phase 1 R ident:
    (ke: key len=128 e4ea201711a2561dcd5cd3ebb7a79a6c67d79775f7a850b796137eccef8e4b371dcabcf8b11e64f71ddaf66c109ebe0fd30f3611d4453f1e06b2f8e861004f2d3618e50bd753267888dab69e571d97a8fd4f5b2c1cfef01b2b7dbd63f6bff3b8b71005a058e028024ed92bfcf15bf07d8bf53f0640dab922a4acad155f42669c)
    (nonce: n len=16 3b19f5686aba936f952ffca5d6a92848)
    (pay20)
    (pay20)
04:22:18.728460 f0:b2:e5:81:12:65 > 1e:00:f6:00:00:0f, ethertype IPv4 (0x0800), length 134: (tos 0xc0, ttl 62, id 22960, offset 0, flags [none], proto UDP (17), length 120)
    10.102.196.249.500 > 10.147.30.119.500: [udp sum ok] isakmp 1.0 msgid 00000000 cookie 73d5a739cff930b6->3b437ff8e8291d0b: phase 1 I ident[E]: [encrypted id]
04:22:18.728988 1e:00:f6:00:00:0f > f0:b2:e5:81:12:65, ethertype IPv4 (0x0800), length 118: (tos 0x0, ttl 64, id 48690, offset 0, flags [DF], proto UDP (17), length 104)
    10.147.30.119.500 > 10.102.196.249.500: [bad udp cksum 0xf8ce -> 0xcd3a!] isakmp 1.0 msgid 00000000 cookie 73d5a739cff930b6->3b437ff8e8291d0b: phase 1 R ident[E]: [encrypted id]
04:22:18.757571 f0:b2:e5:81:12:65 > 1e:00:f6:00:00:0f, ethertype IPv4 (0x0800), length 342: (tos 0xc0, ttl 62, id 22961, offset 0, flags [none], proto UDP (17), length 328)
    10.102.196.249.500 > 10.147.30.119.500: [udp sum ok] isakmp 1.0 msgid 99c7ea8b cookie 73d5a739cff930b6->3b437ff8e8291d0b: phase 2/others I oakley-quick[E]: [encrypted hash]
04:22:18.760705 1e:00:f6:00:00:0f > f0:b2:e5:81:12:65, ethertype IPv4 (0x0800), length 342: (tos 0x0, ttl 64, id 48692, offset 0, flags [DF], proto UDP (17), length 328)
    10.147.30.119.500 > 10.102.196.249.500: [bad udp cksum 0xf9ae -> 0x4a14!] isakmp 1.0 msgid 99c7ea8b cookie 73d5a739cff930b6->3b437ff8e8291d0b: phase 2/others R oakley-quick[E]: [encrypted hash]
04:22:18.823463 f0:b2:e5:81:12:65 > 1e:00:f6:00:00:0f, ethertype IPv4 (0x0800), length 102: (tos 0xc0, ttl 62, id 22962, offset 0, flags [none], proto UDP (17), length 88)
    10.102.196.249.500 > 10.147.30.119.500: [udp sum ok] isakmp 1.0 msgid 99c7ea8b cookie 73d5a739cff930b6->3b437ff8e8291d0b: phase 2/others I oakley-quick[E]: [encrypted hash]




root@r-242-VM:/etc/ipsec.d# ip -s xfrm state
src 10.147.30.119 dst 10.102.196.249
    proto esp spi 0xac6fbc7e(2893003902) reqid 16420(0x00004024) mode tunnel
    replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
    auth-trunc hmac(sha1) 0x113f7f0dfd3391b09d4cebe1828eec4d0f87b21e (160 bits) 96
    enc cbc(aes) 0xd6c90b451f66ceac528c5e48031de357 (128 bits)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2017-05-03 04:22:18 use -
    stats:
      replay-window 0 replay 0 failed 0
src 10.102.196.249 dst 10.147.30.119
    proto esp spi 0xc0273ad7(3223796439) reqid 16420(0x00004024) mode tunnel
    replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
    auth-trunc hmac(sha1) 0xf8498d08e047a042a4e3bbf4b4bd44107fe43d6a (160 bits) 96
    enc cbc(aes) 0x127971e3e8b3901fc34301711ab8960b (128 bits)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2017-05-03 04:22:18 use -
    stats:
      replay-window 0 replay 0 failed 0
root@r-242-VM:/etc/ipsec.d#

root@r-242-VM:/etc/ipsec.d# ip -s xfrm policy
src 10.0.0.0/8 dst 192.168.2.0/24 uid 0
    dir out action allow index 1417 priority 1923 ptype main share any flag  (0x00000000)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2017-05-03 04:22:18 use -
    tmpl src 10.147.30.119 dst 10.102.196.249
        proto esp spi 0x00000000(0) reqid 16420(0x00004024) mode tunnel
        level required share any
        enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 192.168.2.0/24 dst 10.0.0.0/8 uid 0
    dir fwd action allow index 1410 priority 1923 ptype main share any flag  (0x00000000)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2017-05-03 04:22:18 use -
    tmpl src 10.102.196.249 dst 10.147.30.119
        proto esp spi 0x00000000(0) reqid 16420(0x00004024) mode tunnel
        level required share any
        enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 192.168.2.0/24 dst 10.0.0.0/8 uid 0
    dir in action allow index 1400 priority 1923 ptype main share any flag  (0x00000000)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2017-05-03 04:22:18 use -
    tmpl src 10.102.196.249 dst 10.147.30.119
        proto esp spi 0x00000000(0) reqid 16420(0x00004024) mode tunnel
        level required share any
        enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
root@r-242-VM:/etc/ipsec.d#